Welcome to ThatThirdPartyGuy.com – my website highlighting my journey in third party cyber-security.

Removable Storage Devices in Your Enterprise


24 May 2022

I frequently run into companies that do not block the use of USB or other storage devices by default in their enterprise, and I’m always surprised by that. I completely understand that some companies, such as law firms for example, might receive information via portable storage devices. Or salespeople might keep a copy of their super important presentation on a USB stick in case their laptop won’t work or can’t be attached to the client’s network.

I get it.  You may have a business need to use portable storage.

But given the risks associated with portable storage, I am surprised at how many companies just allow everyone to have access to portable storage devices without even questioning it.  They make it the rule rather than the exception. 

I had the conversation with a supplier on a business trip (before Covid lockdowns of course). They assured me that only the senior leadership team had that access. I explained to them the risks of getting malware installed and the risks of data exfiltration. I further explained that the risks were greatest with their leaders because their leaders are often targeted first. By the time my plane touched down at home, they had turned off that access and created an exception process!

But others still seem to favor convenience and politics over a good solid set of controls to prevent and reduce the attack surface. How dangerous is it?

Data Exfiltration

Data exfiltration is always a concern, but if the user has a good business case, it can be harder to protect against. DLP is a useful tool here, and must be installed on the device for cases where the device is offline. But if the user doesn’t have an immediate and demonstrable need to use removable storage, wouldn’t you sleep better knowing it’s prevented? I would.

Installation of Malware

The installation of malware via removable media, such as USB devices, is still a huge vector for malware infections. One report, the Proofpoint State of the Phish report (accessed May 2022) https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-uk-tr-state-of-the-phish-2022.pdf shows that 64% of companies that responded indicated USB-related attacks in 2022; that’s up from the 54% in 2020.

So how easy is it? Consider a recent malware strain, Raspberry Robin. Red Canary does a nice write-up here showing how this malware works (accessed May 2022): https://redcanary.com/blog/raspberry-robin/ The short version of one way that it works is that the attacker puts a malicious link disguised as a folder on the drive. That circumvents the autorun feature for those that feel turning it off is all that’s needed. Or for those that feel that data loss prevention is the only risk with removable storage devices. The user clicks on the folder to see what’s inside and the link connects to the command server, downloads all kinds of software including malware, and it’s game over.
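A defender-side check for the lure described above, added here as an example (it is not code from this post or from Red Canary) and assuming the "link" is a Windows shortcut (.lnk) file: it reads the fixed 76-byte Shell Link header of each file in a drive's top level and reports shortcuts, rating those that carry command-line arguments and a custom icon as high. The function names, the rating heuristic and the sample files are assumptions of this example.

```python
import struct
import tempfile
from pathlib import Path

# Shell Link (.lnk) header constants from the MS-SHLLINK format.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ARGUMENTS = 0x20      # shortcut passes command-line arguments to its target
HAS_ICON_LOCATION = 0x40  # shortcut overrides its icon (how it can look like a folder)


def inspect_lnk(data: bytes):
    """Return the LinkFlags of a valid Shell Link header, or None if not a .lnk."""
    if len(data) < HEADER_SIZE:
        return None
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    return flags if size == HEADER_SIZE and clsid == LINK_CLSID else None


def scan_volume_root(root):
    """Flag root-level shortcuts; arguments plus a custom icon rates 'high' (assumed heuristic)."""
    findings = []
    for entry in sorted(p for p in Path(root).iterdir() if p.is_file()):
        with entry.open("rb") as fh:
            flags = inspect_lnk(fh.read(HEADER_SIZE))
        if flags is None:
            continue  # not a shortcut, whatever its extension says
        risky = flags & HAS_ARGUMENTS and flags & HAS_ICON_LOCATION
        findings.append((entry.name, "high" if risky else "review"))
    return findings


def make_header(flags):
    """Build a constructed 76-byte Shell Link header for the demo below."""
    return struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags).ljust(HEADER_SIZE, b"\0")


def demo():
    """Scan a temp directory standing in for a USB drive (constructed sample files)."""
    with tempfile.TemporaryDirectory() as usb:
        Path(usb, "Reports.lnk").write_bytes(make_header(0x01 | HAS_ARGUMENTS | HAS_ICON_LOCATION))
        Path(usb, "Notes.lnk").write_bytes(make_header(0x01))
        Path(usb, "slides.pptx").write_bytes(b"PK\x03\x04 constructed placeholder")
        return scan_volume_root(usb)


if __name__ == "__main__":
    print(demo())
```

Because the check keys on the header rather than the file extension, a shortcut renamed to another extension is still reported.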

What can you do about it?  Recognize the threats with removable storage devices.  When you connect a removable storage device, you are at risk for at least the following items:

  1. Data exfiltration (insider threat)
  2. Malware installation
  3. Data interception if the device is misappropriated or otherwise falls into the wrong hands
  4. Data destruction / archival once end of life – it becomes very difficult to ensure proper destruction of data once that device leaves your physical control

Take steps to reduce or otherwise mitigate the threats.  From my perspective, making the default stance to remove the ability to connect a removable storage device is a baseline all organizations should consider and implement if at all possible.  And always educate users on safe handling and destruction of your company’s sensitive data.