Universal Serial Buses (USBs) are incredibly common connectors used in electronic devices such as flash drives, keyboards, external hard drives, desktop fans, and plenty of other devices.
The ability of USBs to transmit both data and electricity makes them incredibly useful for connecting devices to computers – it also makes them an endpoint security nightmare.
Organizations can suffer detrimental data breaches after their systems become infected with malware following one of their users plugging a rogue USB device into an endpoint device such as their workstation. By better understanding the potential threat that rogue USB devices can have on endpoint devices and data security, organizations can better defend against this threat.
USB devices can be used to transmit malware or even cause physical damage to hardware. Devices such as the USB Killer, a niche USB device designed to look like a flash drive, rapidly damage sensitive electrical components with rapid charge/discharge cycles when inserted into a USB port.
Malicious actors (aka “black hat” hackers) can use USB devices to stealthily infect computers with malware by executing a “payload” when the USB device is connected. The payload is malicious software that is designed to perform a set of malicious functions such as leaking sensitive data, installing spyware to stealthily monitor user activity, deleting/corrupting files, or execute a command to install other malware onto the now-compromised system.
Any unknown USB device should be treated as a vector for an attack from malicious attackers.
While the typical culprits are USB flash drives and external hard drives, niche product developments such as the O.MG cable and USBHarpoon have shown that even seemingly innocent devices such as USB cables can be specially-designed with the hardware required to execute a payload when it is connected to a computer.
Any USB device – including USB-powered fans or lights – can be modified to include data transmission and storage capabilities, leaving unsuspecting users to be none-the-wiser that they have become a negligent insider threat thanks to their trust in an unknown USB device.
Get started today—Download the FREE template and customize it to fit the needs of your organization.
You may have noticed a critical component of USB attacks – they require that the USB devices are given direct access to the USB ports in order to execute the payload.
While the USB devices do need to be directly connected to a USB port to initiate the attack, the attacker themselves do not need to be the ones plugging in the USB. The attacker can pre-load a USB device with a payload that can execute automatically once the USB device is plugged in by a third party.
Social engineering – the use of flaws in human psychology to manipulate individuals into inadvertently cooperating with the attacker – is scarily effective in transmitting payloads through unknown USB devices.
Attackers can use social engineering to exploit the curiosity of employees with poor cybersecurity practices by leaving infected USB flash drives in spaces used by the organizations they intend to target. In an experiment conducted by the University of Illinois and the University of Michigan, USB flash drives were scattered across a large university campus resulting in a staggering 45-98% of the USBs being inserted into machines.
The majority of those duped by the social engineering study did so in an honest attempt to discover the owner of the flash drive, though some acted out curiosity or out of the intention to keep the flash drives for future use.
An organization relies on teams of trusted people to function. Unfortunately, trusted employees, contractors, or visitors can become malicious insider threats under certain circumstances. An unknown person walking throughout the office is certain to be suspicious, but employees working for an organization that allows USB devices can easily sneak past security personnel to deploy a payload.
USB devices can be dangerous if mismanaged, but there are ways to protect endpoint devices against the threat of malicious USB attacks.
An organization’s data loss prevention (DLP) strategy can be greatly improved by strengthening its defenses against USB attacks with the appropriate combination of physical security, DLP software with USB access control features, and regular cybersecurity training for users.
While the chances that an unknown individual will directly enter an organization to deliver their malware payload, physical security measures are still a significant factor for endpoint security. Physical security such as locked doors, security personnel, and video surveillance all contribute to preventing attackers from directly accessing the organization’s hardware.
An organization that takes its data loss prevention seriously must invest in providing its users with frequent cybersecurity training that addresses their cybersecurity responsibilities as well as the forms of attacks that can be executed against the organization.
When users are properly trained they will better understand how to use the organization’s computers and network in a safe and responsible manner, reducing the chances that they will fall victim to social engineering attacks that rely on phishing and unknown USB devices to be executed.
Organizations that want to improve their data loss prevention capabilities by protecting their network and endpoints against unknown USBs should proactively invest in endpoint security software with integrated USB access control features.
The USB access control features provided in endpoint security software allow organizations to have greater control over the USB devices that are permitted to be used within their network, reducing the opportunity for unknown USB devices to execute their payloads.
When investing in endpoint security software, here are key features to look out for:
Hi this is Dale from the CurrentWare team.
Today I’m going to show you how to get started with implementing your first USB security policies with AccessPatrol.
This video will cover the key features of AccessPatrol, including:
This demo will be using version 7.0.1 so there may be small differences if you are using another version.
Before watching this video you should already have the CurrentWare web console set up, the CurrentWare Clients installed on the computers you would like to manage, and your users or computers placed in their own policy groups.
For more information on installing CurrentWare and setting up your policy groups, please visit the knowledge base at CurrentWare.com/Support.
To start, decide if you will be managing your organization’s USB security policies based on users or computers.
