IX. Thou shalt never insert nor allow to be inserted, a USB memory stick that thy hath never had complete control of since it was removed from its packaging.


Summary:

This is an easy commandment to follow, but there may be a temptation to breach it for convenience.

If you find a USB memory stick on the street or in a car park, bring it to a waste electrical goods recycling centre and dispose of it there. I was going to say place it in a bin, but that would not be good for the environment.

If anybody comes to you and wants you to plug a USB memory stick into your desktop or laptop, just don’t! No matter what promises they make as to the security and cleanliness of their systems, you simply cannot trust the device.

It’s not really the data files on the USB memory stick that you are terribly worried about (although you should be concerned about macro viruses) but the other hidden nasties that could be lurking on it. Your IT team might have disabled the “AutoRun” capability on your machine, but if the evil doers really want to get inside your network, they could implant a piece of evil code deep within the hardware of the USB stick that can infect files being copied to and from the USB memory stick.

It’s not just USB memory sticks that you need to be careful of, but any USB connected device (e.g. a mouse) that you just “happen” to discover lying on the ground of your company’s car park. They could all be loaded with nasty code that might spy on you and your company if they were connected.

The only USB devices you should allow to connect to your device are those which you have purchased new from a reputable source and which were still in their shrink-wrapped packaging when they came to you. Never let these out of your control, and never allow them to be connected to anybody else’s machine.

That’s all there is to it. I will continue below with some details on USB device security concerns and workarounds to avoid the temptation to breach this commandment. So if you are not interested in such particulars, just don’t allow any strange/unknown USB devices to be connected to your desktop/laptop.

Detail:

CDs, DVDs and Micro SD cards are bad too:

All sorts of removable media are a concern, and it has always been so since the dawn of the floppy disk. Viruses and Trojan Horses have been spreading for decades via removable media. We should therefore be just as concerned about the provenance of any such media before we let it near our machines.

The particular concern with USB devices is that there is an additional risk coming from the electronics on board the device itself. A DVD does not have any electronics on it.

A USB Memory stick is ideal for data theft:

The focus so far has been on the spreading of malware. However, a big risk to a business of having unsecured USB ports on its machines is the theft of data. We are not just talking about some evil doer coming into your office and stealing the data. We are talking about those people who are working for you and have access to your company’s inner secrets and files. For example, you may have a facilities manager who is thinking about quitting; they may copy your entire customer database to a USB stick before they hand in their notice.

Obviously you need to enable your staff to access that which they need to do their job, but do they have access to data that they don’t need to have access to? In the example above a facilities manager has no need to access your customer database, so they should be prevented from accessing it.

You should apply what is called the rule of least privilege. Put simply, start from a point where nobody has access to anything (with the obvious exception of the trusted administrator account). Then grant appropriate access (read-only, read-write-update-delete) to the relevant sets of data as required.

If you need support in carrying out a review of your security set up, just contact us in L2 Cyber Security Solutions.

Needing to transfer large files from one person to another:

So a colleague needs to share a large file (e.g. a presentation) that they have been working on for days, and the file is too big to e-mail to you. Well, if they are a colleague then they should simply store the file on a network file share.

Of course they may have worked on this presentation on their own personal home PC, if they don’t have a company laptop. In this case I wouldn’t even trust the presentation as the home PC is a complete red flag. If your company expects employees to work on projects at home, they should either (a) provide them with a laptop full time or (b) have a pool of “loaner” laptops which the employees can borrow. These laptops should be configured to meet the company security standards and are only for use by the employee and not their family.

The person needing to transfer the files may be working for a different company (e.g. a vendor or a solicitor). There are plenty of cloud based storage solutions available – Google Drive, SkyDrive, Box, iCloud and Dropbox to name but a few. They all come with a free offering which should be more than adequate for most needs. The files to be transferred can be uploaded to the cloud and then shared with the intended recipient. It might be a good idea to compress the files with a good password before uploading to give additional security.

You should disable all USB ports:

Disabling AutoRun may not be adequate to protect your machine from an infection. You should ideally disable the USB ports in the hardware settings of your computer; however, this would prevent you from using a USB mouse and keyboard.

You can get software that will effectively disable the USB ports for all devices other than a mouse, keyboard and a printer. This would be useful for preventing somebody copying lots of data from your network. However, a committed hacker who wants to spy on your business can get a USB stick that will either emulate a keyboard or be connected in-line with your existing keyboard and then log all of the keystrokes you make, which would include your passwords.
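The sketch below is an added example, not code from this post or from any particular product. It shows why a "mouse, keyboard and printer only" rule blocks a memory stick but lets through a stick that presents itself as a keyboard, and how pinning keyboards and mice to an inventory of company-issued devices closes that gap. The device records, the ISSUED inventory and the function names are all constructed for illustration.

```python
# Added example: a class-based USB allowlist evaluated over constructed device records.
from dataclasses import dataclass

HID, PRINTER, MASS_STORAGE = 0x03, 0x07, 0x08   # standard USB interface class codes
ALLOWED_CLASSES = {HID, PRINTER}                # "mouse, keyboard and printer only"

# Hypothetical inventory of company-issued devices: (vendor id, product id, serial).
ISSUED = {(0x1111, 0x0001, "KB-0001"), (0x1111, 0x0002, "MS-0001")}

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interface_classes: tuple   # class code of every interface the device exposes

def class_policy(dev):
    """Allow only if every interface is HID (mouse/keyboard) or printer."""
    return all(c in ALLOWED_CLASSES for c in dev.interface_classes)

def pinned_policy(dev):
    """Class policy, plus: any HID device must be in the issued inventory."""
    if not class_policy(dev):
        return False
    if HID in dev.interface_classes:
        return (dev.vid, dev.pid, dev.serial) in ISSUED
    return True

# Constructed sample devices (all ids are made up).
SAMPLES = {
    "issued keyboard": UsbDevice(0x1111, 0x0001, "KB-0001", (HID,)),
    "office printer": UsbDevice(0x2222, 0x0010, "PR-0001", (PRINTER,)),
    "found memory stick": UsbDevice(0x3333, 0x0100, "", (MASS_STORAGE,)),
    "stick emulating a keyboard": UsbDevice(0x3333, 0x0101, "", (HID,)),
    "stick with storage + keyboard": UsbDevice(0x3333, 0x0102, "", (MASS_STORAGE, HID)),
}

def evaluate(policy):
    """Return {device name: allowed?} for every sample device."""
    return {name: policy(dev) for name, dev in SAMPLES.items()}

if __name__ == "__main__":
    by_class, pinned = evaluate(class_policy), evaluate(pinned_policy)
    for name in SAMPLES:
        print(f"{name:30} class-only={by_class[name]!s:5} pinned={pinned[name]}")
```

The identifiers a device reports are chosen by the device itself, so pinning raises the bar rather than proving a device is genuine. A logger wired in-line with an issued keyboard may not appear as a new device at all.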

A USB stick can destroy your hardware:

Some enterprising people have created a USB memory stick that will fry the electronics on the motherboard of a computer simply by inserting it into a port. While there is no apparent purpose, other than the wanton destruction of somebody’s desktop/laptop, it could be used as part of a campaign to disrupt somebody’s business during merger/acquisition discussions.

Hosting a Conference event:

I attended a seminar where the CEO of the company sponsoring the whole event openly admitted that he lost a laptop at a previous seminar to malware after one of the other presenters inserted an infected USB stick into the CEO’s laptop to get his presentation.

If you are organising such an event, you should make sure all of the presentations come to you via the channels described in the transferring large files section above. It might also be an idea to have a backup laptop too.

Conclusion:

If you have any comments, suggestions or questions on the above, please leave a comment below.

Do you have a Commandment for Cyber Security to add, or any thoughts on those that I have listed? If so, please let me know and I will do a follow-up after I have completed the run through.