Security's Gaping Hole: USB Flash Drives

The Pentagon last week conceded that a USB flash drive carried an attack program inside a classified U.S. military network. Could your company be next?

Dark Reading Staff, Dark Reading

September 2, 2010

Every day, flash memory devices are connected to business networks, posing a threat for which few companies are prepared.

The U.S. military recently underscored the problem in confirming that a 2008 attack on its systems originated with a flash drive plugged into a military computer located in the Middle East. The attack served as a wake-up call to the Pentagon, which responded by banning USB flash drives for more than a year. The ban was lifted earlier this year.

Few companies have locked down their systems against devices that can be used to steal data or infect networks from behind the perimeter. Earlier this year, a variant of an attack program known as Stuxnet used USB and other methods to spread among power companies, stealing information on the configuration of their sensitive operational networks.

Panda Security recently reported that 32% of small and midsize businesses cite USB flash drives and other external memory devices as the vector for viruses that infected victims. Almost half of all U.S. companies have been infected by a virus via a USB flash drive.

An employee who takes work home by loading it onto a USB flash drive could lose the device, exposing potentially valuable data. That raises a question: Is the threat posed by the device or by data on the device?

In a recent Ponemon Institute survey of IT security and operations managers, funded by Lumension, nearly 60% of respondents rated technology to control USB and other devices as important or very important, while 57% gave a similar rating to data-loss prevention technologies. However, antivirus and anti-malware technologies, whole-disk encryption, application controls, patch management, and IT asset management were all rated as more essential.

Employee education is part of the fight to secure companies against such mobile devices. In addition, encryption, role-based authentication, and data-loss protection can all help reduce the threat.
