Removable media is an aspect of ISO 27001 that needs to be considered by all businesses. How much danger can removable media pose?
What needs to be considered around Removable Media?
First of all, removable media covers a wide array of types, such as discs and USB drives. These are easily obtained by bad actors and are often used in many businesses. With this in mind, a good place to start is asking yourself: do you need removable media? If not, a simple solution could be not allowing it to be used in the network in any form. Another aspect that needs considering is where data is stored: if a bad actor, or any other individual, gets access to an on-site machine, can they get to source code or customer details?
What could happen if this isn't addressed?
Access to staff and client information could be compromised, and installations of malicious software can also occur; this could be accidental or through illicit means. If a user manages to get access to the main network, they can install all forms of nefarious spyware or even disrupt sections of the network, allowing attacks further down the line. The result can be irreparable reputational damage, often followed by a fine. Leaving an area like this unsupervised or unreviewed enables bad actors.
Removable Media drops
In 2006, Dark Reading was hired to conduct what is commonly known as a USB drop: they dropped 20 USB drives with Trojans installed in the parking lot of a credit union. 15 were found by employees, and those employees plugged in all 15 within three days of the drop.
Overall, a good set of guidelines and training around areas like this is important to stay secure and up to date. Reviewing rules and training frequently is important, as individuals with malicious intent are always looking for a new way to get hold of data.