At first glance, two recent security stories, the Stuxnet attack on Iran’s nuclear industry and the WikiLeaks breach of US State Department communications, don’t seem to have much in common, but they do. They are united by a vector, a method of transmission, and that vector is removable media.
I am sure that the Iranians felt pretty secure with air-gapped systems, but like a spark from the burning house next door that finds its way into your shingles, the right USB found its way into the right PC, and then suddenly all those uranium enrichment centrifuges running at 807-1210 Hz started to act funny and fail in unexpected and reportedly fairly energetic ways (you can see some pics of failed centrifuges here http://web.mit.edu/charliew/www/centrifuge.html and here http://www.chem.purdue.edu/chemsafety/NewsAndStories/CentrifugeDamages.htm).
In the case of the State Department, Paul Roberts writes here http://threatpost.com/en_us/blogs/wikileaks-cablegate-time-blame-victim-120310 that the weapon used by Bradley Manning to bring years of pain and grief to US foreign policy and diplomatic efforts was a writable CD with a Lady Gaga label on it.
I have long held that while an organization must be aware of and prepare for the threat of an outside evil hacker figure violating a server with a SQL Injection (more on this here http://st-curriculum.oracle.com/tutorial/SQLInjection/index.htm) or some other exploit and getting past the hard outer shell to the soft chewy goodness inside, it needs to be even more cognizant of the threat posed by disgruntled or compromised insiders.
So, has disabling removable media gotten any higher on anyone’s to-do list?
Taken from Cisco Security System.