
Tim Royston-Webb, CEO, SentryBay
Cybersecurity threats are no longer confined to email attachments or malicious downloads. Sometimes the most dangerous attack vector is something far more ordinary – a free USB stick.
It sounds almost trivial. A giveaway at a conference. A branded flash drive handed out at an event. Something picked up out of curiosity and plugged into a laptop without a second thought. But in today’s threat landscape, that single action can be enough to compromise an entire organization.
The most dangerous attacks don’t look like attacks
One of the most important takeaways here is how simple the entry point can be. Attackers do not always need sophisticated exploits or complex phishing campaigns. Sometimes, they rely on human behaviour.
Curiosity. Convenience. Trust.
A USB device left in a public place or handed out at an event can be preloaded with malware or even configured to behave like a keyboard. The moment it is plugged in, it can begin executing commands, installing payloads, or creating backdoors.
There is no warning. No suspicious link. No obvious red flag. From the user’s perspective, nothing unusual has happened. From the attacker’s perspective, the job is already done.
Malware can enter anywhere
This reinforces a critical point that many organizations still underestimate. Malware does not need a single defined entry point:
- It can enter through email.
- It can enter through the browser.
- It can enter through trusted applications.
- And it can enter through physical devices like USB sticks.
Once inside, the focus shifts from entry to impact. And this is where most traditional security strategies begin to struggle.
The problem with traditional defenses
Most organizations invest heavily in perimeter security and detection tools:
- Email filtering.
- Endpoint detection and response.
- Network monitoring.
These controls are important. But they are designed to identify and stop threats before or during entry. What happens if the threat bypasses them?
A malicious USB device does not rely on phishing. It does not require user credentials. It does not need to exploit a known vulnerability in the same way traditional malware does.
It simply executes. Once that happens, the attacker’s objective is straightforward. Capture data.
Why data in use is the real target
When malware gains a foothold, it rarely needs to move laterally or escalate privileges immediately. Instead, it focuses on harvesting information from the user’s activity.
- Credentials typed into login forms.
- Sensitive data displayed on screen.
- Conversations captured through microphones.
- Video recorded through webcams.
This is known as data in use. It is the moment when information is most exposed and most valuable. And it is exactly where traditional security controls offer the least protection:
- Encryption does not help when a user is typing a password.
- Network controls do not help when data is already on screen.
- Detection tools may alert after the fact, but by then the data may already be gone.
The growing risk of deepfakes and impersonation
The stakes are even higher today because stolen data is no longer just used for direct exploitation. It is being repurposed:
- Audio recordings can be used for voice cloning.
- Video footage can be used to create deepfakes.
- Captured credentials can enable account takeover and fraud.
A compromised endpoint is no longer just a source of data theft. It is a source of identity replication. This is how modern attacks scale.
Why kernel-level protection matters
If malware can enter from anywhere, including something as simple as a USB stick, then the strategy cannot rely solely on stopping entry. It must focus on limiting impact. This is where kernel-level protection becomes essential.
By operating at a deeper level within the system, kernel-level controls can prevent malware from accessing sensitive inputs and outputs, even if the device itself has been compromised.
This includes:
- Blocking keystroke capture
- Preventing screen recording
- Restricting microphone and camera access
- Securing active user sessions
Instead of chasing every possible threat vector, this approach protects the data itself.
How Armored Client changes the equation
This is exactly the problem SentryBay’s Armored Client is designed to solve. Armored Client for IGEL operates at the endpoint to protect data in use, regardless of how malware enters the system. Whether the threat comes from a phishing email, a compromised application, or a malicious USB device, the outcome is the same.
The attacker cannot capture meaningful data:
- Keystrokes are scrambled, rendering keyloggers useless.
- Screen capture is blocked, preventing visual data theft.
- Microphones and cameras are controlled, reducing the risk of recording and deepfake creation.
- User sessions are protected at the interface layer.
Even if a device is compromised, the data remains protected.
Rethinking security for the modern threat landscape
The lesson here is simple but powerful. The next attack may not come from a sophisticated exploit. It may come from a free USB stick picked up at an event. That reality changes how we need to think about security:
- We cannot rely solely on preventing entry.
- We must assume that compromise is possible.
- And we must ensure that when it happens, attackers cannot access what they came for.
Because in today’s world, malware can enter anywhere. But it should leave with nothing.
About the Author
Tim Royston-Webb, CEO of SentryBay, has over twenty-five years of experience working across strategy, data, and enterprise technology. He has led go-to-market, revenue, strategic and cybersecurity initiatives at several leading business and IT advisory organizations.
He is the founder of Pivotal iQ, which was acquired in 2018, and later became a co-founder of the combined business, now known as HG Insights. His work has focused on how organisations apply data and analytics to drive better decisions and outcomes. This background naturally extends into cybersecurity. For Tim, protecting organisational information assets is a core requirement for trust, resilience and long term business success.

