In 2009, the Natanz nuclear facility in Iran suffered a debilitating cyber attack on its systems, substantially damaging its equipment and delaying Iran’s entire nuclear programme. How was the attack perpetrated? By a worker inserting an infected USB stick into a system computer.
In 2008 the Pentagon suffered its most serious data breach when a worm was introduced to its systems via a portable flash drive, compromising the highest levels of US defence intelligence.
In 2011 a detective with Greater Manchester Police had a USB stick stolen from his home, which – unencrypted and with no password protection – contained information on over 1000 people involved in serious drug crime investigations, and other highly sensitive data on police officers and their operations.
And yet… how many of us have plugged our smartphone or iPod into a computer to charge, transferred files using a USB stick, or used an external hard drive to back up data?
We’re not doing this as cyber criminals intent on sabotage, but the truth is that even the most trustworthy of staff can unwittingly wreak extensive damage to an organisation’s systems and reputation through thoughtless use of removable media.
In addition to the other employee-related risks we’ve covered in our last few blogs, the risks posed by the use of removable media are huge.
What is removable media?
It’s not just the humble USB stick: removable media refers to anything that can be brought into an organisation and plugged into a computer: external hard drives, smartphones and tablets, iPods, Bluetooth devices, recordable CDs and DVDs, SD cards, even digital cameras, smart watches or an unassuming office printer.
And just what are the risks we’re talking about?
- Loss of information: As discovered by the Manchester detective, removable media is very easily lost or stolen, compromising any information stored on it. Some media types will retain information even after you think you’ve deleted it, while others do not have long lifespans, meaning the media could ‘die’ on you, losing important data if it is not backed up elsewhere.
- Introduction of malware: As seen at the Natanz nuclear facility and by the Pentagon, removable media can, in one swift movement, introduce catastrophic malicious software to systems.
- Reputational damage: The loss of media can result in significant reputational damage, even if there is no evidence of any specific data loss. Being careless with other people’s vital stats doesn’t make you look like the best guys to do business with.
So, we get the picture. But what can we do to reduce the risk of these things happening? In today’s digital world it would be impractical and draconian to ban the use of removable media altogether. Instead, the UK National Cyber Security Centre recommends the following:
- Produce clear corporate policies to control the use of removable media. Promote a culture in which removable media isn’t the default mechanism for storing and transferring information, and push to store data instead on corporate systems and exchange it using appropriately protected mechanisms.
- Limit the use of removable media to only what is absolutely central to supporting a business need. Limit it to the minimum media types and users needed. Ban the plugging in of personal items such as phones, tablets or smart devices, and deny access to media ports by default, only allowing access to approved users.
- Scan all media for malware when it is introduced to any system. Ideally your policy should require that any media brought into the organisation is scanned for malicious content by a standalone machine before any data transfer takes place.
- Issue approved removable media to individual users who will be accountable for its use and safe keeping. Users should never use unofficial media, such as USB sticks given away at conferences.
- Encrypt the information held on removable media. If encryption is not employed then appropriate physical protection of the media is critical.
- Manage the reuse and disposal of removable media, to ensure that previously stored information will not be accessible. This could range from overwriting the data to the physical destruction of the media by an approved third party.
- Educate users and maintain awareness, ensuring that all users are aware of their personal responsibilities for following the removable media security policy.
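The "deny by default, approved devices only" and "issued, accountable media" recommendations above need a way to check that the policy is actually being followed. The script below is an added example, not code from the original post or from the NCSC: it parses Linux kernel (dmesg-style) USB enumeration lines, groups them per port, and flags any mass-storage device whose vendor ID, product ID and serial number are not on an organisation's allowlist. The sample log lines, the allowlist entries and the serial numbers are constructed placeholders; a real deployment would feed it live `dmesg` output or journald logs and maintain the allowlist from the asset register of issued media. It is a detective control that complements, rather than replaces, blocking media ports at the endpoint.

```python
"""Flag unapproved USB mass-storage devices seen in Linux kernel log lines.

Added illustration only: the log lines, allowlist and serials below are
constructed placeholders, not data from any real system.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample of dmesg-style lines: one approved key, one conference
# giveaway stick, and a wireless receiver (not mass storage, so out of scope).
SAMPLE_DMESG = """\
[  120.501234] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  120.630001] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  120.630010] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  120.630015] usb 1-1: Product: Corporate Key
[  120.630020] usb 1-1: SerialNumber: CORP-APPROVED-0001
[  120.650000] usb-storage 1-1:1.0: USB Mass Storage device detected
[  300.100000] usb 1-2: new high-speed USB device number 4 using xhci_hcd
[  300.230000] usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  300.230010] usb 1-2: Product: Conference Giveaway
[  300.230020] usb 1-2: SerialNumber: UNKNOWN-0002
[  300.250000] usb-storage 1-2:1.0: USB Mass Storage device detected
[  310.000000] usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
[  310.000010] usb 1-3: Product: USB Receiver
"""

# Approved, individually issued media: (idVendor, idProduct, serial). Placeholders.
ALLOWLIST = {("0781", "5583", "CORP-APPROVED-0001")}

TIMESTAMP_RE = re.compile(r"^\[\s*[\d.]+\]\s*")  # optional "[ 120.5012]" prefix
FOUND_RE = re.compile(
    r"^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})"
)
SERIAL_RE = re.compile(r"^usb (\S+): SerialNumber: (\S+)")
PRODUCT_RE = re.compile(r"^usb (\S+): Product: (.+)$")
STORAGE_RE = re.compile(r"^usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vendor: str = ""
    product_id: str = ""
    serial: str = ""
    name: str = ""
    mass_storage: bool = False


def parse_dmesg(text: str) -> dict:
    """Group USB enumeration lines by bus port (e.g. '1-1') into UsbDevice records."""
    devices: dict = {}
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw.strip())
        if m := FOUND_RE.match(line):
            port, vid, pid = m.groups()
            dev = devices.setdefault(port, UsbDevice(port=port))
            dev.vendor, dev.product_id = vid, pid
        elif m := SERIAL_RE.match(line):
            port, serial = m.groups()
            devices.setdefault(port, UsbDevice(port=port)).serial = serial
        elif m := PRODUCT_RE.match(line):
            port, name = m.groups()
            devices.setdefault(port, UsbDevice(port=port)).name = name
        elif m := STORAGE_RE.match(line):
            port = m.group(1)
            devices.setdefault(port, UsbDevice(port=port)).mass_storage = True
    return devices


def flag_unapproved_storage(devices: dict, allowlist=ALLOWLIST) -> list:
    """Return mass-storage devices whose (vendor, product, serial) is not approved.

    Non-storage devices (keyboards, mice, receivers) are ignored: this check
    implements the removable-media policy, not a full device-control policy.
    """
    findings = []
    for dev in devices.values():
        if not dev.mass_storage:
            continue
        if (dev.vendor, dev.product_id, dev.serial) not in allowlist:
            findings.append(dev)
    return findings


if __name__ == "__main__":
    # Read real kernel output from stdin if piped in, else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for dev in flag_unapproved_storage(parse_dmesg(text)):
        print(f"UNAPPROVED storage on port {dev.port}: {dev.name!r} "
              f"{dev.vendor}:{dev.product_id} serial={dev.serial}")
```

Keying the allowlist on the serial number as well as vendor and product IDs is what ties a device back to the individual it was issued to; matching on vendor and product alone would let any stick of the same model pass. Run it as `dmesg | python3 usb_media_check.py` (name assumed) on a host, or point it at collected journald exports for a fleet-wide review.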
So, no need to bin the USB sticks immediately, but let’s clamp down on one of the easiest ways to compromise your company systems: by removing the removable media risks.