Universal Serial Bus (USB) baiting is one of the most common ways in which computer hackers exploit vulnerabilities in secured computer systems. Hackers can place malicious software or malware on inexpensive and highly portable USB drives and then leave those drives in places where they might be found by members of the public or even employees of a specific company or organization. Companies can hire third-party vendors to test how likely that company's users are to plug in unknown USB drives. Third-party vendor solutions load USB drives with software that imitates malware and that is intended to “infect” computers used for company activities.
One limitation of this approach, however, is that the “malicious” software will also install and run on non-company (e.g., home) computers because the software cannot differentiate between company and non-company computers, leading to unintended collateral infections and potentially irate employees. Another key limitation is that the software cannot detect whether USB drives are simply plugged into a computer. In prior vendor solutions, one of the following two scenarios must happen for the USB drive to be detected: 1) the user manually executes the software on the USB drive; or 2) the user's computer is configured to enable Autoplay, a setting that automatically executes software on a USB drive when the USB drive is plugged into the computer.
Another limitation of prior vendor solutions is a requirement that the software be able to contact an application server at the time of software execution, i.e., when the USB drive is plugged in. If contact with the application server cannot be made, then the execution of the software on the USB drive cannot be detected.
The industry would benefit from a system and method wherein one can determine, without installing even imitation malware on the computer, whether an unauthorized USB drive is plugged into a computer and whether the user acts on the contents of that drive. It would also be beneficial to have a solution that can differentiate between company/organization computers of concern and private computers that are not part of the test population.