Cyber Security and External Storage Devices Dos and Don'ts

Hey, we’re talking about the risks of external storage devices!

It’s 2021, and there’s been a pandemic raging for more than a year. Many of us have shifted to working from home at least part time, while other business operations are limiting the number of customers they can serve at once. Everyone has felt the impacts in some way, and this has led to a drastic surge in technological — and especially security — needs over the last year. One of the many layers of a mature security program involves the use of external storage devices.

We all have USB sticks lying around at home. Our children’s’ schools likely include it as a requirement for middle-school-aged children each year on their school supply list. Plenty of those reading this have probably even used a USB drive at work. They’re fantastic little devices – cheap, usually fast (or fast enough), and provide a huge amount of digital storage in the palm of your hand, readily available for transferring files from home to school, or home to work, or work to home, etc.

But get ready for this! External storage devices are a huge security risk. Now, depending on your organization, maybe they’re an acceptable risk to allow. But if you’re storing or processing sensitive data, especially in a way that leaves you legally liable for the mishandling or spillage of that data, you will want to re-consider your risk appetite for USB devices. Let’s take a look at some of the ways infected external storage devices can cause huge trouble.

Major Examples of Infected External Storage Devices

Operation Buckshot Yankee

In 2008, the U.S. Department of Defense suffered what was, at the time, the most significant breach of U.S. military computers ever. The root cause? Something known as a “Parking Lot” attack (sometimes referred to as a “mailbox” attack). A USB device was discovered by an innocent employee in the parking lot (sometimes nefarious actors will mail these devices instead of leaving them in parking lots), and subsequently, the device was connected to a military work computer. This USB-based infection called Agent.BTZ is said to have allowed attackers to exfiltrate classified data to servers under foreign control. While we do not know what information was taken or who exactly facilitated the breach, we do know that one little flash drive caused a 14-month military recovery operation called “Buckshot Yankee.”

“It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” wrote William J. Lynn III, Deputy Secretary of Defense.

Fortunately, the military recovered, and this was merely a blip on the radar in the grand scheme of cyber “warfare” or cyber security. However, shortly after this incident, the DoD updated their policy to ban the use of removable USB devices except under extenuating circumstances with appropriate mitigating security controls in place.

The Stuxnet Worm

The next example is one of my favorites – it really served as my introduction to the world of malware and opened a lot of people’s eyes with respect to cyber weapons.

In 2010, Stuxnet was discovered at an Iranian nuclear site, Natanz. It deployed 4 separate zero-day attacks (an attack which exploits a vulnerability that was previously unknown and has no patch — yikes), and it even bridged an air-gap. An air-gap is a security control meant to physically isolate sensitive networks and equipment from less sensitive networks. Stuxnet was able to jump the air-gap because someone had left an infected USB drive nearby the Natanz facility, and employees of the facility wound up connecting this infected USB drive to the operational control network for Natanz.

Stuxnet was the very first malware to realize physical implications, as it is widely understood to have stymied Iran’s nuclear program by years.

“Stuxnet reportedly destroyed numerous centrifuges in Iran’s Natanz uranium enrichment facility by causing them to burn themselves out. Over time, other groups modified the virus to target facilities including water treatment plants, power plants, and gas lines.” — McAfee

All of this happened because they simply weren’t hardened against external USB devices. Stuxnet has since been eclipsed by other more sophisticated attacks, but at the time of its discovery, it was the single greatest cyber weapon the public had ever seen.

Malware: What is it, and why does it matter on a USB Drive?

The risk of infected USB drives isn’t just something for the military or large government agencies to be concerned about. There are numerous types of malware that might be staged on a seemingly innocuous USB drive. Let’s discuss some of the different malware out there and the capabilities or intentions of each.

To start, malware is short for malicious software. It’s a broad term that encompasses all kinds of different threats. Many people would reference a virus, but “virus” is really an antiquated term that has since been replaced by “malware” to more broadly describe the various threats encountered. I’m going to briefly describe a handful of different threats and some of the risks they present, not only to enterprise organizations but to consumers as well.

Ransomware on External Storage Devices

Ransomware is software that encrypts all of a system’s files, making them unreadable without the decryption key. After infecting a device, the purpose is to then ransom access to the files back to the system owner (e.g., “If you want your files back, pay me $70,000). Ransomware has been in the news a fair bit the last couple of years, hitting hospitals, cities, schools, etc. However, ransomware can literally hit anyone. You may wake up tomorrow after being infected with ransomware and learn that all your files are no longer readable.

Keyloggers on External Storage Devices

Keyloggers are typically packaged with other types of malware, but at their core, keyloggers are like little computer spies. They are usually malicious, although there are some limited, very specific, legitimate use-cases for them. A keylogger records all of your keystrokes and sends those logs to the attacker so that they can steal your credentials. Keyloggers may also take screenshots of what’s on your screen at the time of the recorded keystrokes to provide context. From a personal standpoint, this is especially concerning for those of us who use online banking. This is an extremely common attack vector, and many people have suffered massive financial losses as a result. That’s not to say you cannot recover from this type of attack, but there’s a lot of red tape to cut through with the banks before you’ll see your money again. The United States Secret Service has even had to investigate such illicit activity at hotel business centers.

Remote Access Trojans (or Remote Access Tools) – RATs!

Remote access is not in and of itself a bad thing. I have used remote access plenty of times to resolve problems for clients. My staff use it on a daily basis for troubleshooting and diagnostics, problem resolution, etc. The problem arises when remote access is unintended and when it is, of course, malicious.

A simple Trojan is a piece of malware that is designed to look like a legitimate piece of software. This is where someone has disguised their malware (e.g., “Evilprogram.exe”) as an existing program (e.g., “InternetExplorer.exe”) that would catch you off guard and execute the malware. With a remote access trojan (RAT), it’s the same concept, but it also installs remote access capability allowing for the attacker to gain remote control of the victim’s device.

