In cybersecurity terms, the USB stick fits the profile of the perfect culprit and has fallen from grace in many companies. Getting rid of it entirely, however, means the only channel for exchanging documents is the company's IT network: information is stored on an internal network or in the cloud and never travels from one workstation to another on a physical device. That may be reassuring, but the danger simply takes another form. If everything happens online, an attacker does not even need to leave home to strike; with a closed network that requires physical media, attackers are at least forced to move. So what should the policy on USB sticks be?
The USB stick: a hotbed of computer viruses
Unfortunately, USB sticks remain one of the main vectors for malware, despite regular campaigns reminding users of basic protection rules. Honeywell's latest report paints a picture that would frighten any cybersecurity expert: 40% of USB sticks are thought to contain at least one risky file, and 26% of those threats could cause operational problems.
Exchanging data is crucial for companies today, yet transferring documents is sometimes surprisingly difficult. Every company has its own particularities: departments scattered across several sites, fragmented networks to which some workstations are not always connected, and internal reluctance to use the cloud. In those conditions USB sticks remain useful. The alternative would be to open up the networks, but even with more firewalls and stronger defensive protocols, that still carries risk. In some restricted environments, such as military or industrial settings, the network must remain completely isolated.
Faced with such a risky tool, effectively a breeding ground for malware, it is easy to understand why IBM decided, controversially, to ban USB sticks. In France, the National Assembly is also raising awareness of digital hygiene, with the same aim of banning the USB sticks handed out to deputies during meetings. Is such a ban viable? Is it even useful? Under what conditions can USB sticks continue to be used with peace of mind?
When control goes hand in hand with shadow IT
A whole fleet of computers cannot be replaced by workstations without USB ports at the snap of a finger. So should employees be searched at the entrance? Should chewing gum be stuck into USB ports? Computer towers locked away? "No one can control all the USB drives in a company, not unless they block or monitor every device in its network of computers," said Marco Genovese, Stormshield's Network Security Product Manager. Human nature cannot be denied: if the sanctioned method becomes too restrictive, employees soon revert to the simplest option, whether authorised to or not. They end up using devices without the IT department's knowledge, and the familiar plague of shadow IT takes hold. Some companies work entirely in the cloud, but that makes them completely dependent on their network connection. Is this really a solution?
Could USB sticks be used to detect cyberattacks?
For Adrien Brochot, Endpoint Security Product Leader at Stormshield, banning USB sticks is not a good idea. Beyond losing a convenient way of exchanging data in companies with segmented networks, "USB sticks can also function as an alert system". When monitoring software detects that a stick can no longer be trusted, that is itself an alert that a cyberattack may be in progress.
Moreover, a single generalised network also lets a cyberattack spread faster through the company once the first line of defence is breached. It is hard to do without USB sticks in companies despite the security problems they bring, and it is too risky to switch to an all-network approach despite its apparent ease. But what if we did not have to choose? What if the right protection tools could be found for both devices and networks?
Using USB sticks to combat human error
The biggest risk comes first and foremost from users. If a USB stick never leaves the same fleet of computers, all is well. That is rarely the case, however. It may seem harmless, but an employee who copies photos from a home computer onto a USB stick to show colleagues at work can be very dangerous. The danger is that the device picks up an infection on an outside PC with inadequate defences: malware spreads most readily through the least-protected machines. The infamous Stuxnet worm, discovered in 2010 after it had infiltrated Iran's Natanz uranium enrichment plant, is widely reported to have been carried into the isolated site on a USB stick; one account has an engineer using the same stick on his home computer.
In such situations, the countermeasure is to keep using USB sticks but to have software track each stick's movements across the fleet of computers. The approach is the same whether a user inserts an infected stick by accident or deliberately. The stick is first inserted into a dedicated antivirus scanning station, completely separate from any workstation, which runs full analyses; this establishes a notion of trust. Once the stick has been cleared by the scanning station, it can be used inside the computer network, and the tracking software can verify that no files have been modified elsewhere. But as soon as data is written to the stick from a computer that does not have the tracking software installed, the trust is broken and the stick must be reanalysed by the scanning station. The tracking software can easily be installed on a personal computer, so the approach is less restrictive than it may appear.
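As an added illustration of that trust cycle (example code written for this article, not Stormshield's product and not a description of how it is implemented), here is a small Python model. The stick is represented as a dictionary of file names to bytes so it runs offline; the manifest file name, the shared key and the stand-in antivirus that only recognises the EICAR test string are all invented for the example. The kiosk clears the stick and writes a signed manifest of file hashes; an agent-equipped workstation verifies the manifest on insertion and re-signs it after its own writes; any write from a host without the agent leaves the manifest stale, so trust is lost until the stick is rescanned:

```python
"""Trust tracking for a removable drive, modelled in memory (illustrative only)."""
import hashlib
import hmac
import json

MANIFEST = ".trust_manifest.json"  # hypothetical manifest file name on the stick

# Key shared by the kiosk and every agent-equipped workstation. Constructed for
# this example; a real deployment would keep it in a TPM/HSM or OS keystore.
AGENT_KEY = b"example-shared-secret-do-not-use"


def _digest(files):
    """Canonical SHA-256 over every user file (name + content), manifest excluded."""
    h = hashlib.sha256()
    for name in sorted(files):
        if name == MANIFEST:
            continue
        h.update(name.encode() + b"\0" + hashlib.sha256(files[name]).digest())
    return h.hexdigest()


def sign_manifest(stick, origin):
    """Write a fresh manifest: content digest plus an HMAC over it, tagged with the signer."""
    body = json.dumps({"origin": origin, "content": _digest(stick)}, sort_keys=True)
    mac = hmac.new(AGENT_KEY, body.encode(), hashlib.sha256).hexdigest()
    stick[MANIFEST] = json.dumps({"body": body, "mac": mac}).encode()


def kiosk_scan(stick, scanner):
    """Full analysis at the standalone station. `scanner` returns names of bad files."""
    bad = scanner(stick)
    if bad:
        return False, bad          # infected: no manifest is issued
    sign_manifest(stick, "kiosk")
    return True, []


def agent_check(stick):
    """Run on insertion at an agent-equipped workstation. Returns (trusted, reason)."""
    raw = stick.get(MANIFEST)
    if raw is None:
        return False, "no manifest: stick never scanned"
    try:
        env = json.loads(raw.decode())
        body, mac = env["body"], env["mac"]
    except (ValueError, KeyError):
        return False, "manifest unreadable"
    expected = hmac.new(AGENT_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "manifest forged or corrupted"
    if json.loads(body)["content"] != _digest(stick):
        return False, "files changed on a host without the agent: rescan required"
    return True, "trusted"


def agent_write(stick, name, data):
    """A workstation with the agent writes a file and re-signs, keeping trust intact."""
    ok, reason = agent_check(stick)
    if not ok:
        raise PermissionError(reason)
    stick[name] = data
    sign_manifest(stick, "agent")


def naive_eicar_scanner(stick):
    """Stand-in for the kiosk antivirus: flags files carrying the EICAR test marker."""
    marker = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
    return [n for n, d in stick.items() if n != MANIFEST and marker in d]


def scenario():
    """Walk one stick through kiosk, trusted workstation, untrusted home PC, kiosk again."""
    stick = {"report.docx": b"quarterly figures"}              # constructed sample content
    results = [("before scan", agent_check(stick)[0])]         # never scanned
    results.append(("kiosk", kiosk_scan(stick, naive_eicar_scanner)[0]))
    agent_write(stick, "notes.txt", b"meeting notes")          # agent keeps trust
    results.append(("after agent write", agent_check(stick)[0]))
    stick["photos.exe"] = b"dropped by a home PC with no agent"  # untrusted write
    results.append(("after untrusted write", agent_check(stick)[0]))
    kiosk_scan(stick, naive_eicar_scanner)                     # back to the station
    results.append(("after rescan", agent_check(stick)[0]))
    return results


if __name__ == "__main__":
    for stage, trusted in scenario():
        print(f"{stage:22s} trusted={trusted}")
```

The point the model makes is that the agent never needs to know what the untrusted host did: any byte that changes without a corresponding re-signing breaks the digest, so a stick that passed through an unmanaged PC is treated exactly like one that was never scanned. A real agent would also hook the file system to re-sign on every write rather than only through a helper like `agent_write`.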
The role of behavioural analysis
The Stormshield Endpoint Security solution is another form of defence for user endpoints. Designed to detect any attempt to exploit vulnerabilities and built on resource-control rules, it can block processes whose behaviour is malicious or has been altered by an attacker. If an infected USB stick enters the computer network, the erratic behaviour of the software that follows is identified immediately. This protection technique, known as a Host Intrusion Prevention System (HIPS), is able to block the attack.
It still needs fine-tuning, however. HIPS sometimes struggle to block malicious activity made up of a succession of actions that look harmless individually. Endpoint Detection and Response (EDR) technology can extend and refine the detection of these attacks. In future, HIPS and EDR are likely to be used together, and with enough protection of this kind there will be "no need to ban USB sticks," concludes Genovese. "IBM's idea of banning USB drives was primarily driven by concerns for their reputation, rather than cybersecurity. Can you imagine the damage that could be done if someone found a USB stick containing sensitive data from a company whose business is cybersecurity?"
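To make the HIPS blind spot concrete, here is an added Python example (written for this article, not Stormshield's detection logic and not its telemetry format). It runs over a few constructed JSON-lines endpoint events: a program launched from a removable drive, a write into the user's Startup folder, and an outbound connection. Each of those is ordinary on its own, so a per-event rule either ignores them or over-blocks (it also flags the administrator's portable PuTTY). A per-process state machine that only alerts on the ordered chain within a short window catches the USB-borne dropper alone. The drive letters, paths and addresses are invented sample data:

```python
"""Stateful correlation of individually harmless endpoint events (illustrative only)."""
import json
from datetime import datetime, timedelta

# Constructed telemetry, one JSON object per line. Raw string so the JSON
# backslash escapes reach the parser intact.
SAMPLE_LOG = r"""
{"ts":"2024-03-01T09:00:01","host":"WS-12","pid":400,"action":"process_start","image":"C:\\Users\\a\\Desktop\\PortableApp.exe"}
{"ts":"2024-03-01T09:00:05","host":"WS-12","pid":412,"action":"process_start","image":"E:\\photos\\viewer.exe"}
{"ts":"2024-03-01T09:00:09","host":"WS-12","pid":412,"action":"file_write","path":"C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\viewer.lnk"}
{"ts":"2024-03-01T09:00:14","host":"WS-12","pid":412,"action":"net_connect","dst":"203.0.113.7:443"}
{"ts":"2024-03-01T09:01:00","host":"WS-07","pid":900,"action":"process_start","image":"E:\\tools\\putty.exe"}
{"ts":"2024-03-01T09:01:30","host":"WS-07","pid":900,"action":"net_connect","dst":"198.51.100.4:22"}
{"ts":"2024-03-01T09:02:00","host":"WS-07","pid":950,"action":"process_start","image":"C:\\Program Files\\Setup\\install.exe"}
{"ts":"2024-03-01T09:02:01","host":"WS-07","pid":950,"action":"file_write","path":"C:\\Users\\b\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\app.lnk"}
"""

REMOVABLE_PREFIXES = ("E:\\", "F:\\")   # assumed drive letters for removable media
STARTUP_MARKER = "\\Startup\\"          # per-user Startup folder (persistence)


def parse(log):
    """Turn the JSON lines into dicts with real timestamps, ordered by time."""
    events = [json.loads(line) for line in log.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def step_of(event):
    """Map an event to its stage in the suspected chain, or None if it is unrelated."""
    if event["action"] == "process_start" and event["image"].upper().startswith(REMOVABLE_PREFIXES):
        return 1   # code executing straight from the stick
    if event["action"] == "file_write" and STARTUP_MARKER in event["path"]:
        return 2   # persistence
    if event["action"] == "net_connect":
        return 3   # call home
    return None


def stateless_rule(events):
    """Per-event rule a HIPS might ship: flag every launch from removable media.
    It catches the dropper but also the legitimate portable PuTTY."""
    return [e["image"] for e in events if step_of(e) == 1]


def correlate(events, window=timedelta(seconds=60)):
    """Per (host, pid) state machine: steps 1 -> 2 -> 3 in order, all within
    `window` of step 1. Only the complete chain produces an alert."""
    state = {}      # (host, pid) -> (next expected step, time of step 1)
    alerts = []
    for e in events:
        key = (e["host"], e["pid"])
        step = step_of(e)
        if step == 1:
            state[key] = (2, e["ts"])       # a launch from the stick opens a chain
            continue
        if step is None or key not in state:
            continue
        expected, t0 = state[key]
        if e["ts"] - t0 > window:
            del state[key]                  # too slow: treat as unrelated activity
            continue
        if step != expected:
            continue                        # out of order: not the pattern we track
        if step == 3:
            alerts.append({"host": e["host"], "pid": e["pid"], "dst": e["dst"]})
            del state[key]
        else:
            state[key] = (expected + 1, t0)
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("stateless rule flags:", stateless_rule(evs))
    print("correlated alerts:   ", correlate(evs))
```

Run on the sample, the stateless rule flags both `viewer.exe` and `putty.exe`, while the correlation returns a single alert for pid 412 on WS-12. Shrinking the window to a few seconds drops the alert entirely, which is the tuning trade-off an EDR analyst faces: a wider window catches slower droppers at the cost of more coincidental matches.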
Many thanks to Stormshield's Endpoint Security Product Leader, Adrien Brochot, and Network Security Product Manager, Marco Genovese, for their invaluable help in writing this article, in collaboration with Usbek & Rica.