TechGuard Blog

USB Drops: Would your Employees Take the Bait?

You're walking to your car and you find a USB in the parking lot next to your car. There's also a couple keys attached. Would you take the bait? Would the Good Samaritan come out in you? Or are you just a curious person?  Could you resist the temptation to plug it into your computer at work or home? If it was named "resume", would you be tempted to open it to see who the owner is? Whoever it belongs to will be needing those keys.  What would you do?

USB Drop Experiment

Consider the many forms of cyber-attacks. Cyber-criminals are getting creative and are always thinking of the easiest way in. Humans can be both the strongest and the weakest link in security. In 2016, researchers from Black Hat performed an interesting experiment. They dropped nearly 300 flash drive sticks on the University of Illinois Urbana-Champaign campus. The results were very interesting. 98% of the USB sticks were picked up. 45% of the USB sticks were picked up and then the individuals who picked them up also clicked on the files they found inside. Some of the USB drops included keys attached to them. Many were labeled "confidential", "exams", and etc. Once inserted, the file name "Resumes" were the highest opened.

What's at Risk?

There's several forms of attacks that could happen as a result of plugging in an unknown USB (Universal Serial Bus). They could have viruses, malware, or spyware installed. Besides malicious code, they can be part of a social engineering attempt. For example, the employee who inserts the flash drive is led to a phishing site. From there, the hacker attempts to trick the user into entering in log in credentials. Another form of attack is human interface device spoofing. The device appears to be a USB, but it will fool the computer into thinking a keyboard is attached and injects keystrokes to command the computer to give remote access to a hacker.

The Best Defense

The number one thing that your company can do to prevent falling victim to an USB drop attack is to provide security awareness training to your employees. Implement policies that restrict outside flash drives used with company devices. Consider the ramifications of if an employee leaves your company and still has a company owned USB. Also, what happens if one of your employees were to lose a company owned USB? Set policies that enforce the practice of encrypting all sensitive information. In addition, enforce policies that restrict personal files being on the same USB that company files are on. Visit our Corporate page to learn more about our IT procedures gap analysis to update IT policies, or to learn more about our security awareness trainings, visit our Cybersecurity Training page.


Check out our other blogs on Physical Security:

What is IT Security worth without Physical Security?                                Employees should Watch out for Tabnabbing

Your #1 Security Threat - Well-Intended Employees                                  Create a Top-Down Culture

The Threat Within                                                                                                 Social Engineering Takes on Many Shapes

Top 5 Security Awareness Training Topics                                                     Insider Threats are Weakening Your Physical Security

Poisoning the Water Cooler