Why Your Endpoints Need Device Control

The U in USB is more than appropriate: “Universal” pretty much describes both the range of devices that can be plugged in to the port and its prevalence. USB ports are all over your enterprise network, on virtually every workstation and notebook. But how dangerous is the USB port and how important is it that your security solution gives you visibility and control over what’s being sideloaded onto your network? Let’s take a look at the top five threats associated with the USB port.

1. Auto-run and Other Attacks

We’ve all heard of Stuxnet, the now-famous attack on air-gapped computers in an Iranian nuclear fuel enrichment plant that later leaked into the wild. Stuxnet leveraged the fact that peripheral devices will automatically display an icon on the Desktop, and combined that along with a zero-day vulnerability in Windows Shell to achieve remote code execution.

That’s a dramatic example of a whole class of vulnerabilities associated with auto-run, cold boot attacks and preset commands that take advantage of the way operating systems identify, enumerate, and interact with USB protocols and standards. Loading a maliciously-crafted file onto an ordinary flash drive can have devastating effects.

2. Rubber Ducky and Friends

Looks can be deceiving, and in this case not everything that looks like a simple data storage device is what it seems. Thumb drives may seem like passive data storage devices, but they are actually mini-computers. They contain a small onboard microcontroller unit with its own CPU, RAM and ROM. Essentially, these are used to manage the NAND flash storage, and for the thumb drive to identify itself to a host by reporting what kind of device it is. Those functions can be spoofed by other MCUs like Teensy and Rubber Ducky, housed inside a regular flash drive case. While the user thinks they’re inserting a storage device, the malicious peripheral can report itself as a keyboard or mouse and start sending automated keyboard strokes and clicks to control the host, traverse the file system or open applications.

3. Flashed Firmware

More difficult to pull off, but a number of researchers have demonstrated attacks that patch or replace the firmware of a regular USB device to carry out malicious attacks. These vary from injecting keyboard strokes to capturing network traffic via a reprogrammed USB-ethernet adapter. In one demonstration, researchers discussed how modifying a few bytes of firmware code could make a user think that data saved on the device was encrypted, when in fact the data could be accessed by any password.

4. Denial of Service

Disgruntled employees, fierce competitors or hacktivists “in it for the lulz” are just some of the people that could use your unguarded USB ports to destroy a laptop or workstation with USB.Killer. This malicious device sends repeated power surges to any machine it’s plugged in to. In most cases, this leads to fatal damage to the computer’s logic board.

5. Data Exfiltration

Most enterprise attacks are about making money and data theft, and the USB port is an ideal entry point for cyber thieves. From invisible partitions to simple copy and pasting, an unprotected USB port makes it easy for criminals to transfer confidential information without permission. Given the small size but high capacity of thumb drives, this could be anything from client databases and confidential emails to product specifications and just about any IP you possess. Even the NSA lost control of its assets when an employee copied APT hacking tools onto a flash drive and took it home!

Wrap It Up!

To protect against these threats it’s important that your security software implements device control and gives you the capability to manage the use of USB and other peripheral devices across your entire network. Together with SentinelOne Endpoint Firewall Control feature, Device Control provides what some considered the missing pieces to fully replace legacy antivirus (AV) solutions with its next-gen product. Like other features of the platform, these are delivered via SentinelOne’s single agent, single codebase, single console architecture. As SentinelOne’s worldwide deployment grows, we continue to focus on solving the problems our customers care about. Device Control is available starting with Eiffel/2.8 agents.

To see a demo of SentinelOne Device Control, visit our feature spotlight.