Wait! Don’t Plug That In!!!

In today's digital age, data is the lifeblood of businesses. Protecting your IT environment from cyber threats and ensuring the safety of valuable business and customer data must be a thoughtful part of your technology strategy, as well as business policies. One of the biggest challenges faced by organizations today is managing the risk associated with hybrid and traveling workforces. For example, the use of USB external drives, public charging stations, and Wi-Fi.

The Hidden Risk of Removable Media and Portable Storage Drives

External storage devices, including USB and USB-C drives, can carry various threats that potentially harm individual laptops or even slip through cybersecurity safeguards to compromise your entire organization’s network. Common USB security risks include:

Malware, Ransomware, and Viruses—oh my!

USB drives can harbor malicious software that sneaks into your network when plugged into a laptop, potentially leading to data breaches or system failures. Those tools and ports can also provide an unguarded conduit for ransomware attacks, spreading the threat throughout the organization’s network and leaving your business data locked down and inaccessible. Some USBs can even be used as a remote controller, taking over your device and executing commands.

Prevention Tip: USB device security relies on antivirus software, which offers malware protection. But users should also be aware whenever they use a USB storage device, avoiding the urge to open unknown files, and scanning every drive before accessing its content. Be cautious of using USB devices from untrusted sources and consider using USB data blockers, firewalls, and other cybersecurity tools for USB safety. Remember, USB devices can be plugged in and initiate applications without any user intervention, so “not opening anything” is not a preventative measure.

But I Know John’s a Good Guy…

Personal external storage media used by employees can inadvertently introduce threats to a company’s IT environment by transferring infected files. No one intends to create an open door by using a thumb drive that a colleague shares with you, but malicious code doesn’t expire, and it can infect laptops and other devices again and again. Older storage devices can also use outdated software that opens the door to modern hackers, so consider your USB a “legacy solution” and therefore, vulnerable. Also, beware of “gift” USBs that can be giveaways at conferences or sent as “incentives” from hackers that are impersonating reputable vendors. 

The best policy: Don’t plug in any device that you haven’t been in control of since it was acquired (and that means purchased). Don’t share or swap USB storage devices, regardless of whether they seem “safe” or not.

Where Did I Put That Drive?

Portable storage is just that—easy to carry. And easy to lose or steal. With a quick sleight of hand, anyone can grab a small storage device, and then quickly access and steal anything it contains. USB data theft is simple and leaves no footprint. Preventing data theft from USB drives demands strong passwords, USB encryption solutions, and other data leakage software.

Prevention Tip: Be sure all data that leaves your network in any form—external storage, email, message, document—is fully encrypted to protect the content. Be conscientious about the location of drives, and physically secure any storage device that might contain valuable or sensitive information.

Mitigating the Risks of External USB Storage Media

Now that you’re desperately trying to remember the last time you plugged in a thumb drive, let’s discuss some simple USB and mobile device security steps your organization can take to proactively avoid these threats and safeguard your environment.

It only takes a few simple steps to mitigate threats that may lurk in portal storage devices and eliminate common USB vulnerabilities. Perhaps the easiest focuses on your best line of defense, your employees. Educate your team about the risks associated with USB devices and other solutions that utilize USB ports. Develop a policy that clearly outlines secure USB practices as well as offering guidance on other portable storage device security. Then, remind your employees often about their role in protecting your organization’s network. Access control policies should apply to not just the devices and how they are used but also remind employees to safeguard all physical devices from unauthorized access or theft.

Examples of more complex, technical cybersecurity solutions include using endpoint protection and encryption to evaluate and secure data in your environment. These solutions address vulnerabilities well beyond USB and other storage devices; they can protect all data in motion and leverage “live” updates from vendors on potential attacks to maintain a highly agile cybersecurity stance. However, there are loopholes with these solutions as well, including the fact that encryption may not be portable (installed on a USB device) or may not be cross-platform compatible.

Tip: The best practice is a policy that doesn’t allow the introduction of USB devices on regular endpoints. Instead, use an isolated machine that can be used for scanning devices—preferably in a sandbox mode with a full suite of scanning tools installed.

Other Threats that Leverage USB and USB-C Ports

While the name seems a bit silly, “juice jacking” is no laughing matter. Juice jacking happens when malware is transmitted, or data is stolen from a device such as a laptop or mobile phone, while it’s being charged using a public USB charging station. Yes, that means plugging your iPhone into one of those jacks at the airport in a last-ditch attempt to keep your battery charged. Cybercriminals can load malware onto these public USB charging stations, and turn a quick charging stop into an opportunity for hackers to lock your device or export personal data and passwords.

How do you avoid juice jacking, minimize the risks of charging your phone in public, and prevent data theft at public charging stations? Again, the answers to USB charging station security are rooted in simple awareness. You can prevent juice jacking by:

• Carrying your own charging cables and adapters and searching out wall outlets instead of public USB charging stations is a surefire way to avoid public charging station risks.
• Using a portable charger or power bank to recharge your devices on the go.
• Using a USB data blocker or “charge only” cable that enables secure mobile charging without exposing your data can prevent a data breach while charging.
• Regularly updating your device's operating system and security software. Some updates include fixes for vulnerabilities that could be exploited during juice jacking, helping protect you from charging station malware.
• If you plug your device into a USB port and a prompt appears asking you to select "share data" or “trust this computer” or “charge only,” always select “charge only” as safe phone charging practice.

For businesses, establishing corporate policies that advise employees on secure mobile charging best practices, stress public USB port safety, and offer preventative measures to avoid juice jacking are key. Those policies should also address the ways public Wi-Fi___33 networks are used since those are another common opening for cybercriminals targeting remote or traveling employees. While we are all guilty of hopping on Wi-Fi, using public networks is a risky proposition when it comes to mobile device security. Be watchful for “open” networks, which typically warn you that your data may be exposed. If possible, leverage a secure connection, such as a password-protected hot spot you carry with you or establish on your mobile phone.

Additionally, organizations with remote employees or those who travel often should consider adopting a Zero Trust Security Model as a recommended step for data protection. A combination of internal communications, employee training, and a general heightened awareness of risk from the C-level down creates a culture where trust is never assumed, and verification is required from anyone trying to access resources. Advanced endpoint protection can play a crucial role in enforcing zero-trust policies, bolstered by clear, well-documented policies.

While all this can seem overwhelming, just remember to treat your USB or USB-C port as a gateway to your entire organization’s IT network. With a little common sense and these simple tips, keeping your mobile device safe isn’t as difficult as it sounds.