
Cybercriminals bring the USB back, with a vengeance

The flexibility of USB has ensured it has maintained its position in the tech stack. Accordingly, attackers will seek ways to engineer their malware, physically and socially, to take advantage of that universal accessibility.

Andrew Rose, Resident CISO, EMEA, Proofpoint

USB devices have been with us in their present form for over a quarter century, yet they remain one of those rare technologies to succeed and stay relatively intact despite Moore's Law (that the number of transistors in a dense integrated circuit (IC) doubles about every two years) and the ongoing technological revolution. USB's remarkable success stems from its flexibility as a data interface, enabling both peripherals and portable storage devices. However, it lacks the fine-grained controls that security professionals demand from a modern communication port.

Many security leaders consider the threat from USBs to have been managed by employing Data Loss Prevention (DLP) technology to identify and block the transmission of sensitive data. Unfortunately, not all attacks are simply about data loss.

Most cyber-attacks start via email, but recent activity shows that criminals also see value and opportunities for successful attacks via the USB channel. Proofpoint’s 2022 State of the Phish report also confirms this uptick. More than half (54%) of global organizations reported USB-based attacks in 2021, up more than 15 percent from 2020.

Most security leaders do not consider simply blocking or banning USBs from their environment an acceptable option. Many computing components use USB for mouse and keyboard input or for webcam connectivity, and staff rely on it to charge their personal devices. CISOs tend to perceive the threat as data loss and feel comfortable once DLP is in place. Not all DLP is created equal, and maintaining a sound DLP policy is a heavy burden, so it is worrying that data loss is not the only attack path.

Attack models

Historically, USB attacks were just an alternative transport path for malicious files, perhaps Microsoft Office documents with malicious macros or temptingly clickable executables. Their ability to bypass several layers of the control infrastructure and deliver the malware directly to the endpoint was a massive bonus (for the attacker), but this was slightly undermined because USB attacks have a longer latency than email attacks, so endpoint protection could be updated and potentially block the attack before it even arrived.

More recent attacks have moved to HID (Human Interface Device) spoofing, where the USB stick pretends to be a keyboard. When inserted, the stick registers as a keyboard or mouse and delivers commands, automating an attack as if the hacker were sitting at the desk. It is this BadUSB technique that FIN7 used to start the first stages of their recent ransomware attack.
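From the defender's side, HID spoofing leaves a recognisable trace at enumeration time: a device the host sees as mass storage also announces a keyboard interface. The Python below, added here as an illustration and not part of the original article, parses constructed Linux kernel (dmesg-style) log lines for that pattern; the vendor and product IDs, device names and the keyboard allowlist are all made up.

```python
"""Flag USB devices that enumerate a keyboard interface (the BadUSB pattern)
from Linux kernel log lines. Sample log, IDs and allowlist are all constructed."""
import re
from collections import defaultdict
# Constructed allowlist of known keyboards (idVendor:idProduct); a real one comes from inventory.
KNOWN_KEYBOARDS = {"1a2b:0001"}
RE_DEVICE = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
RE_STORAGE = re.compile(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")
# "input:" lines carry the sysfs path, tying the HID id back to the USB port.
RE_INPUT = re.compile(r"input: (.+?) as /devices/\S*/usb\d+/([\d.-]+)/\2:\d+\.\d+/(\S+?)/input/")
RE_HID_KBD = re.compile(r"hid-generic (\S+): .*USB HID v[\d.]+ Keyboard ")

SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
usb-storage 1-1:1.0: USB Mass Storage device detected
input: Promo Drive 16GB as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:1234:5678.0004/input/input21
hid-generic 0003:1234:5678.0004: input,hidraw3: USB HID v1.11 Keyboard [Promo Drive 16GB] on usb-0000:00:14.0-1/input1
usb 1-2: New USB device found, idVendor=1a2b, idProduct=0001, bcdDevice= 2.00
input: Office Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:1A2B:0001.0005/input/input22
hid-generic 0003:1A2B:0001.0005: input,hidraw4: USB HID v1.10 Keyboard [Office Keyboard] on usb-0000:00:14.0-2/input0
usb 1-3: New USB device found, idVendor=9999, idProduct=0002, bcdDevice= 1.00
usb-storage 1-3:1.0: USB Mass Storage device detected
usb 1-4: New USB device found, idVendor=4444, idProduct=0003, bcdDevice= 1.00
input: Gift Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:4444:0003.0006/input/input23
hid-generic 0003:4444:0003.0006: input,hidraw5: USB HID v1.11 Keyboard [Gift Keyboard] on usb-0000:00:14.0-4/input0
"""

def analyse_usb_log(lines):
    """Return [(port, reason)] for devices whose enumeration looks like HID spoofing."""
    dev = defaultdict(lambda: {"id": "?", "name": "?", "storage": False, "hids": set()})
    keyboard_hids = set()
    for line in lines:
        if m := RE_DEVICE.search(line):
            dev[m.group(1)]["id"] = f"{m.group(2)}:{m.group(3)}"
        elif m := RE_STORAGE.search(line):
            dev[m.group(1)]["storage"] = True
        elif m := RE_INPUT.search(line):
            dev[m.group(2)]["name"] = m.group(1)
            dev[m.group(2)]["hids"].add(m.group(3))
        elif m := RE_HID_KBD.search(line):
            keyboard_hids.add(m.group(1))
    alerts = []
    for port, d in dev.items():
        if not d["hids"] & keyboard_hids:
            continue  # no keyboard interface, so not this attack pattern
        if d["storage"]:  # a storage stick that also types: the classic BadUSB profile
            alerts.append((port, f"composite storage+keyboard {d['id']} [{d['name']}]"))
        elif d["id"] not in KNOWN_KEYBOARDS:
            alerts.append((port, f"unrecognised keyboard {d['id']} [{d['name']}]"))
    return alerts
```

Run against the sample, port 1-1 is flagged as a composite storage-plus-keyboard device and 1-4 as an unlisted keyboard, while the allowlisted keyboard on 1-2 and the plain storage stick on 1-3 pass.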

The advent of an attack called USBKill was even more destructive, although much more localised. It turned the USB stick into a voltage injector, capable of delivering a power surge that would fry the motherboard and render the data on the PC unrecoverable. While this might be merely annoying in a corporate environment, its potential for disruption in an operational technology environment cannot be overstated.

Reviewing the potential for harm to your enterprise from the lowly USB port is an advisable step, but it is important to seek practicality in your solution.

According to Proofpoint's 2021 Voice of the CISO report, 70 percent of CISOs in the UAE still consider human error to be their organisation's biggest cyber vulnerability. CISOs in the UAE listed the use of unauthorised devices, tools such as USBs, and applications as the most likely ways employees put their business at risk.

Firms seek to whitelist software to control what may execute on their systems. This is a laudable control, but it lacks the pragmatism essential when managing the security of a fast-moving global organisation.

Data Loss Prevention is essential, but its effectiveness must be grounded in solid technical controls and applied automatically in a well-maintained data environment operated by staff trained in data security.

This leads us back to the user. The flexibility of USB has ensured it has maintained its position in the tech stack. Accordingly, attackers will seek ways to engineer their malware, physically and socially, to take advantage of that universal accessibility. A well-educated workforce – aware of their responsibilities, understanding the threats, and continuously informed of the latest defences – will provide the best protection.

Andrew Rose is the resident CISO for EMEA at Proofpoint