The last thing Australian phone company Telstra expected when it presented at computer security conference AusCERT 2008 this past May was to be a source of malware. Attendees at that session were given a USB memory device loaded with promotional information – and, unknown to them, an auto-run, self-installing Trojan horse.
"Telstra handed out USB sticks which they didn't know were infected,” says Claire Groves, the marketing manager of AusCERT. “As soon as they found out they recalled them."
Luckily for Telstra, the damage was simply to its image. The malware was detected almost immediately, and all the USB devices were returned safely, according to Telstra spokesman John Short.
“No one was harmed, we very quickly contained any of the possible damage,” claims Short. “We're taking steps to ensure this won't happen again.” Short didn't comment on just what steps, or how this could have happened in the first place.
Passing out free USB memory devices as promotional items, sometimes with information loaded on them, is a common occurrence, and the fact is they have quickly become ubiquitous. Convenience is important when doing business, and the USB ports on computers are as convenient as computer access can get. USB devices make it possible to take your work along anywhere and use any computer to work on it, pass large amounts of information to others in a handy-to-carry format, and then transport it back to your home or work computer. That's the good news.
Watch out for security holes
The bad news is it's potentially one of the worst security holes you have -- and chances are you're not doing anything about it. According to the 2008 Information Security Breaches Survey from PricewaterhouseCoopers, 67 percent of companies surveyed do nothing to prevent the transfer of confidential data on USB plug-ins, including flash memory sticks, iPods and MP3 players, external drives, handhelds, and similar devices.
According to a Gartner study, USB and Firewire portable storage devices pose two kinds of threats:
They allow users to bypass company network defenses, including firewalls and e-mail server anti-malware, and potentially introduce malware from the inside.
Portable storage devices allow employees and intruders to remove sensitive information from an organization's otherwise secure premises.
Since the malware enters the network from an internal device, it may go undetected until significant damage is caused. Information removed can include health data, embarrassing corporate secrets, intellectual property, employee and customer identities, and pretty much anything that is digitized on your servers.
Confidential information compromised by either of these threats can involve privacy laws at the state and federal levels, dictating large fines. An organization's reputation, and thereby its ability to attract new investors or customers, might be damaged or even destroyed.
Frustration to IT managers
The problem can be a real frustration to IT departments. There have even been reports IT managers gluing the USB ports shut, most notably at Los Alamos National Labs, where a simple drug raid led to the discovery of a USB stick in the possession of a former lab employee which contained classified nuclear weapons data. Their solution? Glue the ports shut.
“I've heard some business people say that when it comes to USB security questions, epoxy is awfully cheap,” says Ted Doty, product line manager, for Cisco'sCisco Security Agent (CSA) product. “But while it's not necessarily the best approach, you may be losing sleep at night over what kind of data is going out through all these media.”
Doty describes the situation as “this tension between security and usability. What if your workers need to use USB for legitimate business? At what point do I start turning my users into my worst enemy?”
Blocking or disabling the USB ports on each workstation may seem like a quick fix, but the advantages of using USB for legitimate business purposes can quickly outweigh the need to simply eliminate it as an option. Better to deploy a solution that gives you more control of USB and Firewire ports.
Options like the Cisco Security Agent, Centennial Software's DeviceWall or TriGeo's USB-Defender can watch all ports on all workstations, with the ability to log each device as it's plugged in, and selectively block any data from entering or leaving, such as credit card or social security numbers, or entire documents. An alternative is something like McAfee's newly released Encrypted USB flash and hard drives with special security features like AES 256 security and the capability of two-factor encryption. This encryption can include RSA tokens or biometric security in addition to passwords.
But however you address the problem, do make sure you take some kind of measures. The growing risk of portable storage devices as a security hole is simply not something any responsible business can ignore.
“You need to see exactly what is entering and leaving via all forms of media, as well as the Internet connections. CD and DVD-RW, Bluetooth, IR, USB, Firewire, all are potential entry ports for malware, and are exit points for sensitive data,” says Doty. “It's a bad day for any IT department if they end up on the front page with a data breach. To avoid that, visibility into all your IT issues becomes your best friend.”