Found thumb drives: another way employees are a security menace

Most people wouldn’t eat food they found laying in a parking lot, even if it was sealed, nor would they put on a hat or a pair of gloves they found on the ground. But it seems many aren’t so picky when it comes to data storage devices.

A recent penetration test by the Homeland Security Department highlighted a glaring weakness that keeps security professionals up at night. DHS staff deliberately dropped data disks and USB flash drives in federal agency and contractor parking lots. According to Idappcom, a network security firm, 60 percent of those planted data devices, which could easily hold malicious code, were inserted into company or agency computers.

And if the data device had an official logo, the “success rate” for it being inserted into an organization’s network rose to 90 percent.

“There is no device known to mankind that prevents people from being idiots,” said Ray Bryant, Idappcom’s CEO.

Related coverage:

An obvious conclusion of the DHS test is that humans will always be the weakest part of an agency’s security architecture. Because of the potential for human error, mistakes and downright stupidity, organizations can’t just rely on firewalls and other IT security systems.

The key defense for many security issues is education, Bryant said. Besides explaining to employees the reasons why security procedures are in place, organizations need to back it up with a multilayered approach consisting of regular reviews of the network security architecture and a schedule of audits and penetration tests. In the case of found disks and drives, employees should know that they can harbor and distribute malware.

“If employees are allowed to feel that ‘manual’ security is a game, then that will spread to the actual security practices employed in protecting networks,” he said.

Changing an organization’s culture is another way to instill security consciousness. One approach is to get various stakeholders to buy into the new process. That involves promoting an understanding of why a given set of security rules are in place and how detrimental it can be if those rules are forgotten. Once that process is understood and accepted, an organization’s security posture can be raised significantly at little or no extra cost, Bryant said.

Security awareness must be stressed at all levels of the organization, with the understanding from the top down that security is strategic to the enterprise and good for overall governance, he said. Security should not be seen as just another cost center. Key leaders, such as chief information security officers, should appoint designated champions to promote security within an agency or company hierarchy, he added.

Although they are not a panacea, automated testing systems can at least help detect security breaches. Regularly scheduled tests ensure that fixes have been applied and no new vulnerabilities have been introduced, Bryant said. Post-test meetings can also offer clear guidance for remediation.

But technical solutions can only go so far. CIOs can ensure additional security and sleep a bit more easily at night if they stress security education. “Education is not just about the mechanics,” Bryant said. "It has to be instilled as good business practice, it has to be a cultural change and raised beyond the news of the day."

Based on the results of DHS' test, Bryant offers CIOs this advice:

• Don’t get sidetracked from other security measures. This story is as much sensational as it was staged. Look at all the other serious security hacks in the past few months, and don’t get distracted from the real threats.
  
• Intrusion detection and prevention must be the first line of defense. It is more likely for an organization to be hit by hackers than it is for staff to find USB drives in the parking lot.
  
• Education on the need for IT security can only go so far. Extra layers of security — including technologies that validate and prove that the security systems function correctly — are an essential part of an efficient IT defense strategy.