This advice has been collated by EMSOU and is intended for wider distribution within the East Midlands Region to raise awareness among businesses and the public.
Advice and information is changing daily as we navigate our way through the COVID- 19 pandemic, so please ensure you only take information from reputable sources. If you require any further information, assistance or guidance please contact the EMSOU Protect Team or your local Force protect team. Portable media has been around for decades, and most organisations are still using them in some capacity to store data. In this blog, we’ll be discussing some of the ways you can protect your portable devices from cyberattacks, from USB drives to mobile phones.
In 1986 IBM introduced the 3.5-inch floppy disk with 1.44 megabytes of storage space. A big step forward over its predecessor, the flimsy 5.25-inch floppy. Fast forward 20 years or so and we have USB thumb drives that can hold over 350 thousand times more data.
USB drives are small, inexpensive, portable and have massive storage capacity. Small wonder they are immensely popular with IT workers to store and transport files from one device to another. Unfortunately, these same characteristics make USB drives appealing to attackers.
Nor is it just thumb drives that poses significant risks to an organisation, SD cards, portable hard drives and mobile phones plugged in by employees can also cause harm.
The Dangers of Portable Media
· Data Loss: Portable media is designed to be small and compact and is easily lost or stolen. A commonly encountered problem that organisations face.
· Sources of Infection: USB products can be plugged into a device and automatically load malware such as viruses, key loggers, ransomware, rootkits, Trojans and backdoor access.
These drives can be left in public spaces, where they will be picked up and used by the unwary or plugged into unprotected workstations. In an experiment, researchers from the University of Illinois left nearly 300 unmarked USB flash drives around the University campus; half of these were plugged into a host device.
Attackers have also targeted large manufacturing companies and supply chains to infect new products that are then distributed to customers.
· Data Exfiltration: When attackers physically access a computer system, they can download sensitive data directly onto the storage device. When turned off, a computer's memory is still active for several minutes without power. If an attacker plugs a USB drive in, during that time, they can quickly reboot the system from the USB and copy the computer's memory - including passwords, encryption keys, and other sensitive data. Victims may not even realize that their computers were attacked.
How to mitigate the problem of removable storage
· Use Anti-Virus: To automatically scan external storage devices for harmful malware before use. Keep anti-virus software updated to identify and sanitise the latest threats.
· Disable auto-run: To prevent malicious code on an infected item from opening and running automatically.
· Allow only pre-approved USB drives: Purchase from secure vendors and do not permit any others to be plugged into the work environment.
· Use mobile charging stations: Discourage staff from charging mobile phones at company workstations. Who knows what is being synchronised or downloaded?
· Encrypt Storage: Some of the more secure versions of encrypted USB drives will also erase data when an incorrect password is entered multiple times. AES encryption is widely considered unbreakable.
· Training: Staff should identify sensitive data and avoid storing such information on portable media. It is also important to train staff to recognise how users are socially engineered to plug in such devices.
The most sophisticated thumb drives are designed to look like and act like any other input device such as a keyboard or mouse. In these circumstances, anti-virus software and disabling auto run will still struggle to detect malicious behaviour.
Organised criminals are exploiting loneliness during lockdown to target isolated victims that use online sites to befriend others and look for romantic interests. BBC researchers have discovered that in one region, romance scam victims were groomed, then tricked out of an average of £47,000.
Romance Fraud is already one of the top five most commonly reported scams to Action Fraud. It cost the UK £27 million last year, according to the latest stats from the City of London Police’s National Fraud Intelligence Bureau (NFIB) and Get Safe Online.
A new phishing campaign is targeting Microsoft email account holders. These emails purport to be from a Senior Director who claims that “to stop the spread of the COVID-19 pandemic”, the recipient’s email address was selected to receive the “Microsoft Coronavirus Relief Fund” (MCRF). Recipients are asked to open a potentially malicious JPEG file.
Please report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to firstname.lastname@example.org. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).