For security leaders at SMBs.

USB attack hardware costs $80 and looks like a thumb drive. Your carrier just added the question to the renewal questionnaire. Your auditor pulls evidence on the control next quarter. Removable media moved from "we have a policy" to "show us the enforcement."

The carrier-and-auditor convergence that already hit device inventory has hit removable media. Insurance underwriters ask about USB controls because USB-borne incidents are showing up in healthcare and SMB claim files. PCI assessors test removable-media handling under Requirement 9.4. SOC 2 auditors evaluate it under CC6.7. CMMC includes MP.L2-3.8.7 (Control Removable Media) at Level 2. HIPAA-regulated organizations face §164.310(d)(1), Device and Media Controls, and NIST CSF crosswalks cite PR.PT-2. Five framework checkboxes; one underlying question: can you prove that a Rubber Ducky plugged into the controller's workstation would not have free run?

TL;DR CybrIQ detects known USB attack hardware through an optional small workstation agent (Windows and Linux) that identifies devices against a curated attack-tool signature database. The agent is opt-in per host. When USB tooling creates a new network device — a covert USB-Ethernet adapter, say — our standard switch-derived identification catches the new device on the wire even without the agent. The artifact you produce is the evidence your QSA, your SOC 2 auditor, your C3PAO, and your cyber-insurance broker each want for the same control.

The control language, side by side.

Five frameworks. Five close-to-identical asks. One operational answer that satisfies all of them.

PCI DSS 4.0 Requirement 9.4.

"Media with cardholder data is securely stored, accessed, distributed, and destroyed." The sub-requirements cover physical security and classification of media, controls on media sent outside the facility, management approval for media movement, inventory logs of all electronic media with cardholder data (9.4.5), and secure destruction. Your QSA tests this with interviews, walk-throughs and a review of those inventory logs. The artifact they want is a maintained log of removable-media events on cardholder-data-environment systems, because that log is what makes the media inventory credible.

HIPAA Security Rule §164.310(d)(1) — Device and Media Controls.

"Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility." OCR cites this section in resolution agreements when removable-media controls are weak or undocumented.

SOC 2 CC6.7 (Trust Services Criteria, Common Criteria 6.7).

"The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives." The auditor expects to see both policy and technical enforcement. A documented allow-list, a detection feed for unauthorized devices, and a record of how exceptions are handled is the operational answer.

CMMC Level 2 MP.L2-3.8.7 — Control Removable Media.

"Control the use of removable media on system components." Your C3PAO assessor tests this through evidence of technical enforcement, not just policy. Endpoint USB policy plus a detection layer for known attack hardware is the configuration assessed.

NIST CSF PR.PT-2 (Protective Technology).

"Removable media is protected and its use restricted according to policy." This is the CSF 1.1 subcategory; CSF 2.0 retired the PR.PT category, but most healthcare and SMB framework crosswalks still cite the 1.1 identifier.

The cyber-insurance questionnaire.

Carrier questions about USB and removable-media controls have been showing up under the "Endpoint Security" section of mid-market and SMB cyber questionnaires since the 2024 renewal cycle. "We have a policy" is no longer a sufficient answer. Brokers are pre-screening submissions for technical-enforcement evidence.

What USB attack hardware actually looks like.

Most board members and most procurement reviewers have never seen one of these in person. The hardware is cheap, openly sold, and deliberately disguised as something benign. Five categories your team should be able to name from sight.

Hak5 Rubber Ducky.

Looks like a normal USB thumb drive. When inserted, it enumerates as a USB keyboard and types a pre-programmed script at machine speed: opening a command prompt, downloading a payload, installing a remote access tool. About $80, sold openly online. Used in real SMB breaches in 2023 and 2024.

Flipper Zero.

A small handheld multi-function device that, among many other things, can act as a USB keyboard the way the Rubber Ducky does. Looks like a child's electronic toy. Same script-execution capability; harder to spot because it does not look like a thumb drive.

O.MG cables.

USB cables — phone charging cables, USB-C cables — with the script-injection capability hidden in the cable itself. Visually identical to a legitimate cable. Sold by a known security vendor; routinely used by both red teams and real attackers because "it's just a cable" is the universal blind spot.

BadUSB-class HID-spoofing devices.

"HID", Human Interface Device, is the USB class for keyboards and mice. BadUSB is reprogrammed firmware on an ordinary-looking USB device, typically a thumb drive's controller, so that it enumerates as a keyboard, either instead of or alongside its storage or network function. The operating system has no way to verify a device's declared class: it trusts the descriptor, loads the generic keyboard driver, and accepts the keystrokes. That trust is what every device in this section exploits.

USB-Ethernet adapters used as covert network access.

A small USB-to-Ethernet implant, plugged into a workstation and sitting in-line on its wired connection, puts a second network-capable device on the wire and gives the attacker a persistent foothold. The workstation keeps working and looks normal on the desk; the implant's own interface is what reaches back to the attacker. This one is the bridge to the inventory side of CybrIQ: even without an endpoint agent, the implant's own MAC address appears on the switch port, and our standard switch-derived identification catches it.

How CybrIQ handles it.

1. Optional, opt-in workstation agent on Windows and Linux.

This is the one place in the entire CybrIQ product where we put software on an endpoint. The agent is optional, opt-in per host, and scoped to the workstations you choose, typically the highest-risk ones first: executive endpoints, finance, anyone with privileged access, anyone working with regulated data. The agent enumerates the USB device tree and compares each connected device's descriptor (vendor ID, product ID, device and interface class, serial) against a curated attack-tool signature database. One caveat worth stating to your assessor up front: the Rubber Ducky, the Flipper Zero and the O.MG cable all let their operator change the vendor and product IDs they present, so descriptor matching catches default and unmodified tooling and belongs alongside your operating-system USB device policy, not in place of it.

2. usb-threat-detected event on a match.

When the agent identifies a Rubber Ducky, a Flipper Zero, an O.MG cable, or a BadUSB-class device, it emits an event to your existing SIEM through syslog or REST — the same egress channels every other CybrIQ event uses. The event carries the full USB descriptor (vendor ID, product ID, device class, serial), the matched attack-tool class, the host that observed it, and the user logged in at the time.

3. Allow-listing for legitimate hardware.

Some programs have legitimate uses for the same kinds of devices — hardware engineers, internal red teams, security researchers, penetration testers under contract. The allow-list supports those without weakening detection for everything else. Allow-list entries are scoped per host and per user and are logged for auditor visibility.
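To make steps 1 through 3 concrete, here is an added illustration of descriptor-based matching with a host- and user-scoped allow-list that emits a usb-threat-detected event. It is not CybrIQ's agent code and does not use CybrIQ's signature database: the signature entries and their VID/PID pairs, the host and user names, the allow-list entry and its `SEC-0000` ticket are all constructed for the example. It also shows one thing a pure signature list cannot, a shape heuristic for a device that presents itself as both storage and keyboard under identifiers that are not on the list.

```python
"""Descriptor-based USB attack-hardware check with a scoped allow-list.

Added illustration, not CybrIQ's agent: every device record, signature entry,
host name, user name and allow-list entry below is constructed for the example.
"""
import json
from dataclasses import dataclass
from typing import Optional

# USB interface class codes (usb.org defined class codes).
HID = 0x03            # keyboards, mice
CDC = 0x02            # communications, includes USB-Ethernet (ECM/NCM) functions
MASS_STORAGE = 0x08   # thumb drives


@dataclass(frozen=True)
class UsbDevice:
    vid: int            # idVendor from the device descriptor
    pid: int            # idProduct
    interfaces: tuple   # bInterfaceClass of every interface the device exposes
    serial: str         # iSerialNumber string, often empty on attack hardware
    host: str           # workstation the agent runs on
    user: str           # user logged in when the device enumerated


# Constructed signature database: (VID, PID) -> attack-tool class. The real tools let
# their operator choose any VID/PID, so a curated list only catches default identities.
SIGNATURES = {
    (0x1234, 0x0001): "hid-injector",        # placeholder "thumb drive" keystroke injector
    (0x1234, 0x0002): "hid-injector",        # placeholder handheld in BadUSB mode
    (0x1234, 0x0003): "hid-injector-cable",  # placeholder implant cable
}

# Allow-list entries are scoped to one host AND one user and carry the justification
# an auditor will ask for. Constructed entry; SEC-0000 is a placeholder ticket.
ALLOW_LIST = (
    {"vid": 0x1234, "pid": 0x0002, "host": "lab-ws-07", "user": "redteam.a",
     "justification": "Authorized internal red-team kit, ticket SEC-0000"},
)


def signature_match(dev: UsbDevice) -> Optional[str]:
    return SIGNATURES.get((dev.vid, dev.pid))


def heuristic_match(dev: UsbDevice) -> Optional[str]:
    """Shape-based fallback for devices that spoof an unknown VID/PID.

    A storage stick or a network adapter has no business also being a keyboard;
    that composite is the BadUSB pattern regardless of the identifiers presented.
    """
    classes = set(dev.interfaces)
    if HID in classes and MASS_STORAGE in classes:
        return "composite-storage-plus-keyboard"
    if HID in classes and CDC in classes:
        return "composite-network-plus-keyboard"
    return None


def allow_list_entry(dev: UsbDevice) -> Optional[dict]:
    for entry in ALLOW_LIST:
        if (entry["vid"], entry["pid"], entry["host"], entry["user"]) == \
           (dev.vid, dev.pid, dev.host, dev.user):
            return entry
    return None


def evaluate(dev: UsbDevice) -> dict:
    """Return the event record for one enumerated device.

    Every device produces a record (that is the per-workstation USB log the auditor
    wants); only matches produce usb-threat-detected or the allow-listed variant.
    """
    event = {
        "vid": f"{dev.vid:04x}", "pid": f"{dev.pid:04x}",
        "interface_classes": [f"{c:02x}" for c in dev.interfaces],
        "serial": dev.serial, "host": dev.host, "user": dev.user,
    }
    tool_class = signature_match(dev) or heuristic_match(dev)
    if tool_class is None:
        event["event"] = "usb-device-seen"
        return event
    event["attack_tool_class"] = tool_class
    entry = allow_list_entry(dev)
    if entry:
        event["event"] = "usb-allowlisted-device"   # logged, never silently dropped
        event["justification"] = entry["justification"]
    else:
        event["event"] = "usb-threat-detected"
    return event


def to_syslog(event: dict, timestamp: str) -> str:
    """RFC 5424 line; PRI = facility 1 (user) * 8 + severity (4 warning, 6 info)."""
    severity = 4 if event["event"] == "usb-threat-detected" else 6
    pri = 1 * 8 + severity
    return (f"<{pri}>1 {timestamp} {event['host']} usb-agent - {event['event']} - "
            f"{json.dumps(event, sort_keys=True)}")


if __name__ == "__main__":
    ducky_default = UsbDevice(0x1234, 0x0001, (HID,), "", "fin-ws-03", "j.doe")
    print(to_syslog(evaluate(ducky_default), "2024-06-01T09:15:00Z"))
```

The enumeration itself would come from the operating system (on Linux, the `idVendor`, `idProduct` and per-interface `bInterfaceClass` attributes under `/sys/bus/usb/devices/`; on Windows, the device instance properties), which is the part this example replaces with constructed `UsbDevice` records. Note that the allow-listed device is written out as its own event rather than suppressed: the auditor wants to see the exception exercised and justified, not absent from the log.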

4. Network-side detection when USB tooling creates a new device on the wire.

Even on workstations without the agent, when a USB-Ethernet implant or a similar USB-pretends-to-be-a-network-device tool puts a new device on the wire, our standard switch-derived identification picks it up. A MAC address with a new OUI (the manufacturer prefix of the address) appears on a port that previously carried a single workstation. We surface the new device the moment it appears, through the same change feed your inventory updates flow through.
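The port-level check described above, as an added illustration that is not CybrIQ's identification engine: two forwarding-table snapshots of one access switch are compared, and any MAC address that newly appears on an access port is reported with its manufacturer prefix. The OUI table, the port names and roles, and both snapshots are constructed; a real collector would read the switch's forwarding table (BRIDGE-MIB `dot1dTpFdbTable` over SNMP, or the vendor CLI) instead.

```python
"""Switch-side detection of a new device appearing on a workstation port.

Added illustration, not CybrIQ's identification engine. The OUI table, port roles and
both MAC-table snapshots are constructed; real polling would read the switch's
forwarding table (for example BRIDGE-MIB dot1dTpFdbTable over SNMP).
"""
from typing import Dict, List, Set

# Constructed OUI (first three octets -> manufacturer) table. Not real IEEE assignments.
OUI_TABLE = {
    "a8:bb:c1": "Example Workstation Co",
    "a8:bb:c2": "Example Phone Co",
    "a8:bb:c9": "Example Embedded Modules Ltd",
}

# Constructed port roles: access ports carry one or two endpoints, uplinks carry many.
PORT_ROLES = {"Gi1/0/12": "access", "Gi1/0/13": "access", "Gi1/0/48": "uplink"}


def manufacturer(mac: str) -> str:
    """Resolve the OUI, flagging locally administered addresses (bit 1 of the first
    octet set), which carry no manufacturer assignment and are typical of software-set MACs."""
    first_octet = int(mac.split(":")[0], 16)
    if first_octet & 0x02:
        return "locally-administered (no OUI)"
    return OUI_TABLE.get(mac[:8].lower(), "unknown OUI")


def diff_mac_tables(before: Dict[str, Set[str]], after: Dict[str, Set[str]]) -> List[dict]:
    """Compare two forwarding-table snapshots and return change events for access ports.

    Two shapes matter for an in-line USB-Ethernet implant: a MAC added while the
    workstation's MAC stays (implant bridging the workstation through) and a MAC
    replaced (implant hiding the workstation behind itself). Uplinks are skipped
    because MAC churn there is normal.
    """
    events = []
    for port in sorted(set(before) | set(after)):
        if PORT_ROLES.get(port) != "access":
            continue
        old, new = before.get(port, set()), after.get(port, set())
        added, removed = new - old, old - new
        if not added:
            continue  # a device leaving is a different, lower-priority change
        kind = "mac-replaced-on-access-port" if removed else "mac-added-on-access-port"
        for mac in sorted(added):
            events.append({
                "event": kind, "port": port, "mac": mac,
                "manufacturer": manufacturer(mac),
                "previous_macs": sorted(old),
            })
    return events


# Constructed snapshots: Gi1/0/12 holds one workstation; on the second poll a second MAC
# with an embedded-module OUI appears beside it. Gi1/0/13's workstation MAC is replaced
# by a locally administered one. The uplink churns and must not alert.
SNAPSHOT_T0 = {
    "Gi1/0/12": {"a8:bb:c1:00:00:12"},
    "Gi1/0/13": {"a8:bb:c1:00:00:13"},
    "Gi1/0/48": {"a8:bb:c1:00:01:01", "a8:bb:c2:00:02:02"},
}
SNAPSHOT_T1 = {
    "Gi1/0/12": {"a8:bb:c1:00:00:12", "a8:bb:c9:00:00:99"},
    "Gi1/0/13": {"02:00:00:00:00:13"},
    "Gi1/0/48": {"a8:bb:c1:00:01:01", "a8:bb:c2:00:02:02", "a8:bb:c2:00:03:03"},
}

if __name__ == "__main__":
    for ev in diff_mac_tables(SNAPSHOT_T0, SNAPSHOT_T1):
        print(ev)
```

Two caveats belong next to this check in any evidence discussion. An implant that clones the workstation's MAC address produces no change in the forwarding table at all, so this is a tripwire for commodity hardware, not a substitute for 802.1X port authentication. And a locally administered address (second-lowest bit of the first octet set) has no manufacturer assignment, which is itself worth surfacing: it is how software-set MAC addresses usually look.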

5. Clean evidence for every framework on this page.

The artifact, an enumerated USB-device log per workstation, an allow-list with maintained justifications, and a detection feed for known attack hardware, is forwardable. The cover-sheet mapping varies (PCI 9.4.x, HIPAA §164.310(d)(1), SOC 2 CC6.7, CMMC MP.L2-3.8.7). The underlying evidence is the same.

What this is not.

It is not a hardware USB-port lock. It is not full data-loss prevention. It is not file-content scanning. It does not replace your endpoint USB policy. What it is: the technical-enforcement layer that turns a written policy into evidence the auditor accepts and the carrier recognizes. The endpoint policy and the DLP suite remain whatever your team has already chosen; CybrIQ provides the detection layer underneath that catches the specific class of hardware those policies cannot enforce against by themselves.

Forwardable to the broker

"Endpoint USB attack-hardware detection is in place on privileged-access workstations via the CybrIQ Windows/Linux agent. Detection signatures cover the BadUSB-class device families (Rubber Ducky, Flipper Zero, O.MG, HID-spoofing rogue mass-storage). Network-side detection captures USB-Ethernet adapters and covert network-attach devices independent of agent coverage. Allow-list maintained for authorized red-team and hardware-engineering use. Events flow to the SIEM via syslog and are retained per the data-retention schedule in the master services agreement."

A live demo of the workstation agent and the network-side detection.

Bring a representative workstation if you can — we can demonstrate the agent and the detection events on a real device.


30-day pilot, no fee. The artifacts are yours regardless of decision.