Security-awareness covers USB threats
Demonstrate that security awareness training materials explicitly cover USB-specific threats, that employees receive and comprehend this training, and that the organization can verify user understanding of USB security policies.
Description
What this control does
This control ensures that organizational security awareness training explicitly addresses threats posed by USB devices, including malware delivery, data exfiltration, and unauthorized software installation. Training content must educate users on risks such as BadUSB attacks, infected removable media, social engineering tactics involving USB drops, and the organization's own policies governing USB device usage. The control matters because USB-based attacks remain a common initial access vector: they exploit user trust and physical access to a port, so network perimeter defenses never see them.
Control objective
What auditing this proves
Auditing this control proves three things: that the security awareness training materials explicitly cover USB-specific threats, that employees have received the training within the current training cycle, and that the organization can verify, through assessments or interviews, that users understand its USB security policies.
Associated risks
Risks this control addresses
- Employees insert unknown USB devices found in parking lots or received unsolicited in mail, introducing malware into the corporate network
- Attackers use BadUSB devices, whose reprogrammed firmware presents as a keyboard or network adapter rather than as storage, to inject keystrokes or redirect traffic as soon as the device is connected, bypassing endpoint controls that only inspect removable-media contents
- Users connect personal USB drives to corporate systems, transferring sensitive data outside organizational controls and data loss prevention mechanisms
- Infected USB devices carry worms or ransomware into air-gapped or segmented environments that cannot be reached over the network
- Social engineering attacks leverage USB drop campaigns targeting specific facilities, exploiting lack of awareness about physical media threats
- USB keyloggers or hardware implants are inserted by malicious insiders or introduced through supply chain compromise, and remain undetected unless users notice and report unfamiliar devices
- Users disable USB port controls or circumvent technical restrictions due to insufficient understanding of security rationale and business risks
Testing procedure
How an auditor verifies this control
- Obtain the current security awareness training curriculum and all modules, presentations, or learning management system content used organization-wide
- Review training materials to identify sections explicitly addressing USB device threats, including malware delivery, data exfiltration, social engineering via USB drops, and BadUSB attacks
- Verify that USB-related content includes specific guidance on organizational policies such as approved device lists, port usage restrictions, and incident reporting procedures for suspicious devices
- Select a random sample of at least 25 employees across departments and confirm their training completion records within the defined training cycle period
- Interview a subset of 5-10 sampled employees to assess comprehension of USB threats, asking scenario-based questions about finding unknown devices or handling personal media
- Review knowledge assessment or quiz results specifically related to USB security questions, calculating pass rates and identifying any patterns of incorrect responses
- Examine incident response logs or security event records for the past 12 months to identify any USB-related incidents and verify whether affected users had completed current training
- Request evidence of training content updates following emerging USB threats or organizational security incidents, confirming the program adapts to evolving threat landscape
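The sampling, pass-rate and incident cross-check steps above can be scripted against the LMS export and the incident log rather than worked by hand. The following is an added example for this page, not part of the original control text or any audit tool; the records are constructed sample data, and the field names (user, completion date, question id, incident user and date) and the 365-day training cycle are assumptions about how an organization's exports might look.

```python
"""Audit helper: cross-check USB awareness training evidence.

Added example for the testing procedure above; not part of the original
page. All records below are constructed sample data, and the field names
(user, completed, question id, incident user/occurred) are assumptions
about how an LMS export and an incident log might be laid out.
"""
from collections import defaultdict
from datetime import date, timedelta

TRAINING_CYCLE_DAYS = 365   # assumption: annual training cycle
AS_OF = date(2024, 7, 1)    # audit "as of" date for the completion check

# Constructed LMS completion export: user -> most recent completion date
# of the awareness module that contains the USB content (None = never).
completions = {
    "alice": date(2024, 3, 1),
    "bob": date(2023, 1, 15),    # stale: older than one cycle
    "carol": date(2024, 5, 20),
    "dave": None,                # never completed
    "erin": date(2024, 2, 10),
}

# Constructed quiz results: (user, question_id, answered_correctly).
quiz_results = [
    ("alice", "USB-1", True), ("alice", "USB-2", True), ("alice", "USB-3", False),
    ("carol", "USB-1", True), ("carol", "USB-2", False), ("carol", "USB-3", False),
    ("erin", "USB-1", True), ("erin", "USB-2", True), ("erin", "USB-3", False),
]

# Constructed incident log entries already tagged as USB-related.
usb_incidents = [
    {"id": "INC-101", "user": "bob", "occurred": date(2024, 4, 2),
     "summary": "unknown USB drive inserted; AV alert"},
    {"id": "INC-102", "user": "dave", "occurred": date(2024, 6, 11),
     "summary": "personal drive used to copy customer export"},
    {"id": "INC-103", "user": "alice", "occurred": date(2024, 4, 9),
     "summary": "HID device detected enumerating as keyboard"},
]


def is_current(completed, as_of, cycle_days=TRAINING_CYCLE_DAYS):
    """True if the completion falls within one cycle before as_of.

    A completion dated after as_of does not count: training taken after an
    incident cannot have covered the user at the time of that incident.
    """
    if completed is None or completed > as_of:
        return False
    return (as_of - completed) <= timedelta(days=cycle_days)


def completion_coverage(completions, as_of):
    """Share of sampled users whose training is current, and who is not."""
    stale = sorted(u for u, d in completions.items() if not is_current(d, as_of))
    covered = len(completions) - len(stale)
    return covered / len(completions), stale


def pass_rate_by_question(quiz_results):
    """Fraction correct per question; low values flag weak content areas."""
    totals = defaultdict(lambda: [0, 0])  # question -> [correct, answered]
    for _user, qid, ok in quiz_results:
        totals[qid][1] += 1
        if ok:
            totals[qid][0] += 1
    return {qid: c / n for qid, (c, n) in totals.items()}


def incidents_by_untrained(usb_incidents, completions):
    """Incident ids whose user had no current training when it occurred."""
    return [inc["id"] for inc in usb_incidents
            if not is_current(completions.get(inc["user"]), inc["occurred"])]


if __name__ == "__main__":
    rate, stale = completion_coverage(completions, AS_OF)
    print(f"training current for {rate:.0%} of sample; stale or missing: {stale}")
    for qid, r in sorted(pass_rate_by_question(quiz_results).items()):
        print(f"{qid}: {r:.0%} correct")
    print("USB incidents involving users without current training:",
          incidents_by_untrained(usb_incidents, completions))
```

On the sample data this reports 60% coverage (bob stale, dave never trained), a 0% pass rate on USB-3 (a content gap worth raising), and two incidents (INC-101, INC-102) attributable to users without current training; INC-103 is excluded because alice had completed the module five weeks before it occurred. Replace the constructed dictionaries with the real LMS and ticketing exports and keep the per-question breakdown as audit evidence for the pass-rate step.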
Where this control is tested