USB flash drive with the word "virus" inside
Image from Katsapura via Thinkstock.com

Security awareness training is a never-ending duty for infosec teams, although some CSOs despair that the message doesn’t always get through. But it’s one of the weapons IT has to deploy in a multi-faceted security strategy.

But along with ‘Be sure who’s sending that email to you. and ‘Don’t click on links so fast’ is another message: ‘Don’t touch USB keys that aren’t yours.’ That message was reinforced at this week’s Black Hat conference in Las Vegas with the publicity around a paper from Google researcher Elie Bursztein, whose team tested how gullible students are at the University of Illinois Urbana-Champaign campus.

Their paper — actually released in April but making headlines now because it was presented at Black Hat — described how 300 USB drives  were dropped around the campus to see how many would pick them up and plug in. The answer: 48 per cent. “They did so quickly,” Bursztein wrote: The first drive was connected in under six minutes.

This is disturbing because infected USB drives have been a proven attacker strategy. Casually dropping an infected USB drive in an office parking lot, company foyer, or even — if an hacker gets inside — on an office floor has worked, as well as mailing USB keys with supposedly promotional material.

In Google’s test some of the drives had no identification, some were labeled “exams” or “confidential”, others had door keys on a key ring or a return address label.

If opened the drives had a number of files. If a user clicked on any of the files they were asked if they wanted to answer a survey about why they plugged in the drive in exchange of a gift card. Sixty-two users (about 20 per cent) responded. Their motive, overwhelmingly, was noble — to return the drive to the owner (68 per cent). Only 18 per cent said they wanted to snoop at the contents.

Researchers also included various types of files (pictures, resumes) to see what students would open (and to give an idea of what attackers might think of as lures).

The bottom line here is employees have to be regularly reminded that USB drives are still a great way to spread malware in the enterprise. For CISOs who have the need, Bursztein writes, USB drives can be banned by denying users access to the Usbstor.inf file, or use killusb, a tool that instantly reboots computers when an unknown USB device (including a printer, mouse or camera) is connected.