Removable media has been a basic component of modern-day computing for decades. However, as with the general increase in cyber security threats, removable media has also become a tool for cyber criminals to carry out their attacks.
Removable media are physical, portable devices that can be used to store, carry or transfer electronic information and data by being plugged into another device. One of the earliest forms of removable media was floppy disks, which are no longer in use.
Today, removable media in everyday use include:
• USB sticks (flash drives, thumb drives)
• CDs and DVDs
• Memory cards and SD cards
• External hard drives
Smartphones and digital cameras can also be considered removable media as they can be plugged into a computer to transfer data.
Removable media devices can be used to store both data files (text documents, spreadsheets, presentations, videos, music, photos, etc.) and programs that can run off of the removable media. Some users also use such media for backup.
While removable media has some positive use cases, it can also pose a significant cyber threat to an organization. Understanding the potential risks of removable media and how to mitigate these risks should be an essential component of any organization’s cyber security strategy.
Some operating systems have “autorun” capabilities for removable media. While autorun can be helpful in some instances, such as automatically installing programs from a CD, it can also pose the following threats:
• Accidental loss of company data
• Introduction of malware to company computers
• Deliberate theft of user credentials
• Theft of company data
• Computer destruction
The small size and portability of most removable media are its most appreciated features. However, this advantage also becomes a threat in itself because you are more likely to lose a flash disk than an entire laptop or computer. If a flash drive holding sensitive company data, such as payroll information, medical records, and so on, falls into the wrong hands, the company can suffer severe reputational or even financial loss resulting from lawsuits.
You may have a flash disk or CD and wish to transfer data from your home computer to your work computer. Unknown to you, this flash disk may contain a virus or worm, and by plugging it into your work computer to copy files across, you will be unknowingly transferring malware to your work computer. You may go a step further to share these files with your team and unknowingly infect their computers with malware too.
Attackers often use memory sticks and CDs to infect computer systems through baiting. Baiting is a social engineering technique in which cyber criminals leave an infected device (often a memory stick) in a busy, public area for someone to find. They prey on human curiosity, counting on somebody to pick up the flash disk and plug it into their device to check its contents or keep it for their own use.
This is how it works.
Step 1: Social engineering & Malware delivery
One of the most common uses of a weaponized USB is malware delivery.
A cyber attacker can intentionally drop a flash disk labeled “Staff salaries” in a parking lot or busy supermarket. It may even be handed out as a freebie at an outdoor sporting event, for example. The cybercriminal will have set the USB disk to automatically execute or install malicious programs once it is inserted into a computer or device. Or, it may require you to click on a file that appears safe, such as a spreadsheet or Word document with an enticing name like “Staff salaries”. As soon as you click on this file to open it, it will install the malware on your computer.
It allows a cyber attacker to effectively bypass the perimeter security solutions deployed by the organization.
Step 2: Gain access to company network
Once the cyber attacker has successfully installed a malicious program on your device, they have gained unauthorized access to your computer and, by extension, your company network. The malware can open an outbound network connection (a reverse shell) to a computer controlled by the cybercriminal. This tunnel may bypass your organization’s basic firewall if it is set to allow all outbound traffic. The attacker will then have full command line access to your compromised machine.
Malware affecting one computer can have severe consequences in an organization. It can affect many machines connected to the same network and even cross borders in global operations.
Another risk posed by removable media is that they can be used by attackers to install keyloggers once they’re inserted into your computer or device.
By installing a keylogger on your computer, the USB can monitor the keystrokes you enter. This data can be sent out over the network as described in the previous section (malware) or, if the attacker is somebody with access to your physical workstation, he/she can plan to retrieve this later to view the data captured by the keylogger.
A malicious USB can be used to capture and send sensitive company information or data outside the organization in the case where it is physically retrieved by the attacker. Because many organizations are heavily reliant on network-level cybersecurity solutions, this can make an attack more likely to succeed and harder to detect.
An attacker may also just be interested in destroying computers. A cyber criminal can modify a USB to destroy a computer. USBs are designed to have two different input channels: one for power and one for data flow. Ideally, these should be designed so that there is no accidental crossover between the channels.
Using a soldering iron and some knowledge of USB internals, an attacker can set a USB to collect power over the power connection, then discharge it over the data connection. Plugging this USB into a computer would likely destroy the computer.
Here are some practical ways to address the risks presented by removable media.
The best way to protect against this threat is to simply develop and implement policies disallowing the use of removable media on all corporate computers/devices. Where possible, corporate computers can be configured not to run USBs, external drives, CDs or DVDs. In critical systems, you may even consider physically removing or blocking disk drives or USB ports. This will prevent an unknown person who gains unauthorized access to your computer from copying sensitive data on such media and leaving with it.
Large corporations such as IBM have banned the use of removable media.
However, we appreciate that this may not be an easy ask. If you’re not ready to ban the use of removable media in your environment, here are alternative ways to mitigate the dangers of removable media in your organization.
One of the most effective ways to address the risk of removable media is to conduct cybersecurity awareness training for all staff. Educate employees on the dangers of removable media and what measures they can take to avoid becoming victims.
Employees should not trust random USB or other drives they find lying around, even if the drives are handed to them as freebies.
If an employee must plug an untrusted USB disk into their computer, the IT function should provide a process for testing the USB for malicious functionality in an isolated environment. Users should only plug these devices into their computers after they have been deemed safe through this inspection process.
Cyber security awareness training will significantly reduce the risk to the organization.
Contact us to schedule cyber security awareness training for your organization. We will cover a range of topics, beyond removable storage risks.
To mitigate the risk of theft or accidental loss of removable storage or media, check whether your device has the option of applying a password. If so, set a unique and strong password to ensure that even if the media falls into the wrong person’s hands, they will not be able to read its contents.
Alternatively, you may also encrypt the data stored in the removable media as an extra layer of protection.
It is quite common for employees to need to share files with colleagues or even third-parties like auditors, clients, business partners and/or software vendors.
Discourage the use of removable media to store and share files. Instead, encourage the use of cloud storage services (MailSafi Collaboration, Microsoft OneDrive, Google Drive) to share files within the organization and even with external parties. Where cloud storage is not available, you may consider sending some files as attachments, although we do not encourage this as a long-term solution: you may have to keep increasing your users’ email storage space in the long run, which will likely come at an extra cost. A 2MB file will only occupy this 2MB when stored on cloud storage for others to access. However, sending a 2MB file to 10 other colleagues will occupy 20MB of mailbox storage space.
For purposes of backup, use more modern methods to back up your organizational data, such as Cloud Backup (Backup as a Service) or Disaster Recovery as a Service. Take note that cloud storage is not cloud backup. The two have different use cases.
Get into the habit of safely storing away or locking away any removable media that is not in use to minimize the risk that it will fall into the wrong hands and result in the risks discussed above.
Disable autorun for all removable media on all organizational computers and devices. Where necessary for installing programs via removable media, the staff can be guided on how to run programs on removable media manually – by opening the folders and clicking on the program icon to execute.
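One way to verify that autorun is actually disabled on Windows computers, as an added example that is not part of the original article: the script below parses reg query output for the Policies\Explorer key and decodes the NoDriveTypeAutoRun bitmask and the NoAutorun value. The host names and the sample output are constructed for illustration.

```python
"""Audit Windows AutoRun policy values from `reg query` output gathered per host."""

# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
DRIVE_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "cd-rom", 0x40: "ram disk"}

def parse_reg_query(text):
    """Extract {value_name: int} from the REG_DWORD lines of `reg query` output."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "REG_DWORD":
            values[parts[0]] = int(parts[2], 16)
    return values

def autorun_still_enabled(mask):
    """Drive types whose disable bit is clear in the mask."""
    return [label for bit, label in DRIVE_BITS.items() if not mask & bit]

def audit(text):
    """Return a list of findings; an empty list means AutoRun is fully disabled."""
    values = parse_reg_query(text)
    findings = []
    mask = values.get("NoDriveTypeAutoRun")
    if mask is None:
        findings.append("NoDriveTypeAutoRun is not set")
    elif autorun_still_enabled(mask):
        findings.append("AutoRun still enabled for: " + ", ".join(autorun_still_enabled(mask)))
    if values.get("NoAutorun") != 1:
        findings.append("NoAutorun is not 1")
    return findings

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Constructed sample output for two hypothetical hosts.
SAMPLES = {
    "ws-finance-01": f"\n{KEY}\n    NoDriveTypeAutoRun    REG_DWORD    0x91\n",
    "ws-hr-02": f"\n{KEY}\n    NoDriveTypeAutoRun    REG_DWORD    0xff\n"
                f"    NoAutorun    REG_DWORD    0x1\n",
}

def audit_fleet(samples=SAMPLES):
    """Audit every host's captured output and return {host: findings}."""
    return {host: audit(text) for host, text in samples.items()}

if __name__ == "__main__":
    for host, findings in audit_fleet().items():
        print(host, "OK" if not findings else findings)
```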
Install endpoint security (antivirus, antimalware) on each device (computer, laptop, tablet, server) on your organization network. Ensure this software is regularly updated to protect against new or zero-day attacks.
If you must use removable media on your device, scan it with antivirus or antimalware before you view its contents.
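A first-pass check that an IT inspection process could run alongside the antivirus scan, as an added example that is not part of the original article: it walks a removable volume, reports what any autorun.inf would launch, and flags executables, executables disguised with a document-style name, and macro-enabled documents. It assumes the volume is mounted on the isolated inspection machine; the extension lists and the sample files are constructed assumptions.

```python
import os
import tempfile

# Assumed local policy lists, not taken from the article; tune to your environment.
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".hta", ".ps1"}
MACRO_DOCS = {".docm", ".xlsm", ".pptm"}
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}

def parse_autorun(text):
    """Return the commands an autorun.inf [autorun] section would launch."""
    cmds, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("open", "shellexecute") or key.lower().endswith("\\command"):
                cmds.append(value)
    return cmds

def triage(root):
    """Walk the volume and return sorted (relative_path, reason) findings."""
    findings = []
    for folder, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(folder, name), root)
            stem, ext = os.path.splitext(name.lower())
            if name.lower() == "autorun.inf":
                with open(os.path.join(root, rel), errors="replace") as fh:
                    findings += [(rel, f"autorun launches: {c}") for c in parse_autorun(fh.read())]
            elif ext in EXECUTABLE:
                kind = "disguised as document" if os.path.splitext(stem)[1] in DECOY else "content"
                findings.append((rel, f"executable {kind}"))
            elif ext in MACRO_DOCS:
                findings.append((rel, "macro-enabled document"))
    return sorted(findings)

def demo():  # builds a constructed sample volume in a temp directory and triages it
    samples = {"autorun.inf": "[autorun]\nopen=setup.exe\nicon=drive.ico\n", "setup.exe": "",
               "Staff salaries.xlsx.exe": "", "Staff salaries.xlsm": "", "notes.txt": ""}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return triage(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A clean result from this check does not mean the device is safe; it only narrows what the analyst looks at first.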
Some firewalls, such as Sophos Firewalls, are designed to do deep packet inspection of outbound traffic as well. They let you allow connections only to the standard ports for browsing, the email server and private IPs, and block all others. Get in touch with us for your Sophos Firewall device or Sophos license.
© KALUARI LIMITED 2023 | All Rights Reserved