Every so often we’ll hear about a variation of a USB attack performed on some business. Seemingly innocent interactions, like printing a visitor’s resume, can be potentially devastating for a company. The challenge for business owners, is that these type of attacks are more about social engineering experiments than anything else. Of course there are ways to minimize exposure from a technology perspective, but to really minimize the risk of an attack like this, you’ll need to understand how it works, and share that knowledge with your staff. Let’s examine some common scenarios for this attack.
The game of lost and found
This game is played to take advantage of our human curiosity. Let’s imagine you’ve just parked your car in the parking lot and are making your way into the office. You happen to look down and spot a USB stick. Maybe there’s even a note on it that says “confidential” or “employee compensation plans”, something meant to build up your curiosity. You take the stick into the office and plug it in to see what is so secret. At this point, an automated executable runs without you knowing it, and your machine is infected. You’ll most likely have no idea it’s even happened, but an attacker has just gained access to your system, and is starting to exploit everything they can on your network.
Another variation of this attack would be finding a USB stick inside the office, potentially in a shared restroom, or hallway. The stick may even be in an envelope market private, or “for (insert your CEO’s name here) only”. Again the goal here is to make the stick a mystery that the unknowing victim has to try and solve!
Can you do me a favor please?
This game is also a USB attack, but it plays on an entirely different part of our human nature. Here’s the scenario: A person comes into your office and approaches the receptionist. They have a look of worry on their face and have coffee spilled on them and the papers they are holding. They say they have an interview with John Smith from HR and they have just spilled coffee all over themselves and their resume. They usually try and look as pathetic as possible to make the receptionist feel bad for them. Adding to the awkwardness, your receptionists knows John Smith is on vacation this week. She lets the person know and of course they respond with a look of panic, they say something like “I don’t know how I messed this up, this is so embarrassing”. Then they ask for a favor, they might say “Can you just pretend I only stopped by to leave a copy of my resume, it would really help me avoid some more embarrassment!”, “I have a digital copy on my USB stick, if you could print it for me that would be such a big help. Thank you so much!” Your receptionist, being the good person they are, helps. And you guessed it, you’re compromised.
The trick here is that the person coming in already knew that John was going to be out of town. They learned this fact by either strategically bumping into John at a location he frequents, of by follow John’s social profiles. Everything about the encounter was planned out well before they walked through the door. Your receptionist was purposely led down a path to create feelings of sympathy and empathy so they would be inclined to help. This scenario can also be performed as a sales person who mixed up a presentation date, or any other meeting specifically scheduled with a person that is most likely out of town.
How to minimize exposure
The common thread with this style of attack is that they try and take advantage of different human emotions in an effort to get their USB devices plugged in to your network. But there are ways to minimize the risk of this type of attack; through technology, policy and processes.
Starting with technology: If you’re in a business that can get away with this, or in a business that stores any sensitive information like patient data or financial data, consider locking down the devices that have access to your network. Either disable USB ports completely, or use special software that only allows certain devices to connect to USB ports. This does not work for all businesses, but if it can for you, it is one of the safest methods.
Create clear usage policies: You’ll need to make it clear to the organization, through policies and education, that any USB device found or brought in must never be plugged in to a computer on the network. Making this policy mandatory, and making any violation grounds for potential termination, will help to stress the seriousness for your employees. If your teams are familiar with the policies, and they know you are serious about enforcing them, you will be less likely to have people so eager to plug in unknown devices into the network. At a bare minimum this tactic should be employed for every company.
Create processes for proper handling of USB devices: Sometimes, all that your employees need, is a proper method to handle situations like this. It helps tremendously, just creating a process that outlines what to do when you find a USB device, or what do when someone asks you to plug an unfamiliar device into the network. If your teams are prepared on how to respond they are less likely to make a poor decision on the spot. You could even go as far as having your IT department setup a completely isolated machine (off your network) that users are allowed to plug devices into, and even print if necessary. Your IT department should regularly monitor this machine to find any hints of possible infections so you can trace back to the device that may have caused it. But being isolated from your network will prevent any of your data from being at risk. The key here is to let your employees know about the possible situations, and then give them a secure method for handling them.
Ultimately, having open conversations with everyone in the organization is a great approach. In most cases attacks like this can be easily avoided by just informing everyone about how they work, and showing them acceptable ways to handle situations if they come up. Using technology to further protect your organization is a great idea, but not all companies have the option of locking everything down. The best protection for your business will most likely be a combination of the items above that work for you.