So you’ve been handed a brand ‘new’ USB (Memory) stick at a conference, or you’ve found a misplaced USB stick on the floor inside or outside the office, and you want to find out what’s on it – so you can return it to its rightful owner; what’s the first thing you do with the stick?
Most PC users assume the tiny, durable USB stick is innocent, and plug any stick they lay their hands on into their work or home PC, believing it to be free of malware and viruses; that assumption can cause a serious security breach on the PC and on every network it connects to.
One of the first notable viruses to hit the news in the late 1990s was Melissa (1999), followed by the I Love You worm (2000) and Nimda (2001), which spread rapidly across global networks. Some of these names may sound alien to newer professionals, whereas for those of us involved with IT as a user or professional since around the turn of the millennium, these outbreaks probably remain ingrained in our memories.
Melissa is usually classed as a macro virus rather than a worm: it lived in the macros of Microsoft Word documents, infected Word's template on the victim's machine, and spread by emailing an infected document to the first 50 entries in the victim's Outlook address book. Each new victim still had to open the attachment and let the macro run, so it largely affected Word and Outlook users.
Nimda, on the other hand, and like many more recent threats, was one of the first worms to combine several propagation methods at once: it exploited unpatched IIS web servers and open network shares, and it also relied on social engineering, i.e. the exploitation of 'human' weaknesses, inviting users to browse to infected websites or to open infected email attachments. The 'I Love You' worm also exploited human curiosity: it arrived as an email attachment named LOVE-LETTER-FOR-YOU.TXT.vbs, whose real .vbs extension Windows hides by default, so it looked like a harmless text file. Surprisingly, even though it wasn't sent on Valentine's Day, tens of millions of users were curious enough to open an attachment professing 'love', apparently sent by someone in whose address book they appeared, causing a global infection of their PCs.
USBs and Social Engineering
Have you ever seen PDFs titled 'The top 20 secrets to wealth', 'Please help' or 'Strictly private and Confidential', and decided to take a brief look inside? Cybercriminals use clickbait titles to lure curious users into opening documents that infect their PCs with malware, and the same lure works on USB sticks, which are sometimes deliberately dropped on the floor for a curious user to pick up, plug in and start a viral infection of PCs.
USB sticks aren't immune to viruses or malware, and yet they're doled out at conferences like candy, picked up off office floors or streets by unsuspecting or curious users as a matter of course, and then plugged into personal and work devices without a thought for the security of the device or of other network users.
So what should Boards, IT and PC users do to mitigate the risk of malware and viruses being introduced onto the network via USB sticks?
Continuing the theme of the Board's fiduciary responsibility to protect a corporation's information assets from theft or loss, including the Board Executive's accountability for the corporate cyber and information security policies: it goes without saying that the small USB stick can cause a massive loss of information assets to a business, in the form of virus, ransomware and other malware outbreaks.
Information leakage, i.e. where authorised and unauthorised network users walk out of unsecured businesses each day with 'tiny' USB sticks on their person containing intellectual property or private customer information, is also a 'big' risk that needs to be owned and mitigated by the Board. What happens when an authorised employee misplaces a USB stick containing personal customer data, or leaves it on a train, and fails to report it?
At Board level, we should be overseeing our teams' cyber risk management initiatives, such as DLP solutions, patch management, plus anti-malware and antivirus solutions; ensuring our firm only purchases encrypted USB sticks that can also be remotely wiped in the event of theft or loss; and overseeing the blocking of all unencrypted USB sticks from the network, whether through Group Policy (the Removable Storage Access policies, and BitLocker To Go's 'Deny write access to removable drives not protected by BitLocker' setting) or a third-party device-control solution. One caveat the team should know: a block on the storage device class does not stop a stick that presents itself to Windows as a keyboard, which is one more reason for a standalone test machine.
Has your team been provided with adequate testing facilities, including a 'safe' standalone machine, kept off the corporate network, on which to test potentially suspect USB sticks and software?
How about the asset inventory system containing details of each IT asset on the network, including USB sticks? Is it updated and reconciled periodically?
We should also be iteratively raising user awareness through policies, workshops, training, bulletins, competitions etc.; every effort has to go towards reducing the threat of information asset theft and cybercrime from now on, not only because of the impending GDPR, but also if we're intent on stopping cybercrime from growing into a $2 trillion industry by 2019 at our own workplaces' expense.
Again, as I wrote on LinkedIn previously, information security is the responsibility of all staff, so it's vital we individually take up the mantle of protecting our workplace and personal PCs from harm. Before you plug that USB or memory stick into your computer, pause and think 'what if?': what if this stick contains a virus or a worm? What if it were to delete all the information on my PC, along with my entire work data? What if it were to take the office network down for a day or two; could we continue as a business? What if it contains malware that transmits my stored personal information, or the keystrokes I type, including financial details, to a remote device? (Such software has existed for years.)
If you're given a USB stick by a friend, a colleague or at a conference, ensure it's scanned with antivirus and anti-malware software, ideally on a standalone machine, before you use it! If you notice a USB stick lying in the street, just keep walking; let the owner return to find it where they dropped it, accidentally or maliciously!
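A first-pass triage of a found stick on the standalone machine mentioned above, as an added example that is not part of the original article: it walks a read-only mount, flags the lures described in this piece (an autorun.inf, a double extension such as LOVE-LETTER-FOR-YOU.TXT.vbs, clickbait file names, macro-enabled Office files) and records SHA-256 hashes so files can be checked against an antivirus or reputation service without ever being opened. The mount path, the extension lists, the lure words and the sample files are the editor's own constructed assumptions, not a standard; the script complements an antivirus scan and does not replace one.

```python
"""First-pass triage of a found USB stick, run on a standalone analysis box.

Added example for this article, not code from the original post. It assumes
the stick is already mounted read-only (and noexec) at the path given on the
command line; the extension lists, lure words and sample files are the
editor's constructed choices. Nothing is executed; files are only read to hash them.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Extensions Windows will run (directly or via a script host) on double-click.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".lnk", ".msi", ".jar",
}
# "Document" extensions an attacker puts in front of the real one. Explorer hides
# known extensions by default, so NAME.TXT.vbs is shown as NAME.TXT (the I Love You trick).
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png"}
# Macro-enabled Office formats: legitimate, but worth a second look on a found stick.
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm"}
# Constructed lure-word list, drawn from the clickbait titles in the article.
LURE_WORDS = ("secret", "confidential", "private", "help", "love", "password", "payroll")


@dataclass
class Finding:
    path: str                                    # relative to the mount point
    reasons: list[str] = field(default_factory=list)
    sha256: str = ""                             # for AV / reputation lookups


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks; reading is the only thing done with it."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_name(name: str) -> list[str]:
    """Return the reasons a file NAME is suspicious (empty list if none)."""
    reasons: list[str] = []
    lower = name.lower()
    suffixes = Path(lower).suffixes              # "a.txt.vbs" -> [".txt", ".vbs"]
    last = suffixes[-1] if suffixes else ""
    if lower == "autorun.inf":
        reasons.append("autorun.inf present (AutoRun/AutoPlay abuse)")
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable or script extension {last}")
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS:
        reasons.append("double extension hiding an executable behind a document type")
    if last in MACRO_EXTS:
        reasons.append(f"macro-enabled Office document {last}")
    stem = lower.rsplit(".", 1)[0] if "." in lower else lower
    if any(word in stem for word in LURE_WORDS):
        reasons.append("clickbait file name")
    return reasons


def triage(mount_point: str | Path) -> list[Finding]:
    """Walk a (read-only) mount and return the suspicious files, sorted by path."""
    root = Path(mount_point)
    findings: list[Finding] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            reasons = check_name(fn)
            if reasons:
                full = Path(dirpath) / fn
                findings.append(Finding(str(full.relative_to(root)), reasons, sha256_file(full)))
    return sorted(findings, key=lambda f: f.path)


def build_sample_stick(target: Path) -> None:
    """Write a CONSTRUCTED sample layout (harmless placeholder bytes) for the demo."""
    (target / "holiday_photos").mkdir(parents=True, exist_ok=True)
    (target / "holiday_photos" / "beach.jpg").write_bytes(b"\xff\xd8\xff\xe0 placeholder")
    (target / "readme.txt").write_text("nothing to see here\n")
    (target / "LOVE-LETTER-FOR-YOU.TXT.vbs").write_text('MsgBox "demo only"\n')
    (target / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (target / "Top 20 secrets to wealth.pdf").write_bytes(b"%PDF-1.4 placeholder")
    (target / "Q3_payroll.xlsm").write_bytes(b"PK\x03\x04 placeholder")


def run_demo() -> list[Finding]:
    """Build the constructed sample in a temp directory and triage it."""
    mount = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    build_sample_stick(mount)
    return triage(mount)


if __name__ == "__main__":
    import sys

    results = triage(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for item in results:
        print(f"{item.sha256[:16]}...  {item.path}")
        for reason in item.reasons:
            print(f"    - {reason}")
```

On a Linux analysis machine, mount the stick with `mount -o ro,noexec,nodev,nosuid /dev/sdX1 /mnt/usb` before pointing the script at `/mnt/usb`; run with no argument and it triages the constructed sample instead. Two limits are worth stating to the team: a stick that enumerates as a keyboard rather than as storage never appears in this listing at all, and a clean result here says nothing about a malicious payload inside an innocent-looking file, which is what the antivirus scan is for.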
Whilst memories of the old viruses and malware may have faded, the modern-day cybercriminal has become more emboldened, using various methods, including the USB stick, to distribute a potent payload, exploiting not just software vulnerabilities but largely human ones, including unawareness and curiosity.
Even if you don't remember Melissa, Nimda or I Love You, the more recent malware outbreaks are enough to show that cybercriminals aren't playing a game: it's big business for them. Don't inadvertently contribute to that thriving industry, including as a victim, even if you have to forfeit some love from Melissa.