While it doesn’t necessarily get as much attention as software risks, hardware risks remain prevalent in terms of cybersecurity. One such area of concern comes from removable devices like USBs.
USBs stand for universal serial bus. They allow a computer to communicate with other devices. USB-connected devices are broad. They include flash drives, keyboards, and more.
A USB can also be used as a way to send power to other devices, like powering smartphones or charging batteries of devices.
Hardware attacks that involve things like USBs are growing in prevalence, and attackers can bypass authentication and endpoint security systems. These attacks are challenging to trace, and essentially attackers can leverage weakness in how an operating system manages hardware.
Honeywell Cybersecurity Research issued a warning about removable media threats in June 2021. Honeywell reported 79% of cyber threats stemming from removable media were critical to Operational Technology in heavy manufacturing. Honeywell went on to say the amount of malware engineered specifically for use with removable media as the attack vector has doubled year-over-year.
The following are key things to know right now about USB cybersecurity risks.
There are various ways to use a USB as an attack vector.
For example, malicious code is the most basic of these. In a malicious code attack, a user will click a file on a drive, and then the code can automatically activate when it’s viewed. From there, more malware is downloaded online.
The second type of attack is known as social engineering, where a file takes a user of a thumb drive to a phishing site. Once at that phishing site, someone could be duped into giving login credentials.
A more significant type of attack using removable devices is called Human Interface Device or HID spoofing. In this scenario, a device looks like a USB stick, but it tricks a computer into thinking it’s an attached keyboard. Then, the hacker has remote access to a computer.
A situation called a Zero Day attack occurs when the USB exploits a hole in computer software. The hacker acts before the vulnerability can be patched.
In the general sense, one of the most common uses for USB that’s weaponized is the delivery of malware.
One of the most effective things you can do to safeguard against USB and hardware-related attacks is the training of employees.
When you teach employees about the risks of removable media and not to plug devices into their computers when they don’t know what they are, it can decrease the threat your organization faces drastically.
Some other ways to safeguard against these attacks include:
Another option is not to allow the use of removable media at all. Then, of course, there’s no way for an attacker to weaponize the USB. Whether or not this is the right move for your organization is based on many independent variables.
Something else that can be generally helpful in terms of dealing with a myriad of hardware-related threats is a Zero Trust architecture. As a device, a USB wouldn’t be inherently trusted in a Zero Trust model. Instead, the device would have to be verified, as does every user and machine.
Even if a bad actor could gain access via a USB, their lateral movement would be impeded with Zero Trust frameworks.
It’s important in 2022 with your cybersecurity planning that you don’t overlook the role of hardware threats and take steps to protect against them as you do other risks you might face.