The way we save, store, and access files has changed significantly over the last 20 years, with the rise of the cloud encompassing all of us.
From storing your important documents on cloud servers operated by the likes of Apple, Dropbox, or Amazon, to watching movies on streaming services rather than through DVDs or VHS tapes, there has been a significant shift from physical, removable media to intangible media.
With that shift, we’ve also seen the focus of attention move away from the safety risks of removable media toward the perils of cloud storage. Almost all organizations worldwide have reported a data breach in the cloud in the last 12 months, according to stats compiled about the risks of the medium – but just because the focus is now on the cloud, it doesn’t mean that removable media is secure.
Hardware devices that store files and data that can be plugged into and removed from laptops and desktops – such as USB sticks or disc-based media – have their own risks, which come in several forms.
Plug and play (and lose)
One of the main issues is not hackers infiltrating a system and managing to lock up or delete important files. Instead, it is the person possessing the removable media misplacing their device – and losing all the files as a result. Mishandled media can be a security nightmare, especially for those operating in sensitive sectors. A USB stick that slips out of a jacket pocket may contain someone’s personal bank details or a multi-billion dollar organization’s secret business expansion plans for the next 10 years. As the experts at North Wales Management School say, “if removable media devices are used for work purposes and hold sensitive information, the results of a loss can be catastrophic.”
Another risk is connected to, but separate from, that of misplacing a physical device. We’ve all seen an abandoned memory stick lying on the floor of a room or placed on a desk next to a computer. Given their tiny size, they are easy to forget. Hackers capitalize on the intrigue such a find creates, using a form of social engineering called baiting.
Baiting involves leaving a device infected with malware on show, in the hope that someone will be intrigued enough to pick it up and plug it into their own computer. If this is not done in a controlled security environment, any files on the device can autorun and execute their payload on the victim’s computer without them knowing. Baiting attacks often involve leaving malware that tracks traffic flowing into and out of a device, sniffing the contents of the packets – including private data.
Baiting and benefitting
Baiting attacks are some of the most damaging, precisely because of the impact they can have. The 2010 Stuxnet worm, which took nuclear reactors offline in Iran, was seeded through a baiting attack, showing the real risk that removable physical media can pose to a computer system, never mind an individual user. Similar methods include pre-loading free USB dongles given away at conferences with similar malware – and there are also risks in buying any removable media from a non-reputable supplier.
Mitigating these risks is a significant challenge. But it is possible. It’s worth remembering that years before the rise of cloud security, we managed to ward off the majority of attacks launched using physical media with no problems. Part of the issue is that we’ve got out of practice as cloud storage dominates.
It’s therefore vital to relearn some of the best practices for handling the safety risks of removable media. An easy way to avoid the risks of physical media is to avoid physical media altogether: IBM reportedly stopped allowing staff to use USB sticks in 2018, a decision that was called brave by some and foolhardy by others because of the business impact it would have. IBM, for its part, said it was a logical response to “an increasingly complex threat environment.” A less drastic alternative is to limit read-write access to removable drives, which not only prevents malware from getting onto a system, but also prevents an associated risk: people being able to easily remove restricted files for their own use offline.
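One way to check that such a restriction is actually in force on a Linux machine, as an added example that is not part of the original article: the script below reads a mount table and reports removable drives that are mounted writable or that still allow programs to run from them. The required option set, the function names and the sample data are assumptions made for this illustration.

```python
"""Audit mount options on removable drives (added example, assumed policy)."""
from pathlib import Path

# Assumed policy, not from the article: removable media must be mounted
# read-only and must not be able to run programs or expose device nodes.
REQUIRED = ("ro", "noexec", "nosuid", "nodev")

# Constructed sample in /proc/mounts format.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /media/alice/USB vfat rw,nosuid,nodev,relatime 0 0
/dev/sdc1 /media/alice/KIOSK vfat ro,nosuid,nodev,noexec,relatime 0 0
/dev/sr0 /media/cdrom iso9660 ro,relatime 0 0
"""
# Constructed stand-in for /sys/block/<disk>/removable ("1" = removable).
SAMPLE_REMOVABLE = {"sda": "0", "sdb": "1", "sdc": "1", "sr0": "1"}


def parent_disk(device, disks):
    """Return the disk a node belongs to (/dev/sdb1 -> sdb), or None."""
    name = device.rsplit("/", 1)[-1]
    matches = [d for d in disks if name.startswith(d)]
    return max(matches, key=len) if matches else None


def audit(mounts_text, removable):
    """List (device, mountpoint, missing_options) for removable mounts."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("/dev/"):
            continue  # skip pseudo filesystems and malformed lines
        device, mountpoint, _fstype, options = fields[:4]
        disk = parent_disk(device, removable)
        if disk is None or removable[disk].strip() != "1":
            continue  # fixed disk, or unknown to sysfs
        missing = [o for o in REQUIRED if o not in options.split(",")]
        if missing:
            findings.append((device, mountpoint, missing))
    return findings


def read_live():
    """Collect the same two inputs from a running Linux host."""
    flags = {p.parent.name: p.read_text() for p in Path("/sys/block").glob("*/removable")}
    return Path("/proc/mounts").read_text(), flags


if __name__ == "__main__":
    for device, mountpoint, missing in audit(SAMPLE_MOUNTS, SAMPLE_REMOVABLE):
        print(f"{device} on {mountpoint}: missing {','.join(missing)}")
```

On a real host, pass the result of read_live() to audit() instead of the samples. Some external USB hard disks report 0 in the sysfs removable flag, so treat an empty result as a prompt to confirm how those devices are classified rather than as proof of compliance.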