USB Security Risks: When Flash Drives Become Dangerous

Flash drive. Thumb drive. Jump drive. USB stick. Whatever you call it, most of us have at least one of these ubiquitous, simple devices. The very first USB drive—called the DiskOnKey—held a whopping 8MB of data. Today, they not only hold countless gigabytes, but they may also hold numerous USB security risks; so can charging ports, memory sticks and other common devices.

Beware the USB

Malware or a virus can be loaded onto a flash drive, which can then automatically infect a machine when the user inserts the stick into it. Back in 2014 some security researchers showed how easy this was, and things haven’t changed much. Researchers have shown how malware from a USB stick can take control of a computer, upload files, track browser history, infect software and even give a hacker remote keyboard control. In many cases the problems can’t be patched, infected files can’t be cleaned, and the infection is almost impossible to detect.

Shared Data, Lost Data

Flash drives are convenient, but their size also makes them USB security risks. Recently, IBM banned workers from using them for work, along with any removable memory device. As reported by the BBC, IBM cited the possibility of “financial and reputational” damage if staff lost or misused the devices.

IBM is being cautious, and for good reason. A few months ago, the University of Toledo made news when a faculty member lost a flash drive filled with social security numbers (as reported by the Toledo Blade). In 2017, an insurance underwriter paid a $2.2 million HIPAA breach settlement after a USB drive containing sensitive health information of more than 2,200 people was stolen from its IT department.

Even deleting information from a USB drive doesn’t always make it secure: the devices can leave traces of files behind, or even full copies, which an expert hacker can recover.
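The point about traces left behind can be made concrete with a small simulation. This is an added example, not code from the post or from Single Path: `ToyVolume` is a hypothetical in-memory flash volume with FAT-style bookkeeping, and the record it stores is a constructed sample, not real data. It shows that an ordinary delete only drops the directory entry, that partial reuse of a freed block still leaves the tail of the old file in slack space, and that only overwriting the freed blocks makes a raw read of the medium come up empty.

```python
import os

BLOCK_SIZE = 64
BLOCK_COUNT = 16


class ToyVolume:
    """Hypothetical in-memory flash volume: a raw byte array plus a directory
    that records which blocks each file occupies (FAT-style bookkeeping)."""

    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * BLOCK_COUNT)   # raw medium contents
        self.free = list(range(BLOCK_COUNT))                # free blocks, lowest first
        self.directory = {}                                 # name -> (blocks, size)

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)                # ceil(len / BLOCK_SIZE)
        if needed > len(self.free):
            raise OSError("volume full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start = b * BLOCK_SIZE
            # Only the bytes actually written are replaced; the rest of the
            # block (slack space) keeps whatever was there before.
            self.media[start:start + len(chunk)] = chunk
        self.directory[name] = (blocks, len(data))

    def delete_file(self, name):
        """Ordinary delete: drop the entry, free the blocks, leave the bytes."""
        blocks, _ = self.directory.pop(name)
        self.free = sorted(self.free + blocks)

    def secure_delete_file(self, name):
        """Delete and overwrite the freed blocks so a raw read finds nothing."""
        blocks, _ = self.directory.pop(name)
        for b in blocks:
            self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
        self.free = sorted(self.free + blocks)

    def raw_contains(self, marker):
        """A raw read of the medium, ignoring the directory (what recovery sees)."""
        return marker in bytes(self.media)


def demo():
    """Returns whether the record is still findable (1) after a normal delete,
    (2) after the freed block is partly reused, (3) after an overwrite delete."""
    record = b"SSN:123-45-6789 name=constructed sample"   # constructed, not real
    marker = b"123-45-6789"

    vol = ToyVolume()
    vol.write_file("roster.txt", record)
    vol.delete_file("roster.txt")
    after_delete = vol.raw_contains(marker)        # True: bytes untouched

    vol.write_file("note.txt", b"hi")              # reuses block 0, writes 2 bytes
    after_reuse = vol.raw_contains(marker)         # True: tail survives in slack

    wiped = ToyVolume()
    wiped.write_file("roster.txt", record)
    wiped.secure_delete_file("roster.txt")
    after_wipe = wiped.raw_contains(marker)        # False

    return after_delete, after_reuse, after_wipe


if __name__ == "__main__":
    print(demo())
```

Real flash controllers add a caveat the simulation cannot show: wear levelling may write the "overwrite" to different physical cells and leave the originals intact, so a host-side wipe is not a guarantee on a USB stick. That is why the practical mitigation is the one the post comes back to later, keeping sensitive data on the stick encrypted so that whatever remains is unreadable.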

Charging Malware

Using a flash drive isn’t the only USB security risk. Many modern laptops can now be charged through the USB port, a tremendous convenience but one that can leave a machine open to attack. Much like thumb drives, these small USB chargers are borrowed and shared, lost and replaced. Like thumb drives, they can also be booby-trapped to inject malware, rootkits and other malicious infections into a computer, giving the hacker access to files and data.

Getting the Drop on USB Security

Not every trick is high tech, as shown in this simple ploy: a hacker drops an infected USB drive on the ground, which is then picked up and used, infecting a computer. According to an article by digital news company Mic, researchers dropped a few hundred USB devices around the University of Illinois, even going as far as attaching keys or a return mailing address to some of them. Incredibly, 48% of the 300 devices they dropped were picked up and plugged into a computer.

Laptop Leaving

USB devices aren’t the only portable devices that can put you at risk. Have you ever left a laptop on the table at a coffee shop while you stood in line or ran to the restroom? Even if your laptop is where you left it when you return, that doesn’t mean it hasn’t been compromised.

A test of Google’s Chrome browser showed how easy and fast it is to steal passwords from an unguarded screen. One reporter for the Guardian says he tried exactly that and stole 52 passwords in 57 seconds. If your computer doesn’t have a master password, it’s a simple procedure to access every web password you have.

USB Security and the GDPR

Recently, the GDPR (General Data Protection Regulation) was implemented for Europe, with a whole new set of rules regarding privacy protection and the sharing of information. We reported on this in great detail in an earlier blog post. One interesting aspect of the GDPR concerns USB drive compliance. Keeping customer information safe and secure, with only limited employee access to this data, is at the heart of the GDPR. Failing to use an encrypted USB stick to transport data can be considered a breach of protocols and result in hefty fines.

Security Protocols

Instead of relying on antiquated USB devices to share files, most companies should switch to cloud computing, which allows for safe storage and accessibility of files across a secured network. We wrote a blog post recently in which we listed a number of practices small-to-medium sized businesses should implement immediately, including amping up their cyber security, going to the cloud, and finding the right tech partner to assist them in setting it all up.

As security experts, Single Path is that “right partner” for many organizations. We know a thing or two about USB security, and even more about network security and data security. We help our clients implement proactive infrastructure patch management, provide a security risk assessment and much more. We also offer a full slate of managed cloud services, giving you access to the best cloud technologies without high initial costs or ongoing investments in upgrades.

Ask us how to get started!

Are You Ready for GDPR? Enforcement Begins on May 25, 2018.

In April of 2016, after four years of debate and preparation, the EU Parliament approved the GDPR (General Data Protection Regulation). This landmark regulation was designed to protect data privacy and access, and to provide a way for EU citizens to seek damages should they suffer from misuse or breach of their data.

This regulation affects any company that does business with EU citizens, regardless of where that company is located. Among its components are:

  • Mandatory breach notification. Data processors must notify their customers and business partners within 72 hours of becoming aware of any data breach.
  • The right for customers to obtain confirmation of how and where their personal data is being processed, and for what purpose.
  • The right for customers to have their personal data “forgotten” or removed from electronic data (under certain conditions).
  • The right for customers to receive their own personal data, and a right to “data portability,” or the ability to easily transfer information between service providers.
  • Privacy by Design. Data protection protocols need to be in place before a company collects personal information, and they must also limit who at the organization can access that data.
  • Data Protection Officers. Certain companies must appoint an officer in charge of all data protection and privacy issues, and follow certain internal record-keeping requirements.

You can read the final, full version of the regulation here. And you can read a press release from the European Commission that drafted the regulation, here.

What you need to do now

According to research and advisory firm Gartner, most companies are not ready for this change. In fact, Gartner predicts that more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.

Unfortunately, if a company doesn’t adhere to the GDPR regulations, they could face a HUGE fine. Here are a few areas you’ll want to take a closer look at:

Are you a controller or a processor?

The regulation breaks out responsibility for protecting data into two roles: controllers and processors.

Which one are you? A “controller” is the person, business or public authority that “determines the purposes and means of the processing of personal data.” The “processor” is the person or organization that processes the personal data on behalf of the controller. In other words, the controller is the one who uses the information and the processor gathers it on their behalf.

Or, in an example given in an article on the website gdpreu.org, “If Acme Co. sells widgets to consumers and uses Email Automation Co. to email consumers on their behalf and track their engagement activity, then with regard to such email activity data, Acme Co. is the data controller, and Email Automation Co. is the data processor.”

Some companies are both. You may want to seek legal advice to ensure your role is properly defined.

Audit your data

Per a recent article on informationweek.com, auditing your data, while time-consuming, can have numerous benefits. The article suggests you “Find out what data you have, where you have it, why you have it, how long you need it and any current processes for deleting it.” Since information may have to be deleted, shared and immediately accessible, enabling a single view of all information, and where it is stored, can be a vital time and cost-saving measure.

Conduct a Privacy Impact Assessment (PIA)

You will need to assess how customers’ personally identifiable information (PII) is collected, used, maintained and disclosed to ensure it is protected adequately. As shared in an article at gdpr.com, “The PIA should be conducted throughout the development lifecycle of a system, but especially before you even start collecting the data. When risks are identified, the GDPR expects you to employ measures to address them, such as encryption, continuity plans or backups of the data.”

Remember, it’s not just about having a secure system. The real trick is in controlling who has access to the information and how it can be used. As stated in the same article quoted above, “security is about who has access to the data, privacy is about what you do with the data you have access to. Assuming security is good, the main risk will be the way in which you use the data.”

Let an expert help

At Single Path, we’re well known for “providing accountability for technology from the start.” Our team will work with you to put the processes and protections in place to ensure you are compliant with the GDPR, and any other regulations or requirements. From storage to security, we have the experience and resources to collaborate, educate and connect you with the tools you need.

Don’t risk a large fine from a lack of compliance. Let Single Path help you take the steps now to ensure you’re ready by May 25.

Ask us how to get started!