How USB Sticks Cause Data Breach, Malware Woes

Half of businesses have lost sensitive or confidential information due to USB memory sticks, with many incidents involving those infected with malware.

Strategic Security Survey: Global Threat, Local Pain (click image for larger view and for full slideshow)
In the past two years, 70% of businesses have traced the loss of sensitive or confidential information to USB flash memory sticks. While such losses can obviously occur when the devices get lost or stolen, 55% of those incidents are likely related to malware-infected devices that introduced malicious code onto corporate networks.
Those findings come from a new survey of 743 IT and information security professionals, conducted by Ponemon Institute in July, and sponsored by flash memory manufacturer Kingston Digital.
Seemingly mindful of the information security and intellectual property risks, not all organizations permit the use of USB drives. Indeed, 36% of the survey respondents--who include employees at government agencies--said their approach to USB drives was total lockdown through the use of a software solution to block the usage of USB ports.
But for most organizations, the study found, the use of USB drives is widespread. In addition, about half of surveyed organizations have policies that detail how employees can use USB drives to store sensitive or confidential information. But only half of those organizations actually enforce the policies. Meanwhile, only 21% of organizations with USB device security policies on the books use data loss prevention tools, and only 13% use network analysis technology to spot inappropriate use of USB drives.
On a related note, according to the study, 75% of respondents said they wouldnt pay a premium to ensure that USB drives are safe and secure. Unsurprisingly, 74% said they didnt use data loss prevention software to detect when confidential or sensitive information was being copied to the devices, or to monitor USB drives for viruses or malware. Nearly as many also dont have policies governing how USB drives are used, and dont see protecting information on USB drives as a top priority.
As with any storage device, data loss via USB thumb drives isnt new, and many survey respondents suspect that such losses often
dont get reported
. So far this year, according to the Identity Theft Resource Center, only five USB-related breaches have come to light, one of which included the theft of an unencrypted USB drive from the Family Planning Council in Philadelphia, which contained 70,000 records, in late 2010.
USB drives that are used as an attack mechanism also arent new. Indeed, some experts have surmised, based on the pattern by which
Stuxnet spread
, that it initially infected only a handful of computers--and likely via a USB thumb drive.
Part of the difficulty in securing USB drives, perhaps, is that theyre so common as to be unremarkable. In one test conducted earlier this year, for example, Department of Homeland Security staff scattered USB keys, some with the departments logo, around government and private contractor parking lots. Of the people who picked them up,
according to Bloomberg
, 60% later plugged the devices into their computer, although 90% of people whod picked up a USB key with an official DHS logo plugged them in.
The study was cited as a failure of people to properly assess the threat posed by USB drives of unknown origin. But Bruce Schneier, chief security technology officer of BT, said the real issue involves operating systems. The problem isnt that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good, he said in a
blog post
. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isnt safe to plug a USB stick into a computer.
When might operating systems catch up? Sixty percent of organizations, according to the Ponemon survey, take a hands-off approach to USB drives because they dont want to hamper workers productivity. Accordingly, any approach to encrypting such devices arguably needs to be seamless.
Already, removable storage devices can be
encrypted in Windows 7
, using BitLocker, on a per-device basis. In addition, commercial and open source software add-ons will automatically encrypt removable devices.
Meanwhile, the latest version of Apples operation system, OS X 10.7, aka Lion, includes a feature called FileVault2, which will
fully encrypt
--using XTS-AES 128 encryption--not just hard drives, but also USB storage devices. Theres no default option, however, for requiring a drive to be encrypted. As with Windows 7 BitLocker, each external storage device must be encrypted on a per-item basis, using Apples Disk Utility software. When so formatted, the drive requires a password when its first connected to a Mac, or disconnected and reconnected, or else it cant be accessed.
In other words, the latest versions of Windows and Mac OS X enable users to encrypt their USB drives. But until they view USB drive encryption as a priority, will they encrypt, and should they have to bother?
The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Heres how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own companys security ignores the bigger picture.
Download it now
. (Free registration required.)

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
How USB Sticks Cause Data Breach, Malware Woes