In the context of social engineering, some threat actors will even claim to be from technical support and talk the victim through installing a legitimate remote access tool such as Teamviewer or LogMeIn, which they then leverage for their malicious purposes. These are technically two different attacks, but again, depending on context and who you ask, they could both be referred to as a RAT.

It should be abundantly clear that these examples of malware could be devastating to any organization, or to an individual. The reason we are highlighting these types of malware is because it is exceptionally easy to transmit malware between multiple devices using a USB drive.

Insider Threats: Do You Want Edward Snowden to Work for You?

There’s another threat with USB devices that we haven’t talked about yet: Leaks! Does everyone remember the Edward Snowden versus NSA episode back in 2013? Regardless of your personal feelings about whether those leaks were good or bad, or whether Snowden is a traitor or a hero, the reality for cyber security professionals is that we are trained to prevent incidents like the Snowden leaks from happening. Edward Snowden used a USB drive to exfiltrate critical and classified data from an otherwise secure facility. Again, regardless of any personal opinions surrounding this incident, every security professional should be terrified of having someone internal to their organization leak information with a USB drive.

Risk Management: Can we effectively manage the risk of external storage?

So now that we understand some of the risks associated with USB drives, what can we do with this information? Obviously, we want to address and mitigate risk. Of course, how much risk you’re willing to accept is dependent on your organization’s risk appetite, and ultimately needs to be decided by senior management. It also depends on the regulatory requirements for your organization.

One option is simple acceptance of all associated risks. If you and your organization’s leadership read this post and decide that you don’t need to be concerned with external storage devices, then accept the risk and do nothing. But when you are compromised by an infected USB, think back on the consideration you gave to this risk and the decision you made to accept said risk. At Beyond20, for example, external storage devices are disallowed for security reasons. The reality of security is that you must find an appropriate balance between safeguards and usability.

There may be some extenuating circumstance that just absolutely requires the use of a USB drive. In that case, how can you mitigate the risks associated and still allow the use of a USB?

The answer is twofold. You need to deploy a strong combination of policy and procedural controls, as well as strong technical controls. What I mean is this: When considering risk to an organization, you always have to consider the CIA Triad (confidentiality, integrity, availability) but you also have to consider the cost to your organization if an illicit event was successful and compare it to the cost of mitigating that risk. Part of risk mitigation is simply policy. If your organization fires every employee who violates policy and promotes every employee who adheres to policy, technical controls aren’t as necessary because issues are addressed by established policies surrounding termination and violation of protocol, right? Well, nobody wants to have to fire every employee who violates any little rule. Instead, a good, strong policy governing the use of USB drives, combined with strong technical controls will generally cover what an organization needs to maximize security for its workforce.

External Storage Device Security Policy – Manage your risk through corporate policies.

To reiterate, let’s take a look at some NIST Special Publications. NIST SP 800-53R5 is the meat of the Risk Management Framework. (Fun fact: Beyond20 has directly assisted the DoD in their implementation of the RMF lifecycle.) NIST identifies numerous control families and controls for ease of organization. The specific control family you should review here is Access Control, specifically AC-20 Use of External Systems. AC-20(2) references Portable Storage Devices – Restricted Use, and AC-20(3) references Non-organizationally owned systems.

But policy is only half of the battle! We also need to implement strong technical controls as well. The technical controls need to compliment your policy statements and hopefully match as closely to policy as you can implement (reasonably adjusting for technical limitations depending on your environment).

Technical Controls – There’s a plethora of control mechanisms to use! Which one is right?

One method to address USB drives is with an Anti-virus kiosk station. This is a stand-alone workstation that is hardened, has a solid, up-to-date anti-virus solution installed, and is used to pre-scan USB devices before users are permitted to transfer files from the USB to their individual workstations. There are also some hybrid solutions that allow you to connect this device to your network and only permit file transfer from that device once the USB has been deemed clean, but blocking file transfer prior to the scan result.

Another method is through good old Windows Group Policy. You can completely block all removable media, or you can limit it to certain users (such as IT). You can also use newer Microsoft-developed technology such as Configuration Manager or InTune to deploy workstation policies in lieu of group policy, or in addition to group policy.

Then there’s the nuclear option, depending on the hardware you’re using and how granular you really need to be within your organization. You can disable USB ports in the system bios completely. This option is a bit extreme and doesn’t make a lot of sense given that modern-day keyboards and mice are all USB devices, but the option does exist. As I mentioned earlier, the real key is to find the appropriate balance between your organization’s risk appetite and usability.

User Training for External Storage Device Security: “Employees, DON’T DO THAT THING!”

The final suggestion I have for anyone who is concerned with external storage device security is to implement a user-awareness or user training campaign. Awareness training doesn’t tackle everything (if it did security professionals would be out of jobs everywhere, and the IT landscape would look a whole lot different). However, it does help to improve an organization’s overall security posture, especially when discussing a specific risk such as external storage devices. A training session for your employees to learn about the risks associated with USB drives could be highly useful. Everyone thinks “it can’t happen here” or “it can’t happen to us” until it happens, right? A training session where a user plugs in a USB device that flashes a nice big red warning message with sirens blaring out of their computer speakers might just help send the message home and reinforce your company policies and technical controls.

We can help with that.

Beyond20 has extensive experience supporting corporate, municipal, and federal objectives in Risk Management, and we also offer a myriad of training options for courses such as Security+ and CISSP certification. Our team is full of capable consultants who can assist in answering any questions your organization might have regarding cyber security, as well as any concerns about how to map your security practices to ITIL. Whether you’d like our help with your cyber security program, or you think you’ve got it covered, we wish you the utmost protection at your organization.