
Found thumb drives: another way employees are a security menace

DHS test plants storage devices in parking lots; most people plug them into the network

Most people wouldn’t eat food they found lying in a parking lot, even if it was sealed, nor would they put on a hat or a pair of gloves they found on the ground. But it seems many aren’t so picky when it comes to data storage devices.

A recent penetration test by the Homeland Security Department highlighted a glaring weakness that keeps security professionals up at night. DHS staff deliberately dropped data disks and USB flash drives in federal agency and contractor parking lots. According to Idappcom, a network security firm, 60 percent of those planted data devices, which could easily hold malicious code, were inserted into company or agency computers.

And if the data device had an official logo, the “success rate” for it being inserted into an organization’s network rose to 90 percent.

“There is no device known to mankind that prevents people from being idiots,” said Ray Bryant, Idappcom’s CEO.

An obvious conclusion of the DHS test is that humans will always be the weakest part of an agency’s security architecture. Because of the potential for human error, mistakes and downright stupidity, organizations can’t just rely on firewalls and other IT security systems.

The key defense for many security issues is education, Bryant said. Besides explaining to employees the reasons why security procedures are in place, organizations need to back it up with a multilayered approach consisting of regular reviews of the network security architecture and a schedule of audits and penetration tests. In the case of found disks and drives, employees should know that they can harbor and distribute malware.

“If employees are allowed to feel that ‘manual’ security is a game, then that will spread to the actual security practices employed in protecting networks,” he said.

Changing an organization’s culture is another way to instill security consciousness. One approach is to get the various stakeholders to buy into the new process. That involves promoting an understanding of why a given set of security rules is in place and how detrimental it can be if those rules are forgotten. Once that process is understood and accepted, an organization’s security posture can be raised significantly at little or no extra cost, Bryant said.

Security awareness must be stressed at all levels of the organization, with the understanding from the top down that security is strategic to the enterprise and good for overall governance, he said. Security should not be seen as just another cost center. Key leaders, such as chief information security officers, should appoint designated champions to promote security within an agency or company hierarchy, he added.

Although they are not a panacea, automated testing systems can at least help detect security breaches. Regularly scheduled tests ensure that fixes have been applied and no new vulnerabilities have been introduced, Bryant said. Post-test meetings can also offer clear guidance for remediation.

But technical solutions can only go so far. CIOs can ensure additional security and sleep a bit more easily at night if they stress security education. “Education is not just about the mechanics,” Bryant said. “It has to be instilled as good business practice, it has to be a cultural change and raised beyond the news of the day.”

Based on the results of DHS' test, Bryant offers CIOs this advice:

  • Don’t get sidetracked from other security measures. This story is as much sensational as it was staged. Look at all the other serious security hacks in the past few months, and don’t get distracted from the real threats.
  • Intrusion detection and prevention must be the first line of defense. It is more likely for an organization to be hit by hackers than it is for staff to find USB drives in the parking lot.
  • Education on the need for IT security can only go so far. Extra layers of security — including technologies that validate and prove that the security systems function correctly — are an essential part of an efficient IT defense strategy.

About the Author

Henry Kenyon is a staff reporter covering enterprise applications.

Reader Comments

Tue, Jul 5, 2011

The terrorists have won--plugging removable media into computers is now considered a security violation!

Think about it---the real issue is with the sad state of the infrastructure, where the run-of-the-mill Windows box is vulnerable to this type of 'attack'.

Tue, Jul 5, 2011 DOD INSCOM

DOD has restricted the use of thumb drives in government CPUs. Very good idea. No thumb drive, no problem.

Tue, Jul 5, 2011 mercdragon Washington, DC

Et al., la guillotine, ahhhhh, mais oui ... Training says many things, few of them put forward a straight policy toward the question at hand. An unrealistic test procedure without a proper response. You find a disc (CD/DVD) or a thumb drive in a parking lot, DO NOT PLUG IT IN TO AN INTERNAL SYSTEM. Turn it in to the security desk and let them turn it over to IT for possible return to the owner. A legitimate loss will be looked for by its owner. KISS principle. Y'all take care and be safe pfb

Tue, Jul 5, 2011 BSL

Consider that security training is a mandatory annual requirement, and that it was not effective. How many of the thumb drives were turned in to IT security for analysis? Do the users believe that the machines are protected from anything that might be on the drive? Applying the term "idiots" to the personnel who accessed the drives wasn't accurate, but it doesn't excuse an act of stupidity. All of them know that they're not supposed to do this, and yet they did it anyway.

Tue, Jul 5, 2011 Som Karamchetty Potomac, MD

Our patent (7,010,647) “Computer system with removable data storage device and method,” assigned to the Secretary of the Army, was specifically intended to avoid such security risks. Removable hard drives and other devices (such as USBs) are routinely used in classified environments also. Several years ago, about the same time when classified disks with nuclear secrets were lost from a DOE lab, we offered this invention to DOE for further development. Their response was, “We want a ready solution, ‘yesterday.’” In response to the commenter who says, “… DOE you cannot get into the parking lot without a DOE badge or demonstrating that you have business here …”: many contractors and contract workers without security clearances do get to the parking lots to work on the lawns, trees, roads, and so on. Yes, most of them are highly trustworthy.
