Considering the potential harm that can come from plugging in a USB device, the lack of controls over, and visibility of, USB device usage in most business networks is startling. Whether it is masquerading as a keyboard and typing in commands or pretending to be an Ethernet adaptor and hijacking network connections, a USB device poses a massive threat to a business.
There have been many high-profile instances of USB-related breaches, such as the one on the International Space Station, and of course I couldn't cover this topic without mentioning Stuxnet, the worm credited as the cyber-kinetic weapon that used USB drives to propagate onto "air-gapped" networks. Nowadays, with bans on certain worldwide brands either being drafted or already in place, USB device usage has also started to become a compliance issue.
Now, you may think it's fine, we just won't plug in devices we aren't sure of, but this article from Black Hat 2016 shows that people will plug in devices they find anywhere, especially in car parks. The Black Hat article showed that 98% of the USB drives were picked up, with 45% of devices then managing to phone home. Given that people were more likely to open drives with keys attached and to open files called "resume", it is reasonable to assume they were trying to return the devices to their original owners.
One of the most shocking things for me in this report is the timescale: more than 65% were opened in the first 12 hours and more than 80% within 35 hours.
User training is great but never a complete solution. Imagine a scenario where a "visitor" drops a device in the office. Implementing technical controls covers the risk far more comprehensively.
Luckily, our partner SentinelOne includes device control in both its Control and Complete licences. This means that any SentinelOne customer can benefit from policy-based control of all USB and Bluetooth devices and peripherals.
The management console provides a quick and easy way to see and restrict the kinds of USB and Bluetooth devices being used. This can be as simple as limiting Bluetooth versions, or disabling Bluetooth altogether in more secure environments. It can also mean restricting USB devices by vendor and device type, or even limiting use to the serial IDs of specific devices.
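As an added illustration of the three policy levels just described (vendor, device type, individual serial), and not SentinelOne's code or policy format, the script below reads constructed Linux dmesg-style USB enumeration lines and decides allow or block for each device. The log lines, the vendor id abcd and the serial number are constructed placeholders; only the regular expressions follow the real kernel message layout.

```python
import re
# Constructed dmesg-style lines (not from a real host): an approved keyboard receiver, an
# allow-listed drive, an unknown device acting as a keyboard, and one acting as an Ethernet adapter.
SAMPLE_DMESG = """\
[10.1] usb 1-1.2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
[10.2] hid-generic 0003:046D:C52B.0001: input,hidraw0: USB HID v1.11 Keyboard [USB Receiver] on usb-0000:00:14.0-1.2/input0
[20.1] usb 1-1.3: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
[20.1] usb 1-1.3: SerialNumber: EXAMPLE-SN-001
[20.3] usb-storage 1-1.3:1.0: USB Mass Storage device detected
[30.1] usb 1-1.4: New USB device found, idVendor=abcd, idProduct=0002, bcdDevice= 1.00
[30.2] hid-generic 0003:ABCD:0002.0002: input,hidraw1: USB HID v1.01 Keyboard [Keyboard] on usb-0000:00:14.0-1.4/input0
[40.1] usb 1-1.5: New USB device found, idVendor=abcd, idProduct=0003, bcdDevice= 1.00
[40.2] cdc_ether 1-1.5:1.0 eth1: register 'cdc_ether' at usb-0000:00:14.0-1.5, CDC Ethernet Device
"""

# Example policy with the article's three levels: approved vendors for input devices, individual
# serials for removable storage, device types blocked outright. Vendor abcd and the serial are placeholders.
POLICY = {"hid_vendors": {"046d"}, "storage_serials": {"EXAMPLE-SN-001"}, "blocked": {"network"}}
NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
HID = re.compile(r"hid-generic 0003:(\w{4}):(\w{4})\.\w+: .*USB HID v[\d.]+ (\w+)")
DRIVER = re.compile(r"(usb-storage|cdc_ether) (\S+?):\d+\.\d+")  # driver binds name the port path

def parse_devices(log):
    """One record per USB port path, assembled from enumeration and driver-bind lines."""
    devices = {}
    for line in log.splitlines():
        if m := NEW_DEV.search(line):
            devices[m[1]] = {"vid": m[2].lower(), "pid": m[3].lower(), "serial": None, "classes": set()}
        elif m := SERIAL.search(line):
            devices[m[1]]["serial"] = m[2]
        elif m := HID.search(line):  # HID lines carry VID:PID rather than the port path
            for d in devices.values():
                if (d["vid"], d["pid"]) == (m[1].lower(), m[2].lower()):
                    d["classes"].add("hid-" + m[3].lower())
        elif m := DRIVER.search(line):
            devices[m[2]]["classes"].add({"usb-storage": "storage", "cdc_ether": "network"}[m[1]])
    return devices

def verdict(d, policy):
    """'allow' or a block reason for one device record, checking the broadest rule first."""
    if blocked := d["classes"] & policy["blocked"]:
        return "block: device type " + ",".join(sorted(blocked))
    if any(c.startswith("hid-") for c in d["classes"]) and d["vid"] not in policy["hid_vendors"]:
        return f"block: input device from unapproved vendor {d['vid']}"
    if "storage" in d["classes"] and d["serial"] not in policy["storage_serials"]:
        return f"block: storage serial {d['serial']} not allow-listed"
    return "allow"
```

Calling `verdict(d, POLICY)` on each record from `parse_devices(SAMPLE_DMESG)` allows the approved receiver and the allow-listed drive, and blocks the unknown-vendor "keyboard" and the device enumerating as a network adapter.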