Found thumb drives: another way employees are a security menace

DHS test plants storage devices in parking lots; most people plug them into the network

Most people wouldn’t eat food they found lying in a parking lot, even if it was sealed, nor would they put on a hat or a pair of gloves they found on the ground. But it seems many aren’t so picky when it comes to data storage devices.

A recent penetration test by the Homeland Security Department highlighted a glaring weakness that keeps security professionals up at night. DHS staff deliberately dropped data disks and USB flash drives in federal agency and contractor parking lots. According to Idappcom, a network security firm, 60 percent of those planted data devices, which could easily hold malicious code, were inserted into company or agency computers.

And if the data device had an official logo, the “success rate” for it being inserted into an organization’s network rose to 90 percent.

“There is no device known to mankind that prevents people from being idiots,” said Ray Bryant, Idappcom’s CEO.




An obvious conclusion of the DHS test is that humans will always be the weakest part of an agency’s security architecture. Because of the potential for human error, mistakes and downright stupidity, organizations can’t just rely on firewalls and other IT security systems.

The key defense for many security issues is education, Bryant said. Besides explaining to employees the reasons why security procedures are in place, organizations need to back it up with a multilayered approach consisting of regular reviews of the network security architecture and a schedule of audits and penetration tests. In the case of found disks and drives, employees should know that they can harbor and distribute malware.

“If employees are allowed to feel that ‘manual’ security is a game, then that will spread to the actual security practices employed in protecting networks,” he said.

Changing an organization’s culture is another way to instill security consciousness. One approach is to get various stakeholders to buy into the new process. That involves promoting an understanding of why a given set of security rules is in place and how detrimental it can be if those rules are forgotten. Once that process is understood and accepted, an organization’s security posture can be raised significantly at little or no extra cost, Bryant said.

Security awareness must be stressed at all levels of the organization, with the understanding from the top down that security is strategic to the enterprise and good for overall governance, he said. Security should not be seen as just another cost center. Key leaders, such as chief information security officers, should appoint designated champions to promote security within an agency or company hierarchy, he added.

Although they are not a panacea, automated testing systems can at least help detect security breaches. Regularly scheduled tests ensure that fixes have been applied and no new vulnerabilities have been introduced, Bryant said. Post-test meetings can also offer clear guidance for remediation.

But technical solutions can only go so far. CIOs can ensure additional security and sleep a bit more easily at night if they stress security education. “Education is not just about the mechanics,” Bryant said. "It has to be instilled as good business practice, it has to be a cultural change and raised beyond the news of the day."

Based on the results of DHS' test, Bryant offers CIOs this advice:

  • Don’t get sidetracked from other security measures. This story is as much sensational as it was staged. Look at all the other serious security hacks in the past few months, and don’t get distracted from the real threats.
  • Intrusion detection and prevention must be the first line of defense. It is more likely for an organization to be hit by hackers than it is for staff to find USB drives in the parking lot.
  • Education on the need for IT security can only go so far. Extra layers of security — including technologies that validate and prove that the security systems function correctly — are an essential part of an efficient IT defense strategy.

Reader Comments

Mon, Jul 11, 2011 Gary Hinson NoticeBored.com

I am sitting at my desk pondering a branded USB stick I was given at a recent conference, wondering whether it is worth the effort to set up a test environment in which to check it out safely, or to bin it, or just to take a chance and use it. As a security geek, I believe I am well aware of the risks and able to make a rational decision, but if I weren't, the decision to 'just take a chance' would be hard to resist. Perhaps I should simply drop it in the nearest government carpark and let someone else test it out for me ...

Fri, Jul 8, 2011

Cumbersome or overbearing security systems that hinder employee functions train the employee to look for workarounds. These workarounds then lead to a casual attitude toward security rules. Lesson to learn is review security procedures and how they work with employee operations and keep them in step with employee needs.

Wed, Jul 6, 2011 Scott Wright

All of you are right that rogue USB drives are NOT the biggest security problem that enterprises face. But think about the REAL implications of this kind of data. Clearly, the majority of the population has NOT RECEIVED the basic message that they should "only use authorized or trusted devices". This is a very important conclusion. It tells us that people are not as good as they should be at making simple risk decisions because they've been told (or they assume) that they can rely on technology safeguards and controls. While technological controls are usually the preferred solution for consistency and reliability of policy enforcement, we still seem to be losing ground to the bad guys. And until our enterprise has a budget for all the latest NAC and IPS technologies (FY ??), should we all just accept the risks that users may click on the wrong links or attachments, or use hardware or software that have serious security vulnerabilities? Technological controls will always need to be balanced with education; but not necessarily education about technical threats, which is almost futile. People must be educated on the AUTHORIZED TOOLS and PROCESSES they need to do their jobs securely and efficiently, and on what acceptable personal use of enterprise networks entails. Every technology has at least one vulnerability - as do people and processes. Employees need to be made aware of this basic fact, if nothing else. People who say we simply need to use better technology seem to be using Tortoise Reasoning (Google: "it's turtles all the way down!"). Scott Wright, Streetwise Security Coach and creator of www.honeystickproject.com

Wed, Jul 6, 2011

So the Govt has just learned what the Private Sector did years ago. In the real world we have disabled USB ports, floppy ports, CD, DVD ports etc on ALL User systems by GPO for that exact reason. It is unbelievable how far behind our Govt Professionals are given that each of them have several college degrees each. It is truly being run by a bunch of paper tigers.

Wed, Jul 6, 2011

The assertion, "another way employees are a security menace" is a slam-stereotype made against all employees. DHS is no better than TSA at finding the enemy. Instead of pulling these idiot parking lot pranks, focus on the enemy.
