By Richard Kanadjian
“BadUSB is a class of malware used by hackers worldwide who are determined to create as much havoc in as many lives as they can...BadUSB resides in a USB flash drive that has been programmed to go rogue and do some very bad, destructive things.”
BadUSB: hardware-encrypted USB drives. This type of drive uses premium encryption controllers and incorporates many security features. As a result, hardware-encrypted USB drives prevent BadUSB from occurring, as well as a multitude of other problems.
At the factory, when the firmware is loaded on hardware-encrypted drives, it is digitally signed and loaded. This means that when these encrypted USBs are plugged in, the encryption controller first checks the integrity of the firmware through the digital signature and only loads it if it passes. Any attempt to replace the firmware will stop the drive and render it non-functional, eliminating any threat.
Yes, hardware-encrypted drives are more expensive than standard USB drives—as well as, God forbid, the freebies handed out at trade shows. But, they earn their keep. The reduction and elimination of risks offered by such drives make the payback cycle very short. Plus, the peace of mind that comes from knowing you are protected from being hacked and suffering the associated legal and public relations costs is priceless.
Non-Technical Ways to Prevent BadUSB
Along with the use of hardware-encrypted USB drives, there are several other ways colleges and universities can prevent a BadUSB hit, although they are highly untechnical means. One is to outlaw anyone connected to or doing business with the school from using USB drives all together. The other is taking the extreme measure of epoxying the USB sockets on all their systems on campus or at satellite sites. Needless to say, either measure is a tad draconian and presents problems of its own.
Schools that have tried either method have run into a major problem: Some of their students and staff simply need to carry data on USB drives. For example, students working on
projects, research or other papers who need access to their data, etc., will put it on a USB drive at various locations. Another problem is outside faculty members and contractors, who need data to work on but have restricted or no access to the school's databases. Another possible problem is school recruiters going out and making presentations at various locations and finding it easier to put everything on a USB drive.
How Does BadUSB Affect My Campus?
As to how BadUSB affects you, that all depends on the designers' motives. One particular vulnerability all educational institutions face is the issue of securing Personal Identifiable Information (PII), which can be found in many departments around campus, including admissions, financial aid, human resources, the health center and others.
Personal Identifiable Information in educational settings is protected by the Family Educational Rights and Privacy Act (FERPA). It covers direct identifiers, such as a student's name, identification number, address and social security number; as well as indirect identifiers, such as a student's date of birth; or other information which can be used to distinguish or trace an individual's identity either directly or indirectly through linkages with other information.
FERPA is just one of many regulatory and compliance initiatives introduced worldwide and requires adherents to encrypt and protect personally identifiable data. Several others that you may be familiar with include HIPAA in health care, GDPR in the European Union and CCPA in the state of California. Compliance organizations have multiplied exponentially over the last several years, as these regulations and their associated fines and legal-award risks have skyrocketed.
MARCH/APRIL 2022 | campuslifesecurity.com 15
Hrecheniuk Oleksii/Shutterstock.com