Found thumb drives: another way employees are a security menace

DHS test plants storage devices in parking lots; most people plug them into the nework

Most people wouldn’t eat food they found laying in a parking lot, even if it was sealed, nor would they put on a hat or a pair of gloves they found on the ground. But it seems many aren’t so picky when it comes to data storage devices.

A recent penetration test by the Homeland Security Department highlighted a glaring weakness that keeps security professionals up at night. DHS staff deliberately dropped data disks and USB flash drives in federal agency and contractor parking lots. According to Idappcom, a network security firm, 60 percent of those planted data devices, which could easily hold malicious code, were inserted into company or agency computers.

And if the data device had an official logo, the “success rate” for it being inserted into an organization’s network rose to 90 percent.

“There is no device known to mankind that prevents people from being idiots,” said Ray Bryant, Idappcom’s CEO.


Related coverage:

To defeat phishing, Energy learns to phish


An obvious conclusion of the DHS test is that humans will always be the weakest part of an agency’s security architecture. Because of the potential for human error, mistakes and downright stupidity, organizations can’t just rely on firewalls and other IT security systems.

The key defense for many security issues is education, Bryant said. Besides explaining to employees the reasons why security procedures are in place, organizations need to back it up with a multilayered approach consisting of regular reviews of the network security architecture and a schedule of audits and penetration tests. In the case of found disks and drives, employees should know that they can harbor and distribute malware.

“If employees are allowed to feel that ‘manual’ security is a game, then that will spread to the actual security practices employed in protecting networks,” he said.

Changing an organization’s culture is another way to instill security consciousness. One approach is to get various stakeholders to buy into the new process. That involves promoting an understanding of why a given set of security rules are in place and how detrimental it can be if those rules are forgotten. Once that process is understood and accepted, an organization’s security posture can be raised significantly at little or no extra cost, Bryant said.

Security awareness must be stressed at all levels of the organization, with the understanding from the top down that security is strategic to the enterprise and good for overall governance, he said. Security should not be seen as just another cost center. Key leaders, such as chief information security officers, should appoint designated champions to promote security within an agency or company hierarchy, he added.

Although they are not a panacea, automated testing systems can at least help detect security breaches. Regularly scheduled tests ensure that fixes have been applied and no new vulnerabilities have been introduced, Bryant said. Post-test meetings can also offer clear guidance for remediation.

But technical solutions can only go so far. CIOs can ensure additional security and sleep a bit more easily at night if they stress security education. “Education is not just about the mechanics,” Bryant said. "It has to be instilled as good business practice, it has to be a cultural change and raised beyond the news of the day."

Based on the results of DHS' test, Bryant offers CIOs this advice:

  • Don’t get sidetracked from other security measures. This story is as much sensational as it was staged. Look at all the other serious security hacks in the past few months, and don’t get distracted from the real threats.
  • Intrusion detection and prevention must be the first line of defense. It is more likely for an organization to be hit by hackers than it is for staff to find USB drives in the parking lot.
  • Education on the need for IT security can only go so far. Extra layers of security — including technologies that validate and prove that the security systems function correctly — are an essential part of an efficient IT defense strategy.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.