Businesses need to be aware that cyber security experts have declared USB devices to be critically flawed and to pose a variety of security hazards to organisations. With this in mind, businesses are advised to set security policies and an acceptable use policy to protect their USB ports.
Karsten Nohl and Jakob Lell, researchers based in Berlin, have recently demonstrated to the BBC how a USB device could be used maliciously to infect a user’s computer without their knowledge. They add that USB devices are critically flawed because they can host and transport a variety of hacking software that can be used to target specific businesses, with no way for the end user to defend themselves against the vulnerability.
An example of how USB devices are critically flawed is the Stuxnet attack on Iranian nuclear centrifuges, which is believed to have been caused by an infected USB stick. Cloud Host reported in 2012 that this attack “did not spread via email or the Web, but only across LANs or by infecting USB drives plugged into an infected machine. While spreading, it used multiple mechanisms to avoid detection by AV software. Its device drivers were digitally signed with a genuine certificate stolen from a Taiwanese company. It also evaded AV heuristics using a sophisticated technique to work around the dependence of heuristic analysis on LoadLibrary activity”.
Nohl and Lell have commented that new attacks can be contained on a seemingly empty USB device and can be used specifically “as a way of getting viruses and other malicious code onto target computers.” They go further, commenting that these viruses can be carried on any type of device that connects via a USB port, including mobile phones, external hard drives, headphones and speakers. Nohl told journalists that the situation “will affect us, a little bit, every day, for the next 10 years” and that “you can never trust anything anymore after plugging in a USB stick.”
To show that USB devices are critically flawed, Nohl and Lell demonstrated at the latest ‘Black Hat’ hackers conference in Las Vegas how “malicious code implanted on the stick tricked the machine into thinking a keyboard had been plugged in” and that “after just a few moments, the ‘keyboard’ began typing in commands – and instructed the computer to download a malicious program from the internet”.
Taking this research into account, businesses should create a security and acceptable usage policy to protect USB ports and to stop their employees plugging in any form of USB device. Users should be aware that even if they believe a USB device to be safe, it may have been infected in the past and could be spreading a virus wherever it is plugged in.
If you’d like assistance in creating a security and acceptable usage policy for your company, speak to one of our IT Consultants today who can sit down with you and create a document tailored to your business and its needs.