USB storage devices are ubiquitous in organizations. Flash drives, external hard drives, and memory cards provide users with a convenient way to copy, store, and share data. However, these devices can also present risk to an organization’s sensitive data from careless and malicious users.
For example, attackers may target “curious” users through USB Drop Attacks where USB sticks containing malware are mailed to organizations or simply left on the ground near an organization’s headquarters.
Malicious insiders often use portable storage devices for data exfiltration. In a 2022 report by Ponemon, 50 percent of the respondents reported that malicious insiders used unauthorized external storage devices like USB drives to steal data. Examples are quite simple to find:
The UK’s Information Commissioner’s Office fined Heathrow Airport £120,000 over a lost USB memory stick that held unencrypted personal information on Heathrow security personnel.
An IT employee at a UK nuclear complex was fired after she left several memory sticks containing classified information in a car park at the facility. She claimed the unencrypted software was necessary to allow her “work at home on her own computer after managers locked away official unencrypted USB drivers by 4.30pm for security reasons.”
An IT technician in Japan left work with two USB drives containing personal information on all 460,000 citizens of the city of Amagasaki. Unfortunately, after a long night of drinking at a local izakaya, he awoke in the morning without the drives. A frantic search located the drives days later.
What Can Organizations Do?
Security and IT professionals recognize the risk to sensitive data through uncontrolled use of these devices. Managing this with legacy DLP solutions can be challenging. Determining which users can access and move which classes of data using granular rules requires constant oversight and adjustments. This is difficult for large organizations and puts undue demands on mid-sized organizations with smaller security teams.
However, with the right DLP solution there are simple strategies organizations can adopt to protect against the loss of sensitive data via USB storage devices.
1. Device Control: Look for a solution that can enforce control over USB storage devices by implementing policies that allow or restrict their usage. Administrators can define rules to allow only authorized USB devices or block specific types of devices altogether. This prevents unauthorized or potentially malicious USB devices from being connected to the system.
2. Content Inspection: Use a solution that can scan the data being transferred to USB storage devices to detect or block the transfer of sensitive or confidential information. To be effective, this should not require pre-classification of data. Real time inspection and classification – as used in Reveal – classifies data as it is created and used.
3. Behavioral Analysis: At times, data transfers to USB devices are legitimate. Rather than requiring granular rules that result in inevitable false positives (and false negatives!), some DLP solutions can employ behavioral analysis techniques to identify unusual or suspicious activities. For example, if a user suddenly starts copying a large volume of sensitive data to a USB device or if they attempt to transfer abnormal file types, it may trigger alerts or actions to prevent potential data theft.
How Reveal Helps
Next Reveal can distinguish between authorized and unauthorized USB devices to prevent users from mounting unauthorized USB drives that may contain malware and prevent users from copying sensitive information to unauthorized devices. In turn, administrators receive alerts when new devices are discovered, including CDs, DVDs, SD Cards, cameras, printers, wireless, and gaming devices.
Real time content inspection and classification on the endpoint identifies sensitive data such as intellectual property, PHI, and PII as it is created and used to block unauthorized users from moving it to USB-enabled devices while still allowing transfer of files locally. AI and machine learning on the endpoint allows Reveal to make faster decisions to train employees and stop data loss.
Importantly, Reveal helps educate users to make better decisions by providing incident-based training. Pop-ups reinforce corporate security policies and can require acknowledgement of corporate policies or block actions.
Want to learn more? Contact the data loss prevention experts at Next and see how easy it is to implement Reveal.
Frequently asked questions
What are the primary risks associated with USB storage devices?
USB storage devices, like flash drives and external hard drives, present significant risks to organizations' sensitive data. They increase the risk of data exfiltration by malicious insiders, accidental data loss by negligent users, and potential malware infections from USB drop attacks, where attackers distribute malware-infected USB devices to unsuspecting employees.
How do USB drop attacks work, and why are they dangerous?
USB drop attacks involve attackers leaving malware-infected USB devices in areas where employees are likely to find them, such as parking lots or near an organization's headquarters. Curious or unsuspecting employees may pick up these devices and connect them to their work computers, inadvertently introducing malware into the organization's network.
How can we prevent data loss through USB devices?
Organizations can adopt several strategies to prevent data loss through USB devices, including:
Implementing policies that restrict the use of USB devices. These policies should only allow authorized devices to connect to the system.
Scanning data before it transfers to a USB in real time to block the transfer of sensitive information.
Using behavioral analysis to spot suspicious activity involving USB devices. If caught in time, many systems can trigger alerts that prevent data theft.
How does USB device control work?
With device control, administrators prevent unauthorized USB devices by defining rules that only permit authorized USB connections. This can include blocking specific types of devices, preventing unauthorized or potentially malicious USB devices, and ensuring that only approved devices are used for data transfers.
How does a DLP prevent USB-related data loss?
A DLP like Next Reveal helps organizations control the devices in their systems through:
Distinguishing between authorized and unauthorized devices
