April 2017 Digital Edition

Click Here

March 2017 Digital Edition

Click Here

Feb. 2017 Digital Edition

Click Here

January 2017 Digital Edition

Click Here

Nov/Dec 2016 Digital Edition

Click Here

Oct 2016 Digital Edition

Click Here

Technology Sectors

Market Sectors

USB ploy by DHS exposes curiosity as security flaw

Jevans: employees are
attack vector

What would you do if you found a USB stick in your office parking lot on the way to your cubicle in the morning? Would you pick it up? Would you plug it into your computer?

Looking for some answers to those questions, the U.S. Department of Homeland Security ran a little experiment. It sprinkled computer discs and USB sticks — some labeled with a logo, some without — in the parking lots of government buildings and those of private contractors and waited to see what would happen.

It found that 60 percent of the people who picked up the media plugged them into their computers. For the media labeled with logos, the percentage was even higher — 90 percent.

"That tells a criminal how to infiltrate a government network," Dave Jevans, chairman of IronKey in Sunnyvale, CA, told Government Security News. "The last time I checked. Criminals can read."

"For one or two hundred dollars, I can pay a high school kid to sprinkle some infected USB drives in the parking lot of the Pentagon and other places and nine out of 10 times some guy is going to plug it in," he observed. "I don't have to worry about your firewall, your IDS [Intrusion Detection System], your IPS [Intrusion Protection System] or any of that stuff."

"You could have spent $50 million securing your network," he continued, "and I could penetrate it by spending $200."

The seeding a parking lot trick is a low rent tactic compared to what's being done by more sophisticated cyber bandits. "We've seen manufacturing plants compromised, where malware is being installed on drives before they leave the factory," said Jevans, whose company protects against credential stealing malware used by criminals, terrorists, and rogue nations that pose a threat to government data.

Without a doubt, the end user is one of the most vulnerable points in a security scheme, he maintained. "There are a great many ways to socially engineer users," he explained, but the free USB ploy seems to be a particularly effective one.  He recalled a bank conducting an experiment similar to the DHS one, with similar results.

"The results of experiments like this are something we should all be thinking about," he advised. "When people want to break into our networks, they're going to do it through our employees. They're not going to do it by crashing our firewalls or breaking our IPS's. They're going to do it by tricking our employees."

A full report on its security experiment is expected to be released later this year by the department, according to Bloomberg.


Recent Videos

HID Global is opening the door to a new era of security and convenience.  Powered by Seos technology, the HID Mobile Access solution delivers a more secure and convenient way to open doors and gates, access networks and services, and make cashless payments using phones and other mobile devices. ...
Mobile device forensics can make a difference in many investigations, but you need training that teaches you how to get the most out of your mobile forensics hardware and software, and certifies you to testify in court. Read this white paper to learn how to evaluate mobile forensics training...
PureTech Systems is a software company that develops and markets PureActiv, its geospatial analytics solution designed to protect critical perimeters and infrastructure.  Its patented video analytics leverage thermal cameras, radars and other perimeter sensors to detect, geo-locate, classify, and...
PureTech Systems is a technology leader in the use of geospatial video, focusing on perimeter security.  When combining geospatial capabilities with video analytics and PTZ camera control, managers of critical facilities can benefit by allowing the video management system to aid them in the process...