A receptionist is having a routine day. What could go wrong? In walks a job candidate. He says he has an interview but is caught in a dilemma. He spilled coffee on his resume and asks the receptionist to print a new one. He hands over his USB stick. The receptionist plugs it in, prints the resume, but doesn’t realize a virus was uploaded and soon will spread throughout the company’s network.
And as for the interview? It never existed. The cyberthief socially engineered the receptionist and pillaged the business.
This hypothetical scenario should concern owners and executives. It’s simple and effective, particularly when employees haven’t been trained or organizations fail to enforce policies.
Apricorn surveyed nearly 300 IT employees from different industries. The study found 90 percent of employees use USB sticks, and 90 percent believe device encryption should be required in work environments, but 60 percent use non-encrypted drives. The report reads that 64 percent of businesses have policies outlining USB stick use, but 64 percent of respondents said their employees use thumb drives without permission.
Schools are prime targets. “Graveyards” are likely to invade classrooms, where students and professors have access to computer workstations. Lost USB sticks rest on whiteboard ledges like tombstones. Hackers could place an infected drive among the clean ones, wait for an innocent bystander to plug it into a machine and take control of a campus’ network.
A former student of The College of Saint Rose in Albany, N.Y., used a malicious USB stick to cook the school’s circuitry and destroy thousands of dollars’ worth of computers. The perpetrator pled guilty and will spend time in prison, but that didn’t cushion the negative impact on its bottom line.
Researchers dropped more than 300 USB sticks around campus at the University of Illinois. Forty-eight percent of the devices were plugged into a computer.
It’s a conundrum for educators and businesses. USB sticks provide convenience for students and professionals. Prohibiting them from facilities seems unreasonable, but restrictions might reduce the odds of being attacked. Physically blocking ports on highly sensitive computers diminishes the threat of valuable information being hijacked, but it doesn’t guarantee safety.
A myriad of attacks leaves organizations vulnerable to threats that could strike their computers and networks. These methods include:
- USBdriveby: Provides covert installation of backdoors and overriding DNS settings on an unlocked OS X host via USB by emulating a USB keyboard and a mouse.
- USB Killer: Permanently destroys devices by inserting a USB device that triggers an electrical surcharge.
- Hidden Partition Patch: Researchers demonstrated how a USB flash drive could be reprogrammed to emulate a normal drive, creating a hidden partition that cannot be formatted, allowing for covert data exfiltration.
- Rubber Ducky: A commercial keystroke-injection-attack platform. It poses as a keyboard and injects a preloaded sequence once connected to a host computer.
Organizations can combat this issue with better user-awareness training. Apogee IT Services partners with KnowBe4 to test and educate users and keep them from becoming victimized by cybercriminals. Let us assist you in reducing the odds an employee will be spoofed by a predator.
To discuss security strategy, email Security Analyst Frank Verdecchia at firstname.lastname@example.org.