So …. are you still using USB storage devices ?

 

This was a question my friend asked me last week as it turned out his company suddenly wanted to block them from being used and he could not understand why and was in fact rather annoyed. After I had sat down and explained to him the risks of USB devices, I thought this would make a great post for the blog

What are USB storage devices?

They can range from a flash drive to a hard drive in a box, this post will concentrate on the small flash drives but equally applies to the other devices .

Flash drives have become so popular because they use little power, have no fragile moving parts are small, light and cheap. Data stored on flash drives is impervious to mechanical shock, magnetic fields, scratches and dust. These properties make them great for transporting data from place to place and keeping the data readily at hand.

I remember when the first flash drives were just 8 MB  but they have since massively increased to 516 GB or even 1 TB. A 64 GB for example already holds a massive amount of information (Examples can be seen here https://www.ebay.co.uk/gds/What-Size-USB-Flash-Drive-Should-You-Buy-/10000000177330128/g.html)

So what risks ?

These devices as mentioned are small and can contain a vast amount of data, so look out for the following risks

They can easily be lost or stolen which can lead to an accidental of data

They can be used by malicious insiders at a company to easily extract a large amount of confidential company information.

They can bypass most of the network security controls (such as the firewall, proxy, mail security gateway etc)  and accidentally (or maliciously) introduce malware onto your computer. This is particularly relevant if a USB device is shared between work devices and home (which probably has far less security than at work)

 

The first risk applies to everyone from home user to a company employee. Using an encrypted USB device will help if the device is lost (as long as you have used a strong password .. more on this in a future post)

I usually advise a company that does not want to block USB devices to at least only allow approved company encrypted devices to be plugged into a device and to block any other makes of USB devices.

Blocking USB devices is the best and most cost-effective way to stop company data loss via these devices. They also give an additional benefit of preventing the  third risk of introducing malware

One question I get from company bosses is the third risk does not really apply to their company as they have anti-virus. It may come as some surprise to you that anti-virus is not 100% effective and does not always pick up the latest malware. (http://www.slate.com/articles/technology/future_tense/2017/02/why_you_can_t_depend_on_antivirus_software_anymore.html)

My recommendations

If you are a company ..block the devices and use a cloud business service (OneDrive, Dropbox, Google Drive)  to store company data (more on this in a later post). Allow only a few exceptions which must use a company approved and monitored device

For home use, by all means, use an encrypted USB device but be aware it can be lost so make sure that you have a backup of your data elsewhere.

Hacking then phishing – kicking a person when they’re down!

Today we’re going to highlight two issues for the price of one. Not bad for a Monday!

Firstly we have the recent admission by British Airways that criminals had hacked their website and personal details – including bank card numbers – of about 380,000 customers had been compromised. To add insult to injury, it took them 15 days to realise then warn customers so they can take action, by which time a huge amount of fraudulent transactions could have been conducted by the criminals and whoever they sold the card data to. If only they had an effective Security Operations Centre like other multi-national (really should) have!

Secondly, the fact that BA contacted their customers by email – and the possibility of this being exploited by other criminal groups – was debated by my fellow security professionals last week, so I thought I’d check my spam folder in my personal email account. Imagine my surprise when I spotted the attached message! It took a few moments but we found a few indicators of a phishing email (“return to” address was very suspicious, suspicious hyperlinks not going to BA website, minor grammatical errors in text, the promise of two freeplane tickets being unrealistic for half a million customers, etc.).

Would you have spotted it?

So there we have it, a quick and simple introduction into how one criminal group can quickly jump on the bandwagon and exploit another criminal group’s actions, praying on people easily exploited as they’re placed under pressure dealing with the first problem. Talk about kicking a person when they’re down!