5 Reasons You Should Never Trust USB devices & the One Reason They All Don’t Matter

By Jessica Stanford. January 21, 2019

Go ahead – plug that USB device into your machine!

Organizations – especially large enterprises – often have restrictions in place against using USBs. Their risks have been documented for years. This thread from 5 years ago talks about the risks of using USB over other media like CDs! The threats still prevail for USB devices today…and we no longer have CDs to mitigate those risks. So why can’t we trust USB devices?

1. Attackers love them

It’s a low-cost attack technique. Sure, it’s hardware, so it costs more than phishing, the most common method to breach the perimeter, but it’s still fairly cheap to acquire and the cost of a USB device continues to drop as they become more and more commoditized. A cheap 4GB thumb drive is just under 50 cents on eBay these days.

2. Easy to use

I’m no cyberattacker, but even I could figure out how to load malware onto a USB drive and get it into the hands of someone who would plug it into their machine.

3. They Work

People inherently want to make their lives easier and if that means plugging in a USB device to transfer a file, then they will do it. Attackers know this so they pre-load USB devices with malware and purposely scatter them in parking lots. Someone will inevitably pick one up and plug it into their machine. No matter how much cybersecurity education we do, the user is still our weakest link.

4. They’re Happening

You might be reading this thinking “this is old news – we all know that USB devices are risky which is why nobody uses them anymore”. It’s not old news though! Just last year Heathrow airport fell victim to a data breach caused by a USB stick.

5. Organizational policies don’t work

People always find workarounds and break corporate policy – especially when they aren’t enforceable.

It’s true – USB devices are still scary business. But as I said, it doesn’t matter. Why? Isolation.

With an isolation platform in place, you no longer have to make the binary decision to block or allow all USB devices. Isolation enables a secure-by-design architecture, so you can permit all USB devices, but dictate which isolated environment each specific type of USB is permitted to access. This ensures that “risky” USB devices cannot gain access to an environment with sensitive assets.

About the Author

As Global VP of Marketing, Jessica brings more than a decade of experience to Hysolate. With her in-depth product knowledge, market expertise and passion for cybersecurity, she has a long track record of driving strategic and revenue growth, leading product launches such as RSA’s Authentication Manager and CyberArk’s Privileged Threat Analytics. Most recently, she served as Director of Product Marketing at Cybereason where she was responsible for the full portfolio of product and service offerings. A proud buckeye, Jessica earned her BSBA from The Ohio State University and her MBA from Brandeis University.

Share this article: