The secret to securing USB devices in the workplace

07 February 2019

Special feature from Charles Groves, Global Director of Business Development at CrowdStrike, JLT’s Cyber Consortium Partner.

Social engineering continues to be exploited by hackers and feared by security teams. Due to attackers’ subtlety and users’ natural curiosity, hackers succeed daily in baiting users to click on a link or answer a phishing email.

Baiting is a highly successful technique that relies on an organisation’s weakest security link: the end user. This type of attack is so effective that it is used in over half of all successful breach attempts today.


A favorite variant of baiting is the “USB” drop attack, which involves tricking a user into physically picking up a malware-loaded USB device and plugging it into an endpoint. This attack is particularly devastating because removable media can breach any network, from a university to the international space station.

The malicious reprogramming and dropping of a USB device can be accomplished in three ways:

  • Malicious Code: Attackers insert malicious code onto a USB and this code is auto-executed when a USB device is plugged in, or when a user clicks on a disguised malicious file once the device is inserted. The code can install anything from a worm to a remote access trojan, immediately infecting an endpoint and giving the attacker a beachhead for downloading additional malware.
  • Watering Holes: In addition to the social engineering methods used in the initial drop attack, opening a malicious HTML file on an infected USB can lead the victim to a watering hole site where they unknowingly enter personally identifiable information (PII).
  • Human Interface Device Spoofing: In a more sophisticated attack, the device itself is designed to look like a USB drive, but it behaves like an entirely different device, such as a USB keyboard, which can then be used to inject keystrokes that give an attacker remote access to an endpoint.

A recent study showed that a USB drop attack succeeds almost 50 per cent of the time — and gets past even security conscious users. The same study showed that 68 per cent of those who knowingly picked up a dropped USB failed to scan the device for malware — they simply plugged it in and accessed the device’s content.

 Sign up to our latest  news & insights Sign up to our latest  news & insights


Security teams are faced with a dilemma: how to safely enable USB devices, while reducing the risks they pose.

The traditional response has been to either ban all USB devices, or manage them with a device control solution that determines which devices can access an endpoint. Unfortunately, these solutions come up short. USB-related breaches have increased 8 per cent year over year and now account for almost one-third of all breaches.

Security teams have mainly relied on two types of device control solutions:

  • Standalone: Monolithic solutions offer strict control over USB devices, down to a single drive. However, because they are not integrated with other elements of security, they require additional time and effort to install and manage, and they lack the visibility and context required to verify that device control policies are adequate. To gain visibility into which devices are used in their environments, security teams must deploy additional security tools such as endpoint detection and response (EDR) solutions.
  • Endpoint Suites: Endpoint security vendors have typically developed and marketed “integrated” device control solutions as part of their endpoint security suites, but their solutions are often not truly integrated. These suites generally require a separate management console and additional agents (and a larger system footprint), and they offer limited device visibility. As a result, security teams have no context or understanding of the devices in their environment, and the solutions themselves consume valuable resources, especially during a USB device-related security incident.

Neither solution provides immediate visibility into which devices are in use and where, leaving security teams lacking the necessary knowledge to enforce and manage accurate USB device control policies. As a result, social engineers are thrilled because it leaves the door wide open for opportunistic baiting attacks.


It is imperative that you deploy a solution that can reduce the risk of baiting via USB drop attacks by providing visibility and granular control over USB devices. Most standalone endpoint suite offerings are simply not enough to fully understand and see which devices are in use and where. Throughout their environment, we recommend deploying an endpoint solution with top tier EDR that specialises in the capabilities included.

The core capabilities you should look for include:

  • Visibility: The ability to see everything in the environment in order to make informed security decisions.
  • Granular control: Visibility prompts action — the ability to define policies and enforce them, both online and off, down to the specific device.
  • Cloud-native architecture: A cloud based solution will help security teams identify all relevant USB device information in one place, enabling swift, effective action. Armed with these capabilities, security teams can effectively address USB device risks, including the dreaded USB drop attack.

Download Cyber Decoder

For more information, please contact Shannon Groeber, Senior Vice President, Cyber / Errors & Omissions Practice on 215.309.4495.