When it comes to cybersecurity, it’s no secret that the human aspect of any organization is its weakest link. From bad password sharing practices to falling victim to phishing emails, these challenges are any CISO’s nightmare. After all, the holes in network security that are created by the people on the front line of an enterprise can’t be plugged with a simple software patch. And despite efforts to train staff, employees are still the easiest route for a hacker to exploit. Particularly when it comes to USB-based security.
Shut the back door
In 2016, researchers from the University of Illinois left 300 unlabelled USB drives around the campus and tracked what happened next. 98% of the dropped drives were picked up by staff and students alike, and at least half the drives were plugged into a computer to access the files stored on them – not bad odds if you’re a hacker. Although the study was conducted two years ago, its outcome is not unusual in 2018, and it points to a security backdoor that is still wide open for many networks around the world.
The reason is clear: practicality. There’s no doubt USB devices are one of the easiest ways to move files between machines. However, with the impact of suffering a cyber-attack so great, convenience can’t be a driver behind IT decision making. Especially not when cloud-based sharing platforms like Dropbox exist. Zero-Trust – which means no person or device is inherently trusted – is fast becoming the go-to security stance for enterprises as a result and is a strategy that has no place for USB devices.
So, with the use of flash drives being tackled in this way, can businesses do away with USB ports entirely? Not quite. USB ports serve many purposes beyond simply facilitating the use of storage devices. Before they can be completely disabled on end-user terminals and removed from the IT landscape in the interest of security, there are further challenges to overcome.
The software problem
One of the biggest factors preventing the phasing out of USB ports on employee machines comes from software vendors. From accountancy to law enforcement, high-value software applications have licenses that are tightly controlled and authenticated through USB dongles, plug-in physical authentication devices. With licenses often worth thousands of dollars each, it makes sense for vendors to take such a hard line, as hardware-level protection is still the most effective mechanism for tackling software piracy and misuse. Since these applications are in use across all industries and often power software that’s at the heart of modern business, this isn’t going to change any time soon.
In some cases, it’s also a necessity. Take state police or defence bodies as an example. They need to know who’s running certain forensic software and where it is accessed, which makes relying on a physical dongle a highly logical solution. The problem, though, is that an employee who relies on a USB dongle to access bespoke software for their role needs a working USB port on their machine, and that can often increase the risk of a malicious device being plugged in, which a would-be hacker can exploit.
The dongle server solution
However, this doesn’t necessarily mean that USB ports on end-user terminals and employee computers need to stay. Part of the responsibility of IT solution providers is to find a workaround for issues like this, ensuring customer systems remain secure without compromising on functionality. And this is where USB device servers come into play.
A device server acts as a central hub where all USB devices are managed. Rather than having each user plug a physical device into their own machine, it makes all connected USB devices available over the network. Dongle servers work on exactly the same principle: USB dongles for software authentication are plugged into a single centralised server, virtualised, and can be used by authorised users on the network as if they’d been connected directly to their computer.
They also meet the requirements of companies or organisations with high security needs. By encrypting the point-to-point connection between the end-user and the dongle server, the potential for unauthorised access is removed. More advanced dongle server vendors also make it possible to dynamically assign which user is authorised to access which dongle, ultimately controlling which computer is able to access the software.
Risk vs Reward
It’s widely accepted that hackers are getting more and more sophisticated. However, that doesn’t mean that they won’t go for low-level network infiltration attempts, such as baiting with USB flash drives, when the situation presents itself. Among the 10 major cyber threats identified in 2016 by BSI (German Office for Information Security), the use of USB devices ranks second.
Unfortunately, employees are always going to be the easy targets when it comes to enterprise security. It’s logical, then, that businesses seek to minimise the damage that can be inflicted as a result of employee carelessness. Something as simple as disabling USB ports can significantly reduce a company’s attack surface, and it is essential that vendors and enterprises work together to find solutions that lock hackers out of every security backdoor for good without impacting productivity.
The information is gathered from Information Security Buzz.