Page 163 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
If a USB stick with tampered firmware can be sent to the right people in a spear-phishing attempt,
alongside messaging or other communication of a convincing story that ensures the drive in question gets
used, criminals can easily gain a point of unfettered access to a network. The same attack, leveraging
badUSB, can now be delivered through a simple USB cable which, to the naked eye, looks like any other
cable.
How to spot and mitigate a bad USB in 2022
Unfortunately, because badUSB threats are Trojan-horsed inside what appear to be simple human interface
devices, they can be almost impossible to detect unless picked up by constant monitoring of the specific
endpoint. Unknown USB devices cannot be trusted - yet Apricorn's survey reveals that often, trust is
misplaced. This means that organisations increasingly need to ensure mitigation is already in place at all times.
Typically, this must be achieved without resorting to a blanket ban on USB-enabled devices, which are
ubiquitous and frequently vital today when it comes to moving and storing data, especially in a hybrid
working environment where some work from home, and others in the office.
The good news is, mitigations can be easily and affordably achieved by mandating the use of corporate-
standard USB devices with high-level encryption and firmware implemented in a way that makes it
impossible to modify for this exploit - right across the entire organisation.
The policy can then be enforced by locking down USB ports on employee machines to ensure they can
only accept an approved USB device.
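The port lock-down described above, as an added example that is not from the article or from Apricorn: a small policy evaluator that admits only drives on a corporate allowlist, and refuses even an allowlisted identity when the device also enumerates a keyboard (HID) interface, since vendor id, product id and serial are self-reported by the device. The ids and serials are constructed placeholders.

```python
from dataclasses import dataclass

# USB interface class codes from the USB-IF class code table.
HID_CLASS = 0x03           # keyboards, mice: what a badUSB device pretends to be
MASS_STORAGE_CLASS = 0x08  # what a plain flash drive enumerates as


@dataclass(frozen=True)
class UsbDevice:
    vid: int           # vendor id from the device descriptor
    pid: int           # product id from the device descriptor
    serial: str        # iSerialNumber string
    interfaces: tuple  # interface class codes the device enumerates

# Constructed allowlist of corporate-standard drives; placeholder values, in a
# real deployment these come from the procurement inventory.
APPROVED_DRIVES = {
    (0x1234, 0x5678, "CORP-DRIVE-0001"),
    (0x1234, 0x5678, "CORP-DRIVE-0002"),
}


def evaluate(dev: UsbDevice, approved=frozenset(APPROVED_DRIVES)) -> tuple:
    """Return ('allow' | 'block', reason) for one enumerated device."""
    classes = set(dev.interfaces)
    if (dev.vid, dev.pid, dev.serial) not in approved:
        return "block", "not an approved corporate drive"
    # vid/pid/serial are reported by the device itself and can be copied, so an
    # approved identity is only trusted when the device behaves like a drive.
    if HID_CLASS in classes:
        return "block", "approved drive identity but presents a HID (keyboard) interface"
    if classes != {MASS_STORAGE_CLASS}:
        extra = sorted(classes - {MASS_STORAGE_CLASS})
        return "block", "unexpected interface classes " + str(extra)
    return "allow", "approved corporate drive"


def audit(devices) -> list:
    """Evaluate a list of devices; returns [(serial, decision, reason), ...]."""
    return [(d.serial, *evaluate(d)) for d in devices]

# Constructed sample enumeration: one good drive, one unknown promotional stick,
# one badUSB device cloning an approved identity, and one unknown keyboard-only device.
SAMPLE_DEVICES = [
    UsbDevice(0x1234, 0x5678, "CORP-DRIVE-0001", (MASS_STORAGE_CLASS,)),
    UsbDevice(0x0ABC, 0x0DEF, "PROMO-STICK-42", (MASS_STORAGE_CLASS,)),
    UsbDevice(0x1234, 0x5678, "CORP-DRIVE-0002", (MASS_STORAGE_CLASS, HID_CLASS)),
    UsbDevice(0x0ABC, 0x0DEF, "CABLE-0000", (HID_CLASS,)),
]
```

Run `audit(SAMPLE_DEVICES)` to see one allow and three blocks with their reasons; on Linux, tools such as USBGuard apply this kind of attribute-based allowlist at the kernel level.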
Of course, such a policy will also cover off the need for a solid 3-2-1 backup strategy, which requires a
secure offline, off-site backup of all critical data along with a further copy on another medium or in the
cloud, for disaster recovery should the worst happen regardless.
Over half of the US and UK organisations we polled in late 2021 revealed that they had lost data due to
inadequate backup procedures.
Even government departments can fall prey to such oversight - luckily, our own investigation revealed
that many also encrypted their data - another key to threat mitigation overall. All data should be encrypted,
whether in transit or in storage, to ensure that even if information falls into the wrong hands, it cannot be
accessed.
Modern software-free, 256-bit AES XTS hardware-encrypted USB drives can therefore play a critical role
in covering off many critical security and privacy requirements, while maintaining fast, convenient access
for approved users at all times, wherever they are working.
Backed up with workforce-wide education - including at management level - about the threat, spelling out
the risks of using unsanctioned USB devices and the role employees must play in countering them, these
measures provide a strong, effective defence in most circumstances as part of a multi-layered security
strategy.