Portable media remains one of the key ways hackers infect a company’s network
Anyone who’s ever dropped of their child at a daycare is familiar with the scenario. If one child has a virus, it’s only a matter of time until all the other kids pick it up as well.
It’s the same with digital storage devices. Introducing USB drives, media cards or data disks into company computers can be just as risky as having your child spend the day with a sick kid.
Sure, it’s likely there’s no bad intent. It may simply be to copy a few files to work on over the weekend, or just to bring some favorite tunes into the office to help make the day more enjoyable. But portable drives are like those sick kids at the daycare. The worst-case scenario involves the spread of a nasty virus that can end up costing a parent (or a company) thousands of dollars to fight.
The bigger the corporation, the greater the risk. In addition to a greater number of employees who may use portable drives, larger corporations are likely to use contractors to perform maintenance on equipment that may provide an access point to internal networks.
Think the risk is overblown? A recent story on ZDNet detailed how a third-party worker inserted a USB drive into a computer on a cargo ship, inadvertently planting a virus in the ship’s administrative systems. The systems of another cargo ship were infected for more than two years, thanks to a virus that was introduced to its power management systems via a USB drive used in a software update. Luckily, nether incident affected the ships while they were at sea.
In another story that would be laughable if it wasn’t true, Taiwan’s Criminal Investigation Bureau handed out 250 USB drives to winners of a quiz on cybersecurity. The bonus? At least 54 of the drives were infected by a virus that had made its way from the computer of an employee of the hardware manufacturer.
And in yet another situation, reported on KrebsOnSecurity.com, the American Dental Association admitted that it may have inadvertently mailed malware-laced USB drives to thousands of dental offices around the country.
The drives contained information about updated codes that dental offices use to track procedures for billing and insurance purposes. Unfortunately, the drives also contained a program that attempted tries to open a Web page used by hackers to infect visitors with malware, ultimately giving criminals full control of the infected Windows computer. The ADA told Krebs the drives were manufactured in China by a subcontractor of one of its vendor, and that about 37,000 of the devices had been sent to dental offices. With the risks involved in using portable drives, what can a company do to protect itself?
Stop problems at the front door
Organizations in a variety of industries require secure networks that serve critical infrastructure, mission critical processes, or are otherwise vital to business operations. Critical networks monitor and control physical equipment and processes, often found in industries that manage critical infrastructure, such as energy, oil & gas, water and utilities, but also in manufacturing, pharmaceuticals and government defense networks. Critical networks are also found in air and road traffic control, shipping systems, as well as other industries.
These networks are often targeted by professional hackers, and in some cases even by government supported actors. These sophisticated hackers frequently use zero-day attacks which cannot be detected by traditional signature-based security tools. In addition, malware continues to grow both in volume and in complexity, with new variants increasingly evading even more advanced security systems such as malware sandboxes. In 2018, we saw Shamoon malware used to attack energy facilities around the globe and the Triton cyber attack shut down a number of industrial facilities.
To guard against outside attacks, networks are often air-gapped or somehow isolated from the rest of the organization’s infrastructure. One way to ensure network security, of course, is to completely ban the use of outside drives with company equipment. Unfortunately, in many situations that’s just not practical. For example, operating systems and software need to be patched and critical system logs need to be collected. It may also be an outside firm making an on-site sales pitch using a presentation brought in on a CD or flash drive, or it could be an employee using their personal device to transfer files to work on over the weekend. It could be a doctor at the local hospital copying X-ray images to take back to their office.
And chances are that most of us have three or four flash drives sitting on their desk, purchased at the local drugstore, picked up as swag at an industry trade show or even found lying near a computer in a conference room. If we needed on in a hurry, we’d likely grab one of those without giving it a second thought. Anyway, who wants to work in a cubicle farm where bringing in some Taylor Swift to pass the time is against the rules?
Securing the network against threats
With that in mind, how does the organization create a data transfer process to securely move files in and out of the critical network without exposing it to a risk of infection or the loss of sensitive information?
A more sensible way to address network security might be to allow the use of portable drives, but insist those drives be scanned before being used at the office. It’s sort of like signing up for daycare services but getting a full medical workup on all the other kids before trusting them with your own child.
One tool for accomplishing such a task is the California Cyber Security Kiosk, manufactured by Olea Kiosk. Olea created the California to help companies safeguard their infrastructure from malware threats on removable devices brought in by employees, contractors, vendors and others.
The California safeguards critical networks by providing the ability to detect malware, as well as control and sanitize file contents before entering or leaving a secure network. The kiosk can be deployed at strategic locations throughout your organization where employees or guests may be entering with USB drives or other portable media that could contain malicious files. A notice that portable drives need to be scanned before being brought on site can be included in employee training materials, while receptionists or other greeters can direct contractors or third-party vendors to scan any drive they plan to use while at work.
Using OPSWAT’s Metascan multi-scanning technology, Olea’s kiosk can scan USB drives, Blu-ray/CDs/DVDs, and other portable media using up to 30 fully-licensed antivirus engines. The kiosk offers an array of features including a 15-in-1 media reader, a receipt printer, a robust Dell CPU, two external USB ports and a UPS battery device that continues power during an electrical brownout. The kiosk’s stylish design allows it to provide functionality while at the same time enhancing the look of employee entrances or office lobbies.
Nearly every day brings news of a data breach, ransomware attack or other virus issue that brings a company to its knees, and those threats continue to grow. The 2018 Global Threat Report indicates that more than 7 in 10 of all organizations in the US were affected by a data breach in some way over the past few years. Other studies peg the cost of a data breach at an average of $3.62 million.
Don’t be one of that 70 percent. If you need protection from the cybersecurity risks of using portable media, Olea Kiosks stands ready to help!