USB Switchblade Malware and Data Theft

Welcome to the FileSure Defend 2.5 Data Loss Prevention Blog series.

Data Loss Type #2: USB Switchblade Malware and Data Theft

One common way for someone who has physical access to the target computers is to use a ‘USB Switchblade’ (http://www.hak5.org/w/index.php/USB_Switchblade) attack. This method uses the Windows AutoRun feature to runs a program that silently infects the computer and steals data in the by running as a background task (this same attack works with CD/DVD drives.)

Example: Recently the US Department of Defense disclosed that they were attached by a USB Switchblade attack :

http://www.washingtonpost.com/wp-dyn/content/article/2010/08/24/AR2010082406528.html

Who is taking data: Since this attack is often designed with a certain computers/networks in mind, it can be custom built and will go undetected by virus scanners. This is usually a thief with an inside connection, and is a malicious removal.

What doesn’t (always) work: Some companies turn off the Autorun feature via Group Policy, and some others take a more drastic approach of disabling USB drives altogether. But in both cases, a savvy person with access to the machine can just re-enable them.

How we do it: By using FileSure Defend, you just block reading of executable code from removable drives and CD/DVDs and you’re done.

Specifically, how to do it: Here is a rule being defined in FileSure Defend, blocking reading of program files, batch files, script files, (anything that could be malicious code) from any removable drive and applying the rule to all users.

Of course, you could choose specific files, things in a certain folder, different users or groups, times of day, or more to pinpoint exactly what you are trying to accomplish with the USB write block.

Whatever choice of security you choose, FileSure records the activity, can alert on it, reports on it and archives it centrally forever in an encrypted data store.

Be sure to check out Data Loss Type #2: USB Switchblade Malware and Data Theft

New blog series: How FileSure Defend 2.5 handles data loss prevention.

Data Loss Type #1: File Removal via USB device

Ah, the ubiquitous USB Drive. Everything from a phone to an MP3 player can be used as a portable hard drive; all of which can be used to steal sensitive data, or introduce data you don’t want (see the #2 blog in this series for information on switchblade attacks, or keeping malicious code from being introduced via a USB device with FileSure Defend).

Example: This could be a disgruntled employee stealing trade secrets onto a pen drive, or it could be a legitimate sync of files onto a mobile device by an executive.

Who is taking data: Most likely an authorized user. Not always malicious intent: someone might want to take the sales list to work at home, not realizing the security breach that imposes.

What doesn’t (always) work: There are several solutions on the market; some options are even built right into Windows. For most people, the complete lock down of USB drives isn’t very attractive since USB drives are so useful. This opened up a space for other USB theft products, ranging from ‘Endpoint management’ products that report on what USB devices are being used to ‘White-list’ based systems where you define a list of ‘Allowed USB devices’ and some that combine both techniques. The thing is . . . it doesn’t matter what the device is, it matters what files are vulnerable.

How we do it: FileSure starts with the files. You can determine what files you don’t ever want leaving and block those from being copied TO a USB drive, period (while still leaving them otherwise available to authorized users). Or you can record or block all USB copies. You can see or block any files coming in to your environment FROM a USB drive. FileSure can also block against the powerful USB Switchblade attack where malicious data comes from the USB drive onto the computer (see the next blog entry for how to block infection via USB).

Specifically, how to do it: Here is a screenshot defining a rule that blocks the writing of Microsoft Excel files to a removable drive using FileSure Defend. All we do is block files with the extensions XLS and XLSX from being created or written to on a removable drive, and we apply it to all users.

Of course, you could choose specific files, things in a certain folder, different users or groups, times of day, or more to pinpoint exactly what you are trying to accomplish with the USB write block.

Whatever choice of security you choose, FileSure records the activity, can alert on it, reports on it and archives it centrally forever in an encrypted data store.

Be sure to check out Data Loss Type #2: USB Switchblade Malware and Data Theft