Posted by : Unknown
Thursday, September 6, 2012
USB devices are handy ways to transport information -- and trouble, according to a recent survey of more than 10,000 small businesses. Panda Security, which conducted the research, estimates a whopping 25 percent of malware today is developed to disseminate through the use of USB devices.
Small businesses in particular are paying a price for the convenience of using USB drives. As we grow more savvy to malicious attacks via e-mail and other avenues, cybercriminals are turning to USB drives to distribute malware. According to research by Panda Security, a whopping 25 percent of malware today is developed to disseminate through USB devices. The top two threats in security provider BitDefender’s most recent E-Threats report are spread through USB drives.
“Just these two viruses account for 17 percent of the total number of malware apps in the world,” says Catalin Cosoi, head of the Online Threats Lab for BitDefender. BitDefender is also seeing new samples of malware distributed via USB drive. “Most hackers are lazy and don’t want to spend hours and hours trying to hack secured computers,” Cosoi explains. “If they can attack an easy target with just a few clicks, they will do that. Spreading malware through USB devices is just as easy as it sounds.”
Why you might be vulnerable
The risk posed by malware-infected
USB drives isn’t limited to small and mid-sized businesses. IBM apologized
after distributing infected drives at an Australian security conference earlier
this year. However, experts say small businesses are vulnerable because of
these factors:
- Older operating systems. Windows Vista and Windows 7 offer much more protection
against infected USB drives, notes Tim Armstrong, a malware analyst with
security vendor Kaspersky Lab.
However, Windows XP remains the most-used operating system worldwide, and
the malware exploits the “AutoRun” feature for removable media. Stick a
USB drive into the port on a Windows XP machine, and you may find your
every keystroke logged and sensitive business files distributed to servers
halfway around the world. Even if your company has upgraded its operating
system, your employee might be working at home on Windows XP.
- A lack of security know-how. Smaller businesses are less likely to have dedicated IT
personnel or to have policies in place to combat risky USB use. For
instance, Good Samaritans in your company may be inclined to pick up a
drive found in the parking lot, then insert it into their work computer to
see if they can find the drive’s owner. “Somebody could write a script on
that drive that goes and searches for your sales database and contact
list,” says Rich Baich, principal for security and privacy at Deloitte &
Touche LLP.
- Alternative ways to share information. It may be easier for a small company to rely on USB
drives than to take the time and resources to develop other solutions,
such as working in the cloud.
How to protect your business
You can’t afford to
ignore this threat, say security experts. However, there are smart steps you
can take to insulate your business from the risks posed by malware-infected USB
devices. These steps are essential:
- Maintain up-to-date security solutions. Make sure your security is up to date on all computers
attached to your business, and enable Windows updates. Consider an
endpoint security solution that can prevent USB drives from being
recognized.
- Disable AutoRun. Countless online tutorials detail how to disable
AutoRun. To temporarily disable AutoRun, hold down the shift key as you
insert a USB drive.
- Maintain a dedicated computer. If your business is small enough that it’s practical to
keep all critical information on one computer, consider doing so, says
Baich. Then, don’t ever insert USB devices into that computer. “Keep it
very clean. Don’t go surfing websites, use it only for business
functions,” he advises.
- Update your operating system. Lessen your risk by using a more recent version of
Windows or another operating system.
- Use security-protected devices. “Although USB drives are a major culprit for spreading
malware, they have also evolved tremendously over the years,” says
Cosoi. “Some brands have built-in security software, which makes
them safer. Look for these USB drives, and use them exclusively.”
- Educate your employees. In most cases, your employees are going to find the
simplest, most convenient way to get their jobs done. It’s up to you to
provide a means for them to move information when necessary and to outline
the risks involved with USB drive use. Even posting a sign telling workers
not to use unknown USB devices is likely to help. However, establishing a
usage policy is your best protection. Parameters might include never
running personal USB drives on work computers or business drives on home
computers and passing along “found” drives to a designated employee, who
can safely scan the devices.
- Consider alternatives. “It’s almost time to move away from USB sticks to
cloud-based solutions,” Armstrong says. Break the USB habit by offering
alternatives for file-sharing and storage, but make sure you have employee
buy-in, say experts.
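Two of the steps above, disabling AutoRun and having a designated employee scan "found" drives, can be checked with a short script. The Python below is an added example, not code from the article: it reports which drive types a given Windows NoDriveTypeAutoRun policy value still leaves AutoRun enabled on, and lists the entries in a drive's autorun.inf that would start a program. The function names and the sample file are constructed for illustration.

```python
import re

# Bits of the Windows NoDriveTypeAutoRun policy value. A set bit disables
# AutoRun for that drive type; 0xFF disables it for every type.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "cd-rom", 0x40: "ram-disk",
}

# [autorun] keys that launch a program when the drive is inserted or opened.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)


def autorun_enabled_for(policy_value):
    """Return the drive types on which AutoRun is still enabled."""
    return [name for bit, name in DRIVE_TYPE_BITS.items()
            if not policy_value & bit]


def triage_autorun_inf(raw):
    """Return (key, command) pairs from [autorun] that would start a program.

    Parsed by hand and tolerant of junk: a file on a suspect drive may be
    padded with bytes that a strict INI parser would reject.
    """
    findings, in_autorun = [], False
    for line in raw.decode("latin-1").splitlines():
        line = line.strip()
        if line.startswith("[") and "]" in line:
            in_autorun = line[1:line.index("]")].strip().lower() == "autorun"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if EXEC_KEYS.match(key.strip()):
                findings.append((key.strip().lower(), value.strip()))
    return findings


# Constructed sample autorun.inf, not taken from a real drive.
SAMPLE = (b"\x00\xfejunk line\r\n[AutoRun]\r\n;comment\r\n"
          b"icon=folder.ico\r\nOpen=tools\\setup.exe /q\r\n"
          b"shell\\explore\\command = tools\\setup.exe\r\n"
          b"[other]\r\nopen=ignored.exe\r\n")

if __name__ == "__main__":
    # 0x91 is the documented Windows XP default; removable drives stay enabled.
    print("0x91 leaves AutoRun on:", autorun_enabled_for(0x91))
    print("0xFF leaves AutoRun on:", autorun_enabled_for(0xFF))
    for key, cmd in triage_autorun_inf(SAMPLE):
        print("would execute:", key, "->", cmd)
```

Read the file as bytes from the mounted drive on the dedicated scanning machine, and treat any non-empty result as a reason not to open the drive in Explorer.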
“Companies should take
this issue very seriously,” cautions Cosoi. “At BitDefender, we think
USB-transmitted malware is more dangerous than e-mail or other ways of
propagating malware.”