You’d think that IT professionals would know better, but no: if they find a thumb drive lying in a parking lot, they’ll plug it into their network, reports Paul Hyman for CIO Insight:
Savvy CIOs have policies in place to protect their networks against infected USB flash drives. That’s because most IT professionals know the amount of damage that can be caused by plugging in such a device.
For instance, Stuxnet, one of the world’s most sophisticated cyberweapons, is said to have gained access to its target system through a USB drive that someone found.
Yet having policies—and making sure they are followed—can be two very different things.
In a recent study of 300 IT professionals—many of whom are security experts—conducted at the RSA Conference 2013, 78% admitted to having plugged in a USB flash drive that they’d found lying around. To make matters worse, much of the data discovered on those drives included viruses, rootkits and bot executables.
Similarly, the U.S. Department of Homeland Security ran a test to see how hard it would be for hackers to gain access to computer systems. Staffers secretly dropped USB flash drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60% plugged the drives into office computers, apparently curious to see their content. If the drive had an official logo, 90% were installed.
“Even with the knowledge of the potential outcome, curiosity can indeed kill the cat,” says Brian Laing, a security entrepreneur who had been a vice president at AhnLab, the IT security vendor which conducted the RSA Conference survey. “Policies are useful, but without enforcement, they are not a successful measure,” he adds.
In addition to infecting systems, USB flash drives—which have become the floppy disk of the modern era—are a particularly effective tool for sharing files and thereby stealing data and trade secrets.
An earlier survey of 743 IT and information security pros conducted by Ponemon Institute revealed that 70% have traced the loss of sensitive or confidential information to USB flash drives.
Indeed, whistleblower Edward Snowden reportedly used a USB flash drive to smuggle files out of the National Security Agency (NSA) despite policies against using the devices.
“The NSA could have installed USB port-blocking software to restrict and track usage of USB-connected devices,” says David Jevans, chairman of Marble Security and the Anti-Phishing Work Group (APWG). “Despite the NSA’s having a policy of not allowing these devices, they didn’t have the security software installed to prevent it or to restrict usage to secure devices.”…
[continues at CIO Insight]