Everyone knows how commonplace USB flash drives are today, so it comes as no surprise that they’ve become a fixture in workplaces around the world. However, in the face of potential malware and other insider threats, such as data loss or tampering, it may be time for stricter policies on their usage. After all, removable thumb drives may have been responsible for malware as infamous as the Conficker and Stuxnet worms—and there are always newer, more dangerous threats evolving every day. This should be disturbing for a number of reasons. Not only do you have the aforementioned threat of all sorts of malware (which will inevitably lead to a loss of time, money, effort, etc.), but the company’s reputation is also at stake. A study done by the Ponemon Institute (http://www.darkreading.com/security/attacks-breaches/231901835/study-how-data-breaches-damage-brand-reputation.html) showed that a data breach can cause a brand’s value to plummet by 12 to 25 percent.
So how can you best protect your company from these USB-related nightmares? If your company has absolutely no need for USB flash drives in the workplace, then – of course – they can be banned entirely. In many situations, this isn’t very practical. Instead, try these options:
1. Disable autoplay/autorun for all USB and CD/DVD drives. This will prevent malicious programs from automatically executing on your network.
2. Consider updating your software. A Microsoft blog post (http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx) states that “Windows XP users were nearly 10 times as likely to get infected by [Autorun malware] in comparison to Windows 7.” Why? Windows Vista and Windows 7 have features which provide more protection against autorun’s ability to spread malware.
3. Consider encrypting all company-owned flash drives.
4. Enforce (or develop) USB flash drive-related policies. Also consider mentioning the dangers of USB flash drives in company training. No matter how technology-savvy your employees may seem, no company is immune to human error. The Department of Homeland Security (http://gcn.com/articles/2011/06/30/dhs-test-found-thumb-drives-disks-network.aspx), for example, found that 60% of USB drives (deliberately planted in places like federal agency parking lots) were inserted into company computers after they were picked up by unsuspecting workers. This number skyrocketed to a whopping 90% when the USB drives had the Department of Homeland Security logo. Many times, your biggest weakness might not be a malicious insider, but an employee who simply doesn’t understand the potential security risks of their actions.
5. Lastly, give Data Loss Defender a try. This is a little-used tool in LogRhythm which can help you monitor and/or prevent the use of USB flash drives (as well as CD/DVD drives).
From Deployment Manager, select:
Tools -> Administration -> Data Loss Defender Policy Manager. From here, you can create a policy which can monitor or eject certain media.
To enable the policy, click on the System Monitor Agents tab, double-click on the agent, and select:
Endpoint Monitoring tab -> Data Loss Defender tab -> Enable Data Loss Defender
After restarting your agent, your policy will be enforced. You should start seeing logs which show the connecting of USB drives and any data which may have been copied to the device.
If you’ve enabled the eject feature, you’ll also receive a confirmation of the ejection.
With these tools, as well as the help of policies and procedures which spell out the proper use of these devices, you’ll be able to take another step closer to a safer corporate network.
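Option 1 above (disabling autorun) can be checked and enforced on a single Windows host from an elevated PowerShell session. The script below is an added example, not part of the original post or of LogRhythm's tooling; it uses the standard `NoDriveTypeAutoRun` policy value, and the function names are hypothetical.

```powershell
# Added example (not from the original post). Run in an elevated session.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'

# NoDriveTypeAutoRun is a bitmask: a set bit turns autorun OFF for that drive type.
$DriveTypeBits = [ordered]@{
    'Removable (USB flash)' = 0x04
    'Fixed disk'            = 0x08
    'Network drive'         = 0x10
    'CD/DVD'                = 0x20
    'RAM disk'              = 0x40
}

function Get-AutoRunExposure {
    # Hypothetical helper: lists drive types the machine policy does not cover.
    $current = 0   # value absent: no policy configured, OS defaults apply
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { $current = [int]$item.$ValueName }

    $exposed = foreach ($entry in $DriveTypeBits.GetEnumerator()) {
        if (($current -band $entry.Value) -eq 0) { $entry.Key }
    }
    [pscustomobject]@{
        CurrentValue = '0x{0:X2}' -f $current
        ExposedTypes = @($exposed)
        Compliant    = (@($exposed).Count -eq 0)
    }
}

function Set-AutoRunDisabled {
    # Hypothetical helper: 0xFF sets every bit, disabling autorun on all drive types.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
        -Value 0xFF -Force | Out-Null
}

$before = Get-AutoRunExposure
if (-not $before.Compliant) {
    Write-Output "Policy does not disable autorun on: $($before.ExposedTypes -join ', ')"
    Set-AutoRunDisabled
}
Get-AutoRunExposure   # re-read to confirm the value now reads 0xFF
```

On domain-joined machines the same value is normally delivered through Group Policy, which will overwrite a local change at the next policy refresh.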