1.6 Threat vectors & attack surfaces
📘CompTIA Security+ SY0-701
🔹 1. What is a Threat Vector?
A threat vector is the path or method that an attacker uses to gain access to a computer system, network, or data.
So, a removable media threat vector means the attacker uses portable storage devices to deliver malware, steal data, or bypass security controls.
🔹 2. What is Removable Media?
Removable media refers to portable storage devices that can be connected and disconnected from computers or other systems.
Common types include:
- USB flash drives
- External hard drives
- SD cards
- CDs and DVDs
- Portable SSDs
- Smartphones (used in storage mode)
These devices are often used in IT environments to transfer data, install software, update firmware, or back up files.
🔹 3. Why Removable Media Can Be Dangerous
Removable media can introduce or spread threats because they:
- Can store and carry malware from one system to another.
- Often bypass network security controls (since they connect directly to devices).
- Are difficult to monitor and easy to lose.
- Can be intentionally or accidentally infected.
- Provide a physical access route into otherwise isolated or secure networks.
🔹 4. Common Threats Through Removable Media
Let’s look at the main types of risks that can come from removable media in an IT environment:
1. Malware Infections
- A USB drive may contain malicious software (like viruses, ransomware, or worms).
- When plugged into a workstation or server, the malware can execute and infect the system: automatically where AutoRun is enabled, or when a user opens an infected file.
- Example in IT: An employee uses a personal USB at work to move files, but it carries malware from a home computer.
2. Data Exfiltration (Data Theft)
- Attackers or insiders can use removable media to copy and remove sensitive data from a secure network.
- Example: A contractor copies configuration files, customer records, or source code onto an external hard drive and leaves the building.
3. Unauthorized Access or Privilege Escalation
- Some removable media contain scripts or tools that run commands automatically; for example, “USB Rubber Ducky” type devices present themselves to the operating system as a keyboard and type pre-programmed keystrokes.
- These can execute commands to steal credentials or install backdoors when plugged into a system, and because they are not mass-storage devices, a control that only blocks USB storage does not stop them.
4. AutoRun/AutoPlay Exploits
- Some older operating systems automatically execute programs on removable devices (AutoRun feature).
- Attackers exploit this to launch malicious code as soon as the device is inserted.
5. Data Corruption
- Using infected or incompatible removable media can damage system files or corrupt data stored on servers or endpoints.
6. Physical Loss or Theft
- Removable drives are small and easy to lose.
- If they contain unencrypted sensitive data, it can lead to data breaches if found or stolen.
🔹 5. Attack Scenarios in IT Environments
Here’s how removable media threats appear in real IT situations:
- A system administrator plugs in a vendor’s USB to install a driver, unknowingly infecting multiple servers.
- An employee copies HR data to a USB for “work from home,” but loses it, exposing personal employee details.
- A malicious actor drops infected USB drives in an office area, hoping someone will plug one in (known as baiting).
🔹 6. Security Controls to Protect Against Removable Media Threats
Organizations can reduce these risks by applying technical and administrative controls:
🛡️ Technical Controls:
- Disable USB ports or storage access
  - Use Group Policy Objects (GPO) or endpoint management tools to disable USB mass storage.
- Device control software
  - Use tools that monitor, block, or control removable media usage.
- Endpoint Detection and Response (EDR)
  - Detects and blocks suspicious file transfers or program execution from USB devices.
- AutoRun/AutoPlay disabled
  - Prevents automatic execution of programs from removable drives.
- Encryption
  - Encrypt data on removable devices to protect confidentiality if they are lost or stolen.
- Anti-malware scanning
  - Automatically scan removable drives before allowing access.
- Network isolation
  - Prevent removable devices from connecting to critical systems or servers.
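As an added example that is not part of the original notes, the PowerShell script below audits two of the technical controls above on a Windows host, USB mass storage disabled and AutoRun disabled, by reading the registry values the matching Group Policy settings write, and applies them when run with `-Enforce`. The expected values are Microsoft's documented ones; the function and parameter names are my own.

```powershell
<#
  Added example (not from the original notes): audit, and optionally enforce, two
  removable-media controls from Section 6 on a Windows host. Run elevated; the
  registry locations are the ones the matching Group Policy settings write.
#>
param([switch]$Enforce)

# Each control: registry path, value name, the value that means "disabled", and a label.
$controls = @(
    @{ Label = 'USB mass storage driver (USBSTOR) disabled'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name  = 'Start'
       Want  = 4 },    # 4 = SERVICE_DISABLED; the default 3 (on demand) allows USB storage
    @{ Label = 'AutoRun disabled for all drive types'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name  = 'NoDriveTypeAutoRun'
       Want  = 0xFF }  # 0xFF = bitmask covering every drive type
)

function Test-RemovableMediaControl {
    param([hashtable]$Control)
    $current = $null
    if (Test-Path $Control.Path) {
        $item = Get-ItemProperty -Path $Control.Path -Name $Control.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.($Control.Name) }
    }
    [pscustomobject]@{
        Control   = $Control.Label
        Current   = $current
        Expected  = $Control.Want
        Compliant = ($current -eq $Control.Want)
    }
}

function Set-RemovableMediaControl {
    param([hashtable]$Control)
    if (-not (Test-Path $Control.Path)) { New-Item -Path $Control.Path -Force | Out-Null }
    New-ItemProperty -Path $Control.Path -Name $Control.Name -PropertyType DWord `
        -Value $Control.Want -Force | Out-Null
}

$results = foreach ($c in $controls) {
    $r = Test-RemovableMediaControl -Control $c
    if ($Enforce -and -not $r.Compliant) {
        Set-RemovableMediaControl -Control $c
        $r = Test-RemovableMediaControl -Control $c   # re-read to confirm the change took
    }
    $r
}
$results | Format-Table -AutoSize
```

Setting USBSTOR to 4 only blocks USB mass-storage class devices; a keystroke-injecting device that enumerates as a keyboard is unaffected, which is why device-control software and EDR remain necessary alongside this setting. Devices already connected keep working until they are unplugged and reconnected.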
🧭 Administrative Controls:
- Policies and Procedures
  - Create and enforce removable media policies (e.g., only authorized devices allowed).
- User Training
  - Educate employees not to use unknown or personal USB drives on corporate systems.
- Access Control
  - Allow only certain users or departments to use removable media.
- Incident Response Plan
  - Define procedures to follow if removable media is lost or found to be infected.
🔹 7. Best Practices (Exam Tips)
To remember for the Security+ exam:
- Always disable AutoRun to prevent automatic malware execution.
- Use device encryption (BitLocker To Go, for example) to protect data.
- Implement DLP (Data Loss Prevention) to monitor and block sensitive data from being copied to external drives.
- Restrict use of removable media on critical systems (e.g., servers, SCADA, OT systems).
- Regularly scan all removable drives with antivirus or EDR tools.
- Keep software patched to avoid exploitation through removable device drivers.
🔹 8. How This Fits into “Attack Surface”
Every system has an attack surface — the sum of all the points at which an attacker could try to get in or get data out.
When removable media are allowed, they increase the attack surface because:
- Each USB port or removable connection point is a new entry point for attackers.
- They provide physical access routes that bypass network security controls.
Reducing or controlling removable media usage helps minimize the attack surface.
✅ Summary (Key Takeaways for Exam)
| Concept | Description |
|---|---|
| Removable Media | Portable storage devices that connect to systems (USBs, SD cards, etc.) |
| Threat Vector | Method of attack using removable devices to infect or steal data |
| Main Risks | Malware, data theft, loss/theft of device, unauthorized access |
| Prevention | Disable USB, use encryption, scan devices, enforce policies, train users |
| Exam Tip | Disable AutoRun, use DLP, and apply least privilege for removable media use |
