Found thumb drives: another way employees are a security menace
DHS test plants storage devices in parking lots; most people plug them into the network
Most people wouldn’t eat food they found lying in a parking lot, even if it was sealed, nor would they put on a hat or a pair of gloves they found on the ground. But it seems many aren’t so picky when it comes to data storage devices.
A recent penetration test by the Homeland Security Department highlighted a glaring weakness that keeps security professionals up at night. DHS staff deliberately dropped data disks and USB flash drives in federal agency and contractor parking lots. According to Idappcom, a network security firm, 60 percent of those planted data devices, which could easily hold malicious code, were inserted into company or agency computers.
And if the data device had an official logo, the “success rate” for it being inserted into an organization’s network rose to 90 percent.
“There is no device known to mankind that prevents people from being idiots,” said Ray Bryant, Idappcom’s CEO.
An obvious conclusion of the DHS test is that humans will always be the weakest part of an agency’s security architecture. Because of the potential for human error, mistakes and downright stupidity, organizations can’t just rely on firewalls and other IT security systems.
The key defense for many security issues is education, Bryant said. Besides explaining to employees the reasons why security procedures are in place, organizations need to back it up with a multilayered approach consisting of regular reviews of the network security architecture and a schedule of audits and penetration tests. In the case of found disks and drives, employees should know that they can harbor and distribute malware.
“If employees are allowed to feel that ‘manual’ security is a game, then that will spread to the actual security practices employed in protecting networks,” he said.
Changing an organization’s culture is another way to instill security consciousness. One approach is to get the various stakeholders to buy into the new process. That involves promoting an understanding of why a given set of security rules is in place and how detrimental it can be if those rules are forgotten. Once that process is understood and accepted, an organization’s security posture can be raised significantly at little or no extra cost, Bryant said.
Security awareness must be stressed at all levels of the organization, with the understanding from the top down that security is strategic to the enterprise and good for overall governance, he said. Security should not be seen as just another cost center. Key leaders, such as chief information security officers, should appoint designated champions to promote security within an agency or company hierarchy, he added.
Although they are not a panacea, automated testing systems can at least help detect security breaches. Regularly scheduled tests ensure that fixes have been applied and no new vulnerabilities have been introduced, Bryant said. Post-test meetings can also offer clear guidance for remediation.
But technical solutions can only go so far. CIOs can ensure additional security and sleep a bit more easily at night if they stress security education. “Education is not just about the mechanics,” Bryant said. “It has to be instilled as good business practice, it has to be a cultural change and raised beyond the news of the day.”
Based on the results of DHS' test, Bryant offers CIOs this advice:
- Don’t get sidetracked from other security measures. This story is as much sensational as it was staged. Look at all the other serious security hacks in the past few months, and don’t get distracted from the real threats.
- Intrusion detection and prevention must be the first line of defense. It is more likely for an organization to be hit by hackers than it is for staff to find USB drives in the parking lot.
- Education on the need for IT security can only go so far. Extra layers of security — including technologies that validate and prove that the security systems function correctly — are an essential part of an efficient IT defense strategy.
About the Author
Henry Kenyon is a staff reporter covering enterprise applications.