Thanks to the innocuous nature of removable media, the road to a major cyber attack can be paved with good intentions.
George, an employee at AcmeCo, finds a flash drive on the floor of the office building on his way into work, and picks it up.
This flash drive occupies his mind as he begins his work. Eventually he decides he wants to find the flash drive's owner and plugs it into his computer.
He searches the files on the flash drive, only to find some pictures of people he doesn’t recognize and some strange text files. He unplugs the drive after a little while, and doesn’t think anything of it.
A couple of weeks later, AcmeCo’s production systems are locked by a ransomware attack. Little did George know that his well-meaning actions were the way in for the attackers.
What makes removable media such an insidious threat?
What is Removable Media?
Removable media is any storage device that can be connected to and disconnected from a computer through its USB ports or other data ports: flash drives, external hard drives, memory cards and optical discs. Once connected, the device can read and write data on the computer and the computer can read and write data on the device.
Organizations commonly use removable media such as external hard drives and flash drives to share files between employees, store backups on an external device for disaster recovery, and more.
While this technology is obviously useful, it has a number of malicious applications too.
Rubber Duckies – the dark side of removable media
When you think about the term rubber ducky, you most likely think about the cheerful and harmless stark yellow duck toy that we’ve all seen.
Unfortunately, this could not be further from how the term is applied when it comes to removable media. A Rubber Ducky looks like an ordinary flash drive, but it is not a storage device at all: it is a small programmable board that identifies itself to the computer as a USB keyboard and carries a script in its firmware or on an internal memory card.
When a Rubber Ducky is plugged in, the operating system trusts it as it would any keyboard, and the script replays a prepared sequence of keystrokes: opening a Run dialog or command prompt, typing commands and pressing Enter. Because the payload arrives as keystrokes rather than as a file, there is nothing for a file scanner to inspect, and whatever it types runs with the privileges of whoever is logged in.
Most commonly, these rubber ducky USB devices are used to install malware, keyloggers or other malicious programs onto the connected system without the user knowing that anything happened. Since these scripts are customized to fit the objectives of the malicious actor, the actions of the device can vary greatly. Almost any sort of malware payload can be delivered with a rubber ducky!
Once on a single system, malware can attempt to spread itself throughout the network before starting the attack proper – which is what happened in George’s case.
Rubber Duckies are popular tools for penetration testing as well, since they let the tester deliver a scripted set of commands far faster than anyone could type them and observe how the environment responds.
In that setting, different scripts are loaded onto the device for different test objectives, and each script records what it finds so the tester has the evidence needed to document the vulnerability in the report.
Of course, a black hat hacker could do this to gather the same sort of data and more!
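Because a keystroke injector never shows up as a drive, the defender's signal is a keyboard that was not there before. The following PowerShell is an added example for this article, not a tool from the original post: it lists the keyboards Windows currently sees, flags any USB/HID keyboard whose vendor and product ID is not on an allowlist, and pulls the Kernel-PnP events that record when USB devices were configured. The approved IDs are constructed placeholders; replace them with the hardware your organization actually issues.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session on Windows 10/11. Detects a keystroke-injection device
# by looking for keyboards that are unexpected or recently configured.

# Approved keyboard vendor/product IDs. These two values are constructed
# placeholders for the example; take real ones from a known-good machine with
# Get-PnpDevice -Class Keyboard | Select-Object InstanceId
$ApprovedKeyboardIds = @('VID_1234&PID_5678', 'VID_ABCD&PID_0001')

function Get-UnexpectedKeyboard {
    # Every present Keyboard-class device whose instance ID carries a USB
    # VID/PID (PS/2 keyboards enumerate under ACPI and are skipped) and whose
    # VID/PID is not on the allowlist. A Rubber Ducky appears in this class as
    # a generic "HID Keyboard Device".
    param([string[]]$Approved = $ApprovedKeyboardIds)

    Get-PnpDevice -Class Keyboard -PresentOnly |
        Where-Object { $_.InstanceId -match 'VID_[0-9A-Fa-f]{4}&PID_[0-9A-Fa-f]{4}' } |
        Where-Object {
            $id = $_.InstanceId
            -not ($Approved | Where-Object { $id -match [regex]::Escape($_) })
        } |
        Select-Object Status, FriendlyName, InstanceId
}

function Get-RecentUsbDeviceInstall {
    # Event 400 in the Kernel-PnP/Configuration log is written each time a
    # device is configured; the first line of the message names the device
    # instance, which for USB devices includes VID_xxxx&PID_xxxx.
    param([int]$Hours = 24)

    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Kernel-PnP/Configuration'
            Id        = 400
            StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'USB\\VID_' } |
        Select-Object TimeCreated,
            @{ Name = 'Device'; Expression = { ($_.Message -split '\r?\n')[0] } }
}

Write-Host "Keyboards not on the allowlist:"
Get-UnexpectedKeyboard | Format-Table -AutoSize

Write-Host "USB devices configured in the last 24 hours:"
Get-RecentUsbDeviceInstall | Format-Table -AutoSize -Wrap
```

A second keyboard that appears for a few seconds and then disappears is exactly what a keystroke injector looks like in these events, so forwarding the Kernel-PnP log to a central collector gives you the trail even after the device has been unplugged. The allowlist check is only as good as the list: a device that presents an approved vendor and product ID will pass it.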
Removable media’s other data security threats
Removable media can be used in one of the most dangerous and hard-to-stop cyberattacks: a privileged insider attack.
When an employee uses a removable media device, they can copy files off the system or add files to it; both actions are useful day-to-day. However, files copied onto the device leave the organization's control, and it becomes easier for a malicious actor to do whatever they like with them.
If an employee gets fired from their position or becomes upset with their employer, any files on the removable media device are in their possession, and it is almost impossible to stop the ex-employee from doing whatever they want with the data.
These actions could entail the leaking of the documents or the sale of the documents to another competing organization or a malicious entity. Even if the company has an incident response plan or insider threat reporting procedures in place, this is a very difficult situation to recover from.
Furthermore, flash drives are small and easily stolen or lost. Unless the drive was encrypted, any information on it is then readable by whoever holds it and is exposed to the same risks as in the insider case. Again, once the data is outside the organization's boundaries it can no longer be controlled.
How can Removable Media be Managed?
There are two methods, best used together, for restricting and managing removable media.
Create a Removable Media Policy
The first method is to create a policy document that outlines the usage and restrictions of removable media that is interacting with organization controlled systems.
The document should define its scope (which kinds of removable media are covered), the purpose of restricting their use, and the processes that mitigate the risk if removable media is allowed on the network.
While this solution allows the organization and its employees to use removable media, the processes outlined in the documentation need to be reviewed and executed for the policy to be effective in mitigating the risks presented by removable media.
Create a Group Policy Object
The second method is technical: a Group Policy Object (GPO) configured by the sysadmin and applied to every domain-joined Windows computer, so that removable media cannot be used on the organization's systems regardless of what the user does.
Two policy families matter here. The Removable Storage Access settings deny read, write and execute access to removable disks, so files or scripts on a plugged-in drive can never be opened or run. The Device Installation Restrictions settings go further and let Windows install only devices whose hardware IDs are on an allowlist, refusing everything else. The second family is what stops a Rubber Ducky: because it presents itself as a keyboard rather than a disk, a storage-access policy alone never sees it.
While this solution is more restrictive than a written policy, it leaves far less room for error in the daily processes where removable media might be used.
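The settings above are stored as registry values under HKLM\SOFTWARE\Policies, which is what a GPO writes on each client. The PowerShell below is an added example for this article, not the organization's or the original author's configuration: it applies both policy families to a single host so they can be tested, reads the values back, and shows the cmdlet that sets the same value domain-wide. The approved hardware IDs are constructed placeholders and must be replaced with your own before the deny rule is enabled.

```powershell
# Added example (not from the original article). Run elevated on a test host.
# Device Installation Restrictions take effect for newly connected devices
# after a policy refresh ('gpupdate /force') or reboot.

# --- 1. Removable Storage Access --------------------------------------------
# GPO path: Computer Configuration > Administrative Templates > System >
# Removable Storage Access > "Removable Disks: Deny read/write/execute access".
# Blocks the files on a flash drive. Does NOT stop a keystroke injector,
# which enumerates as a keyboard and never presents a storage volume.
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
New-Item -Path $RemovableDisks -Force | Out-Null
foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
    Set-ItemProperty -Path $RemovableDisks -Name $name -Type DWord -Value 1
}

# --- 2. Device Installation Restrictions -----------------------------------
# GPO path: Computer Configuration > Administrative Templates > System >
# Device Installation > Device Installation Restrictions.
# Allow only listed hardware IDs, then deny every device not described by
# another setting, so an unknown "keyboard" is refused at enumeration time.
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
New-Item -Path "$Restrictions\AllowDeviceIDs" -Force | Out-Null

# Constructed placeholder hardware IDs for the example. Collect the real ones
# from a known-good machine before enabling DenyUnspecified, or newly
# connected approved keyboards and mice will be refused too.
$ApprovedHardwareIds = @(
    'USB\VID_1234&PID_5678',   # placeholder: issued keyboard
    'USB\VID_ABCD&PID_0001'    # placeholder: issued mouse
)
$index = 1
foreach ($hwid in $ApprovedHardwareIds) {
    # The allowlist is a numbered set of string values: "1", "2", ...
    Set-ItemProperty -Path "$Restrictions\AllowDeviceIDs" -Name "$index" -Type String -Value $hwid
    $index++
}
Set-ItemProperty -Path $Restrictions -Name AllowDeviceIDs  -Type DWord -Value 1
# "Prevent installation of devices not described by other policy settings"
Set-ItemProperty -Path $Restrictions -Name DenyUnspecified -Type DWord -Value 1

# --- 3. Read back the effective values --------------------------------------
Get-ItemProperty -Path $RemovableDisks | Select-Object Deny_Read, Deny_Write, Deny_Execute
Get-ItemProperty -Path $Restrictions   | Select-Object AllowDeviceIDs, DenyUnspecified
Get-ItemProperty -Path "$Restrictions\AllowDeviceIDs" | Select-Object -Property * -ExcludeProperty PS*

# --- 4. Domain-wide equivalent ----------------------------------------------
# With the GroupPolicy RSAT module, the same value goes into a GPO named
# 'Removable Media Restrictions' (an assumed name) instead of the local registry:
# Set-GPRegistryValue -Name 'Removable Media Restrictions' `
#     -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' `
#     -ValueName Deny_Read -Type DWord -Value 1
```

Devices that were already installed before the restriction is applied keep working, which is why the allowlist should be built from an inventory first and the deny rule enabled last. Hardware-ID allowlisting raises the bar considerably, but a device that spoofs the vendor and product ID of an approved keyboard would pass it, so the written policy, physical controls and user awareness still matter alongside the GPO.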
A Prevented Attack
If AcmeCo had applied a group policy object restricting device installation to approved hardware, the ransomware attack could have been prevented.
George plugs the device into his computer to try and discover who the device belongs to, but the system doesn’t recognize the device. After trying a few more times, he gives up and turns the device into the reception desk.
The group policy object created by the internal IT team stopped Windows from installing the unrecognized device, so it never got the chance to type its payload into George's system.
The types of cyber attacks that can be delivered by a removable media device are very serious – ransomware attacks can cause hundreds of thousands or millions of dollars in damage.
If you run a quantitative risk assessment of the situation, it’s easy to see that a cheap and easy-to-implement control such as a removable media policy or group policy object would deliver a large return on its investment!