The Danger of USB Keys: Weighing Security and Convenience
The following article is from guest contributor Raj Bakhru, CFA, Chief Executive Officer at Aponix Financial Technologists.
At Aponix Financial Technologists, we often find ourselves speaking to our clients about the risks of allowing access to USB storage devices such as external drives and USB keys. While they are convenient file transfer tools, they can also be quite dangerous to a firm's operations. Our argument for blocking access historically has been two-fold:
Intellectual Property (IP) concerns: It's obviously very easy for confidential or proprietary data to leave the firm via USB keys.
Malware concerns: It's easy for malware to enter the firm via infected files on a USB key brought from home or from other unmanaged or unprotected systems.
Earlier this month, though, the "BadUSB" exploit was released to the public. A few months ago, white hat (ethical) hackers demonstrated that USB key firmware could be overwritten and effectively sabotaged to allow the USB key to perform some very malicious actions, e.g. taking control of the computer's mouse and keyboard, among other things. USB keys affected by this exploit become weapons of destruction and data breaches, and, as the hackers demonstrated, the malicious code can be extremely well-hidden on the USB key. In fact, because the exploit resides in the USB key's firmware, deleting all the contents of the USB key does not remove the malicious code. It is currently unknown how many USB devices suffer from this vulnerability, but the expectation is that it will be years before device manufacturers correct their devices and the existing vulnerable devices are no longer in use.
This exploit has added ammunition to the case against USB keys in firms. As with many security decisions, security and convenience face off against each other here, but perhaps the security concerns outweigh the convenience for your firm. Firms should discuss their need for USB keys and the policy around enabling them. If so desired, disabling access to USB storage devices is relatively quick and easy for your IT provider. We have had a number of our clients reconsider their USB policy in light of this new exploit and decide to move forward with a more secure policy.
Read more about this exploit at Wired: www.wired.com/2014/07/usb-security/
About the Author
Raj Bakhru, CFA is the Chief Executive Officer of Aponix Financial Technologists. Aponix Financial Technologists provides technology and cyber-security risk assessments, vendor due diligence, network testing, phishing testing and staff security training, information security documentation, and advisory for financial firms. Learn more at www.aponixft.com.