
How a simple USB stick can threaten your corporate network

on October 28, 2010

Ever found a USB stick in your letter box, at your desk or on the street? What would you do with it? Yes, you’d probably check what’s in there.

But wait…

Have you ever thought about the potential risks you could incur by exploring the content on a stranger’s USB device? Especially if the USB device is connected in an environment where sensitive information and data are available and accessible?

If not, then let me tell you about a true story which I heard from a friend a few years ago.

As you may know, business-related data theft is (unfortunately) becoming a common security risk, and in most cases the illegitimate knowledge transfer is performed through a simple USB trick.

Most USB devices belong to legitimate users, so how and why would a user insert a USB stick containing malicious code into a machine which is connected to a corporate network?

Often social engineering tricks are required to reach such targets. However, any social engineering activity can only be successful if the victim trusts you and you are able to convince him to perform the steps required to activate malicious code on the target machine.

Going ahead with the story…

One day someone placed several USB devices in or near specific cars in a car park. These cars belonged to the managers of a successful business company. One of the managers who found one of these USB devices was curious enough to check what was on the device. So without taking any precautions he plugged the USB device into his laptop and this automatically enabled the Trojan that was stored on the USB. It was “Game over” for the poor victim as his laptop was infected; however, the more serious part of the story is that he may well have put his company at risk without even realising.

Any software that controls endpoint connections such as USB devices, and either grants or denies them access to the corporate system, would be of great help to an administrator in avoiding the injection of malicious code into a clean corporate network.

By blocking people from connecting unauthorised devices to the corporate network, you would prevent unnecessary risks for any company. Furthermore, implementing endpoint security software allows your administrator to be notified about any breaches of these existing company policies.

 
Comments
Samuel October 29, 2010 12:16 pm

Well to say, the GFI End point Security software worked well when I used it on trial. So I think it handles issues like this properly…

Harrison Wright December 15, 2010 4:52 pm

I think that the “innocent” business manager might have actually dodged a bullet. It would’ve been a completely different story if the malware contained in that USB was designed to transmit confidential information. In the grand scheme of things, compromised files of a single laptop are peanuts compared to losing trade secrets to competitors. It may sound like something straight out of a spy film, but corporate espionage has gotten to a point where people don’t think twice about profiting from pilfered data.

June December 29, 2010 6:28 am

@Harrison

I’d think you were absolutely bonkers if I hadn’t worked in retail marketing for over three years before moving into software. A close co-worker of mine, out of the blue, was called into the office of an executive and left with his bags packed. I only later found out that he was photocopying sensitive corporate strategies and selling them off to our competitors. True story. I thought I had known the man pretty well, but it does feel lifted out of a spy film when you realize that you don’t really know what the people you’re working with are capable of.

Elmer December 29, 2010 6:40 am

A friend of mine who’s been working in advertising told me this crazy story about how some conniving companies use freebies to pilfer confidential information from their clients and customers. As a supposedly “harmless” giveaway, the company thought of giving out custom-print USB drives to their valued customers. What they didn’t mention, however, was that these drives came pre-loaded with software designed to transmit purchasing habits of their customers. Though my friend wasn’t willing to divulge the name of the company behind it, he was keen on mentioning that they were in an industry where their customers weren’t expected to be tech savvy at all, and not be suspicious of activity like this.

Ray December 29, 2010 6:57 am

Because of threats like this, a lot of managers have considered shutting out USB functionality altogether. But I firmly believe that this is a counterproductive approach towards security. Shutting out your staff from using another means of making them more productive and more efficient would be much like any other virus or malware shutting it down itself. Although most security specialists believe that cutting off the head of a snake is the best way to kill it, maybe that analogy doesn’t necessarily apply here.

Donna January 5, 2011 5:15 am

A lot of my co-workers have begun utilizing password-protected USB drives to prevent remote tampering of the device itself. Management in our company has deemed it to be so effective that password-protected USB drives are being given out for free as company property for staff use. Password-protected USB drives may not be better than not misplacing the drive itself, but it’s at least an additional security measure.

Gerry January 5, 2011 5:24 am

I was just wondering if the article was posted as a complete piece. Although it seems to read like a finished article, on my browser I see unfilled bullet points underneath the posting. Being quite interested in the subject matter of USB-based security vulnerabilities, I was wondering if maybe some additional points were meant to be included in the article which were not included in the final blog post.