If you select User mode your policies will apply to the users no matter which managed device they log in to; if you select PC mode your policies will apply to a specific computer.
Whichever mode you have selected is the mode that will have its policies active; you cannot operate in PC mode and user mode simultaneously.
If you are using a terminal server to manage your clients you must use AccessPatrol in PC mode.
Alright, let’s get started!
First, I will show you how to block removable media devices using AccessPatrol’s Device Permissions feature.
As of version 7.0.1 the following restrictions are available:
For removable media devices you have three options:
For Bluetooth devices you have:
For everything else you have Full Access and No Access.
In this example I will block USB portable storage devices, CDs/DVDs, and floppy disks on the computers used by our Accounting department.
Once you’ve configured your desired device restriction policies for the selected group, press “Apply” to save your changes. Then, press the “X” button in the top-right corner of the Device Permissions window to close the window.
If you’d like to set unique device restriction policies for each group, simply repeat the same process for each of your groups.
If you’d like to use the same device restriction policies for multiple groups, copy group settings by following these steps:
Be careful when selecting source and destination groups in the Copy Group Settings window; all of the destination group’s previous settings will be overwritten with the selected settings.
Next, I will show you how to allow specific trusted devices while blocking all others using the Allowed List.
This configuration is ideal if you want to prevent unauthorized devices from being used on your computers or if you only want to only allow certain groups to have access to a particular type of device, such as only allowing IT staff to use removable media devices.
To do this:
Now that you have your core USB security policies in place, I’ll show you how to use AccessPatrol’s complementary features.
This section will cover:
The Access Code Generator allows administrators to generate a time-limited single use code for a specific computer or user. These codes can be made on-demand or pre-generated for use within 30 days. The temporary access code does not require internet access to use.
The most common uses for the Access Code Generator are:
If the user has a connection to the CurrentWare Server you will see when their access code is active under the “Devices Blocked” column in the manage window.
To create an access code:
To use the access code, your user must:
Once your user presses the unlock button they will be completely unrestricted by AccessPatrol for the duration that you set when creating the Access Code. During this time you may want to visit that user’s dashboard and monitor them for suspicious activity; I will show you how to do that in another video.
Next, let’s look at the Device Scheduler.
With the Device Scheduler you can modify the device permissions you have set for storage devices based on daily or weekly schedules. Any USB control policies you implement in the Device Scheduler will override the restrictions you placed in the Device Permissions window.
Here are some ways you can use the device scheduler:
Once you’ve added your desired device schedules, return to the main window and set the toggle for “Enable Device Scheduler” to active.
Next, I’ll show you how to use the Block File Transfers feature to prevent file transfers to and from portable storage devices based on keywords in the file name as well as file extensions.
Here’s how to use the Block File Transfers feature:
By selecting “Apply Block File Transfers on Allowed Devices” the Block File Transfers feature can even be used to restrict these data transfers to your trusted devices.
In this next section I will show you how to monitor USB device usage with AccessPatrol’s USB activity reports.
AccessPatrol collects a variety of data points related to peripheral device usage, including:
These data points are then used to populate a variety of reports, alerts, and dashboards that IT security teams can use to investigate potential insider threats such as employees transferring sensitive data to removable storage devices.
Having detailed logs of USB activity is essential for regulated organizations that need to ensure that their USB security policy and data loss prevention methods meet their regulatory compliance requirements.
While the best practice is to block all removable media devices and provide a more secure alternative for data transfers, this is not always practical for some organizations. In those cases, a detailed USB activity log is an essential tool for ensuring that employees and contractors are compliant with the organization’s USB security policies.
Allright, let’s get started
For this example we’ll configure a File Operations History report.
By default the report will include all file operations to removable media devices; you can also use the dropdown menus to selectively include only specific file operations.
These file operations are:
Next, select the computers or users you’d like to include in the report. You can select individual users or computers from a group, the entire group, or your entire workforce.
You can use these sorting options to choose how you want the data to be sorted in the report.
Next, select the reporting period.
Once you have your settings configured you can save it as a report profile. Report profiles are used to automate scheduled reports that will be sent to an email inbox.
They can also be used to configure all of your settings by selecting the report profile rather than manually adjusting the parameters each time. By default your report profiles will be automatically updated to include new users or computers as they’re added; this can be changed in the AccessPatrol settings menu.
Press the run report button to generate the report. This report can then be saved or printed by using the buttons in the top right corner.
If your reports and dashboards are filled with irrelevant information, you can selectively exclude data about specific devices and file names from these reports using the Exclusion List. The Exclusion List is a global setting that will affect the reports and dashboards for all groups.
Here’s how to use the Exclusion List:
Next, I’ll show you how to use the report profile we created in the previous steps to automate the generation and delivery of the reports to designated email inboxes. This Email Reports feature is a convenient way to deliver USB activity reports on a regular basis without having to log in to the web console each time.
