You're walking to your car and you find a USB in the parking lot next to your car. There's also a couple keys attached. Would you take the bait? Would the Good Samaritan come out in you? Or are you just a curious person? Could you resist the temptation to plug it into your computer at work or home? If it was named "resume", would you be tempted to open it to see who the owner is? Whoever it belongs to will be needing those keys. What would you do?
USB Drop Experiment
Consider the many forms of cyber-attacks. Cyber-criminals are getting creative and are always thinking of the easiest way in. Humans can be both the strongest and the weakest link in security. In 2016, researchers from Black Hat performed an interesting experiment. They dropped nearly 300 flash drive sticks on the University of Illinois Urbana-Champaign campus. The results were very interesting. 98% of the USB sticks were picked up. 45% of the USB sticks were picked up and then the individuals who picked them up also clicked on the files they found inside. Some of the USB drops included keys attached to them. Many were labeled "confidential", "exams", and etc. Once inserted, the file name "Resumes" were the highest opened.
What's at Risk?
There's several forms of attacks that could happen as a result of plugging in an unknown USB (Universal Serial Bus). They could have viruses, malware, or spyware installed. Besides malicious code, they can be part of a social engineering attempt. For example, the employee who inserts the flash drive is led to a phishing site. From there, the hacker attempts to trick the user into entering in log in credentials. Another form of attack is human interface device spoofing. The device appears to be a USB, but it will fool the computer into thinking a keyboard is attached and injects keystrokes to command the computer to give remote access to a hacker.
The Best Defense
The number one thing that your company can do to prevent falling victim to an USB drop attack is to provide security awareness training to your employees. Implement policies that restrict outside flash drives used with company devices. Consider the ramifications of if an employee leaves your company and still has a company owned USB. Also, what happens if one of your employees were to lose a company owned USB? Set policies that enforce the practice of encrypting all sensitive information. In addition, enforce policies that restrict personal files being on the same USB that company files are on. Visit our Corporate page to learn more about our IT procedures gap analysis to update IT policies, or to learn more about our security awareness trainings, visit our Cybersecurity Training page.
Check out our other blogs on Physical Security:
Written by Michelle Stamps
Michelle has over 10 years of experience in marketing and business development across various industries including government and non-profit. Her background in writing, facilitating presentations and event planning allows her to use her creative skill-set and her relationship building skills strengthens her ability to understand the human element role in cybersecurity and to support positive behavior change. Whether she is out in the community, blogging or developing the next social post for TechGuard, she believes in telling the company’s story and uses relatable, real-life examples to connect with our clients. If you know Michelle outside of work, you would know that she loves sunny days and tropical places.