Digital Version of November/December 2014 Print Edition
USB ploy by DHS exposes curiosity as security flaw
Jevans: employees are
What would you do if you found a USB stick in your office parking lot on the way to your cubicle in the morning? Would you pick it up? Would you plug it into your computer?
Looking for some answers to those questions, the U.S. Department of Homeland Security ran a little experiment. It sprinkled computer discs and USB sticks — some labeled with a logo, some without — in the parking lots of government buildings and those of private contractors and waited to see what would happen.
It found that 60 percent of the people who picked up the media plugged them into their computers. For the media labeled with logos, the percentage was even higher — 90 percent.
"That tells a criminal how to infiltrate a government network," Dave Jevans, chairman of IronKey in Sunnyvale, CA, told Government Security News. "The last time I checked. Criminals can read."
"For one or two hundred dollars, I can pay a high school kid to sprinkle some infected USB drives in the parking lot of the Pentagon and other places and nine out of 10 times some guy is going to plug it in," he observed. "I don't have to worry about your firewall, your IDS [Intrusion Detection System], your IPS [Intrusion Protection System] or any of that stuff."
"You could have spent $50 million securing your network," he continued, "and I could penetrate it by spending $200."
The seeding a parking lot trick is a low rent tactic compared to what's being done by more sophisticated cyber bandits. "We've seen manufacturing plants compromised, where malware is being installed on drives before they leave the factory," said Jevans, whose company protects against credential stealing malware used by criminals, terrorists, and rogue nations that pose a threat to government data.
Without a doubt, the end user is one of the most vulnerable points in a security scheme, he maintained. "There are a great many ways to socially engineer users," he explained, but the free USB ploy seems to be a particularly effective one. He recalled a bank conducting an experiment similar to the DHS one, with similar results.
"The results of experiments like this are something we should all be thinking about," he advised. "When people want to break into our networks, they're going to do it through our employees. They're not going to do it by crashing our firewalls or breaking our IPS's. They're going to do it by tricking our employees."
A full report on its security experiment is expected to be released later this year by the department, according to Bloomberg.