As cloud storage has grown in popularity, the use of USB flash drives has declined in many settings. The decline in popularity of USB flash drives, however, hasn’t necessarily diminished their threat, as they are still a common tool in some settings.

“If you had asked me ten years ago if I thought USB flash drives would still be in widespread use, I probably would have laughed and said ‘no way’. But here we are,” says Don Foster, a cybersecurity expert in Des Plains, Illinois that specializes in industrial clients. USB flash drives still enjoy a following in industrial environments.

Foster explains that system reboots, or data stored on USB flash drives, are viewed as more secure because there is no connectivity involved. While USB flash drives can be handy for use on air-gapped systems, they are only as secure as the people who handle them.

“And, yes, it is true that they can be very secure, but only if you know with 100 percent certainty that the chain of custody for a USB flash drive hasn’t been compromised,” Foster comments.

Growing risk of USB flash drives

A report by Honeywell highlights the growing popularity – and risks associated with USB flash drive usage in some sectors.

Data from the 2021 Honeywell Industrial USB Threat Report has some surprising findings. Among them:

  • 37 percent of threats were specifically designed to utilize removable media, which almost doubled from 19 percent in the 2020 report. 
  • 79 percent of cyber threats originating from USB devices or removable media could lead to critical business disruption in the operational technology (OT) environment. At the same time, there was a 30 percent increase in the use of USB devices in production facilities last year, highlighting the growing dependence on removable media.

USB flash drives provide a sense of security and separation from connectivity. And studies have shown people are comfortable with the drives.

In fact, Foster points to a 2016 study at the University of Illinois that shows the conundrum created by dependence on USB flash drives, when researchers simulated a malware attack by leaving 300 flash drives at various places on campus.

“We find that the attack is effective with an estimated success rate of 45 – 98% and expeditious with the first drive connected in less than six minutes,” the study says. This points to the need for MSPs to coordinate with physical security staff.

“MSPs have a lot to look after, and they can’t be expected to look after the physical facility. That said, it would be extraordinarily easy for someone acting like a maintenance worker or faculty inspector to leave tainted drives in a critical facility. All it would take is one person to plug the wrong flash drive into the wrong device,” Foster advises. He adds what keeps him up at night, though aren’t the critical facilities.

“The physical security in, say, a nuclear site is usually pretty strong – it’s the weak link the supply chain, say a relatively low-security vendor, that I worry about,” Foster says.

What MSPs should do the to help ensure the security of USBs

To begin with, if applicable, an MSP should work with the physical security team to ensure the security of USB flash drives in use by the business. Security cameras, for example, should be in place and be able to access to areas where IT equipment is limited.

“It seems strange to have MSPs get involved in the work of what should be the responsibility of the security team, and we’re not saying that the MSP should also be the police, but simply open a line of communication with the security team,” Foster advises. “If the security team has seen someone potentially tampering with IT equipment, the MSP needs to know.” And in really small businesses that don’t have an internal security team, MSPs should take the lead in making sure the physical areas are secure from the use of un-approved USB flash drives.

The second action Foster recommends is using encrypted USB flash drives with Windows Bitlocker or Mac Native Encryption. This provides a layer of protection should a USB flash drive with sensitive data fall into the wrong hands. Some models have fingerprint authentication.

The third action is to educate employees never to plug in unknown USB flash drives.

“Cybersecurity is a game of odds – you are always trying to tilt the odds in your favor, and sometimes the simple, and inexpensive, action of educating people on the danger is enough. All it takes is one malware-laced USB flash drive to get through for the hackers to win, so if you educate about it and one employee decides to take the USB to IT before inserting it, that is a win,” Foster says.

Some companies also have a very stringent chain of command for flash drives, and an MSP may want to have their client institute a “flash drive library.”

“One manufacturing facility I work with in Chicago has employees `check out’ USB flash drives from the IT department just like they are checking out a library book, each USB flash drive is catalogued and scanned upon return and check-out,” Foster remarks.

The bottom line: MSPs have a lot to watch out for when it comes to cybersecurity and connectivity. It would be easy to ignore the lowly USB flash drive, but doing so can be dangerous.

Photo: Oleksandr_Delyk / Shutterstock

Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

One Comment

  1. Avatar

    Yes, personally I don’t like to insert the USB drive into my windows system without checking for malware by any antivirus.

    Reply

Leave a reply

Your email address will not be published. Required fields are marked *