If you only want to receive a report when specific events occur I will cover that in the next section when I show you the Email Alerts feature.
Before you begin, you will need to configure your email settings by going to settings > Email settings. You can have the email reports and alerts sent through your organization’s email server as well as a variety of web email services such as Gmail.
How you configure email settings will depend on the email server you use. For more details please visit the CurrentWare knowledge base at CurrentWare.com/Support/
Once your email settings are configured, return to AccessPatrol’s manage section and click the Email Reports button. This main screen will show any currently configured email report schedules.
Next, let’s look at creating email alerts.
Email alerts are similar to email reports except instead of sending reports at a predetermined time AccessPatrol will instead send an alert email when specific parameters are met, such as an employee attempting to insert an unauthorized USB flash drive into a managed computer.
Here at the main screen you will see your currently configured alerts.
To create a new alert:
That’s it for today’s video. If you have any questions you can reach out to the CurrentWare support team at CurrentWare.com/Contact/ or you can get more information from our self-serve knowledge base at CurrentWare.com/Support/
With a full-featured 14-day FREE trial of AccessPatrol, organizations have the opportunity to test an endpoint security software solution designed to protect their data and secure their endpoints.
AccessPatrol is an endpoint security software that is available as a stand-alone product or as part of the CurrentWare Suite. CurrentWare customers use AccessPatrol to strengthen their data loss prevention capabilities by blocking USB ports, disabling unauthorized external devices, and configuring custom device permissions for their users.
If your organization is ready to enhance its data loss prevention strategy, click the button below to request a free trial of AccessPatrol and an expert from the CurrentWare team will provide you with everything you need to get started.
Cookie | Duration | Description |
---|---|---|
__cfruid | session | Cloudflare sets this cookie to identify trusted web traffic. |
cookielawinfo-checkbox-advertisement | 1 year | Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category . |
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
JSESSIONID | session | The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application. |
LS_CSRF_TOKEN | session | Cloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed. |
OptanonConsent | 1 year | OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category. |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
Cookie | Duration | Description |
---|---|---|
__cf_bm | 30 minutes | This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. |
_zcsr_tmp | session | Zoho sets this cookie for the login function on the website. |
Cookie | Duration | Description |
---|---|---|
_calendly_session | 21 days | Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar. |
_gaexp | 2 months 11 days 7 hours 3 minutes | Google Analytics installs this cookie to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in. |
Cookie | Duration | Description |
---|---|---|
_ga | 2 years | The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors. |
_ga_GY6RPLBZG0 | 2 years | This cookie is installed by Google Analytics. |
_gcl_au | 3 months | Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services. |
_gid | 1 day | Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously. |
CONSENT | 2 years | YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data. |
Cookie | Duration | Description |
---|---|---|
_opt_expid | past | Set by Google Analytics, this cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that is being redirected. |
IDE | 1 year 24 days | Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile. |
NID | 6 months | NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads. |
test_cookie | 15 minutes | The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies. |
VISITOR_INFO1_LIVE | 5 months 27 days | A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface. |
YSC | session | YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages. |
yt-remote-connected-devices | never | YouTube sets this cookie to store the video preferences of the user using embedded YouTube video. |
yt-remote-device-id | never | YouTube sets this cookie to store the video preferences of the user using embedded YouTube video. |
yt.innertube::nextId | never | This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen. |
yt.innertube::requests | never | This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen. |
Cookie | Duration | Description |
---|---|---|
_dc_gtm_UA-6494714-6 | 1 minute | No description |
_gaexp_rc | past | No description available. |
34f6831605 | session | No description |
383aeadb58 | session | No description available. |
663a60c55d | session | No description available. |
6e4b8efee4 | session | No description available. |
c72887300d | session | No description available. |
cookielawinfo-checkbox-tracking | 1 year | No description |
crmcsr | session | No description available. |
currentware-_zldp | 2 years | No description |
currentware-_zldt | 1 day | No description |
et_pb_ab_view_page_26104 | session | No description |
gaclientid | 1 month | No description |
gclid | 1 month | No description |
handl_ip | 1 month | No description available. |
handl_landing_page | 1 month | No description available. |
handl_original_ref | 1 month | No description available. |
handl_ref | 1 month | No description available. |
handl_ref_domain | 1 month | No description |
handl_url | 1 month | No description available. |
handl_url_base | 1 month | No description |
handlID | 1 month | No description |
HandLtestDomainName | session | No description |
HandLtestDomainNameServer | 1 day | No description |
isiframeenabled | 1 day | No description available. |
m | 2 years | No description available. |
nitroCachedPage | session | No description |
organic_source | 1 month | No description |
organic_source_str | 1 month | No description |
traffic_source | 1 month | No description available. |
uesign | 1 month | No description |
user_agent | 1 month | No description available. |
ZCAMPAIGN_CSRF_TOKEN | session | No description available. |
zld685336000000002056state | 5 minutes | No description |