Have you ever had one of those days; starting with burnt toast in the morning or no milk in the fridge for your coffee and then you get to the office or your client’s office on the day of the important meeting and you realise that your USB drive has decided not to accompany you……. The panic immediately sets in; where is it? When did I last have it? Where have I been? How could I lose it? Was it encrypted?
Losing your trusty USB flash drive……. Is it merely an inconvenience? Or could it be worse? Or much, much worse? Well, that would be determined by a number of factors.
So, what are we talking about here? Wikipedia states that flash drives use little power, have no fragile moving parts and for most capacities are small and light. Data stored on flash drives is impervious to mechanical shock, magnetic fields, scratches and dust. These properties make them suitable for transporting data from place to place and keeping the data readily at hand. However, it may not just be the trusty USB drive that you use for portable storage / removable media and it could include any of the following:
- Optical discs
- USB flash drives
- Memory cards
- External hard drives
- Cameras
- Music players (MP4 etc)
- Smart Phones
You can currently purchase a 1TB USB Flash drive from Amazon (also available at other retailers….) for under £20. Sounds fantastic doesn’t it? Storage wise what does this £20 get us?
That’s a huge amount of data; it could be a lifetime of photographs or an entire movie collection. If this was your own data then it would be very inconvenient and potentially very upsetting if the data had not been backed up or indeed if there was something on your drive that you wouldn’t want in the public domain; the photos of your 3rd birthday party or perhaps the morning after the night before your 21st.
A recent study in the US detailed that an alarming percentage of companies do not consider protection of data on a USB drive to be a high priority. In fact, it went on to show that less than one-third of organisations believe they have adequate policies to prevent USB misuse. This is strange when you consider that nearly half of large organisations have lost sensitive or confidential information on USB drives in the past 24 months and that this number is steadily climbing. We aren’t talking about the odd file here and there; on average 12,000 customer records are lost per organisation due to lost or missing USB drives.
Of course, not everybody who finds a USB drive is a criminal or has nefarious intentions, but the loss of your flash drive is not exactly like losing your car keys. keys can be replaced; albeit the modern car key is a lot more complex that the average house key, but a lost, unencrypted USB drive can have immediate and irreversible consequences.
As we are all well aware and too many of us have personal experience of; identity-theft is a multi-million dollar business and is growing at an alarming rate. Trying to keep up with this are the commercial Cyber Security industry and the National Cyber Security Centre (NCSC).
In our nearly always-connected world and with the advent of the Internet of Things (IOT), we are bombarded with information about anti-virus software, firewalls, routers and password policies etc etc in order to protect our private information on our own personal computers. But when we’re not dealing with our own information, we are sometimes guilty of not applying the same methodology to prevent disastrous consequences; despite the corporate direction and policy that is there to protect against that eventuality.
Taking things one step further and that USB flash drive that has decided to detach itself from you; what if it contained a quantity of personal data? With the new General Data Protection Regulation (GDPR) shortly coming into effect to supersede the Data Protection Act (DPA), we all need to be aware of what impact this can have on the organisation that we work for, their employees and in this case, the subjects of the data contained on the misplaced USB flash drive.
With the advent of the GDPR, the seriousness of data loss, breach, access, alteration and destruction could result in serious financial consequences to an organisation.
Under the GDPR, a breach of security which requires notification to the supervisory authority is classed as:
“Any breach which is likely to have a significant detrimental effect on individuals which could lead to: discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage”.
The impact on an organization of such a loss can be potentially catastrophic with significant fines of up to €20million Euros or up to 4per cent of an organisations global turnover.
Let’s now spin this issue on its head; if you found a lost USB drive what would you do? Would you take it home, plug it in and have a snoop around? What if you found something incriminating? Or someone’s full banking details? Perhaps the drive contained the details of one of your competitor’s next ‘big thing’. What if there was a possibility to make a lot of money if you sold it?
One thing we should know is that a USB drive found on the street is potentially a bad thing as well as the fact that it blatantly does not belong to you; if you found a Porsche key, would you try and open every Porsche you came across…no, of course you wouldn’t. So why pick up and open the USB drive?
Perhaps it was dropped intentionally…
As part of a security exercise a number of computer disks and USB drives were dropped in the car parks of both government departments and private companies. 60% of the people who picked them up plugged the devices into office computers. Furthermore, this number increased to near 90% if the drive or CD had an official logo on it. As one rather famous quote puts it:
“There’s no device known to mankind that will prevent people from being idiots.”
Which nicely brings us on to Baiting – a popular form of social engineering. Baiting the attacker uses physical media; for example; a disc, USB flash drive or other portable media and relies on the curiosity or greed of the victim. The attacker will leave media in a location frequented by many (bathroom, lift, pavement, car park, coffee shop, etc.) and as detailed above, will give it an official looking logo / label. The attacker then sits back and waits for the victim to use the device which is, of course, loaded with malware.
According to the NCSC:
“Removable media provides a common route for the introduction of malware and the accidental or deliberate export of sensitive data. You should be clear about the business need to use removable media and apply appropriate security controls to its use”.
What is the risk?
- Loss of information: Removable media is by its nature removable and is getting smaller and capable of holding more and more data. The media can be easily lost or stolen which can result in the compromise of a large amount of private, sensitive or confidential information.
- Introduction of malware: By not controlling the use of removable media we will significantly increase the risk of introducing malware to our home computers and to corporate networks.
- Reputational damage: Either of the above events can lead to a level of reputational damage which the organisation may not be able to recover from.
- Financial damage: Fines of up to €20million Euros or up to 4per cent of an organisations global turnover for a loss of personal data.
How can these risks be managed?
- Limit the use of removable media. Both the amount of removable media and the number of individuals who require it for their role. After all it’s easier to look after one USB drive rather than 10 and it is far quicker to account for. Also lock down the ports / drives so that removable media will not run for anyone who does not have a business need for that type of access.
- Ensure that all removable media is scanned for malware automatically when it is introduced to any system. The removable media policy could also require that any media brought into the organisation (visitors, contractors etc.) is scanned for malicious content by a standalone machine before any data transfer takes place.
- Issue media to users. All removable media should be formally issued to individual users who will then be accountable for its use and safe keeping. The issued media could also be subject to periodic accounting checks. No unofficial media should be introduced to the organisation by employees.
- Encrypt information held on media. All information should be encrypted at rest on removable media. If this is not possible then more stringent accounting should be in place along with the appropriate physical protection of the media.
- Ensure that the reuse and disposal of removable media is corporately managed. Where removable media is to be reused or destroyed then appropriate steps should be taken to ensure that previously stored information will not be accessible. The processes will be dependent on the value of the information and the risks posed to it and could range from an overwriting process to the physical destruction of the media by an approved third party. For more information refer to NCSC’s Secure Sanitisation of storage media.
- Education. Ensure that all users are aware of their personal responsibilities for following the removable media security policy.
- Produce corporate removable media policies. Implement policies and solutions that are effective in controlling the use of removable media. Ensure that removable media is not the default method used to store or transfer information. Information should be stored on corporate systems and exchanged using appropriately protected mechanisms.
Learn more about how to protect your business from cyber-attack by downloading other blogs in this series from our website.
Home Office and Defence Intelligence trained, Wayne Gill GCGI A.Inst.ISP specialises in cyber security threats, countermeasures, security tools and technologies. He is a Senior Consultant at Arcanum IS Ltd, a specialist Cyber Security Consultancy working with Businesses, Government and Defence Industry.