What we should really learn from recent USB ‘drive-by dropping’ episodes is that people with piqued curiosities – even good, honest, tax-paying folks – will not hesitate to commandeer, inspect and thereby compromise the security of your confidential data if it can be easily accessed via a USB flash drive…
It’s time, folks, to put recent events in perspective.
By now, you have all read the recent Bloomberg story about the USB thumb drive ‘security tests’ conducted by the US Department of Homeland Security (DHS), and you’ve probably seen the report of a similar, flash stick ‘drive-by dropping’ scenario carried out in Western Australia.
In both cases, discs and USB flash sticks were dropped randomly in the parking lots of government facilities and private contractors in what were, ostensibly, attempts to, in each case, gauge the strength of network security and to eventually convert test data into updated, and more stringent, policies, procedures and regulations.
Eight Out of Fifteen Failed
The results were not shocking in the least (not to us, anyway). In the Western Australian test, eight out of the fifteen agencies involved in the test failed, as members of their staff picked up the USB devices and plugged them into their work computers – giving the devices access to said agency’s network. In the DHS test, 60 percent of the USB devices were picked up and plugged into the computers of government agencies and private contractors – and of drives emblazoned with an official logo, 90 percent were connected to USB ports.
The upshot of all of this has been a veritable maelstrom of reaction from IT security wizards near and far. On one end there was CSC’s Director of Network Security, Mark Rasch, telling Bloomberg,
“There’s no device known to mankind that will prevent people from being idiots.”
And then, on the other end of the spectrum, it was American cryptographer and BT Chief of Security Bruce Schneier spouting off.
Schneier – once labeled a “Security Guru” by The Economist (and who was once quoted saying, “Data is the pollution problem of the Information Age”) – posted a blog in which he put the blame away from human idiocy and squarely on the shoulders of operating systems for flippantly engaging certain types of media.
“Of course people plugged in USB sticks and computer disks,” Schneier wrote. “It’s like ’75 percent of people who picked up a discarded newspaper on the bus read it.’ What else are people supposed to do with them?”
Schneier’s post has, to date, garnered more than 150 comments – most of which find interested parties taking either one side or the other. But, more important than assigning a scapegoat (Human vs. OS) or playing a fun (and most unproductive) game called “Masters of the Obvious,” we here at BlockMaster think it is important to get to the real crux of the matter.
Separating the wheat from the chaff…
There’s a saying that my old granddad used to use quite often, and I’ll never forget it…
“I trust you…but cut the cards.”
I might have a housekeeper who has been with my family for 20 years. I might trust, implicitly, said housekeeper with the safety and sustenance of my children; I might depend on her to ensure overall household safety; I might even list her as my second emergency contact person in the event of an accident or emergency situation…
That said, I don’t leave my personal desk drawer (the one with all my valuables, personal items and confidential information) unlocked when she is around, do I?
Of course I don’t.
And it is not because I think she is a bad person, or that she is untrustworthy, per se. It goes back to what granddad used to say. Even though I trust her, I also know she is human being. And I know that people are curious. They like to look at things they are not supposed to look at and they will, without a doubt, do so if they feel they can get away with it. Therefore (and forgive me, trusted housekeeper), please don’t be offended when you try to open my personal drawer and find it locked tight. That is just my way of asking you to ‘cut the cards.’
‘Drive-by droppings,’ put in perspective
It’s all fun and games to enter a discussion forum regarding this debate and take a side. Maybe it is even more fun for some wannabes to have the rare chance to poke holes into the arguments of trusted, credible and highly-knowledgeable authorities on network security.
But, for those of us most concerned with real-time (and real-world) implications, there is something greater to be learned from all of this. It is that, quite simply, people – due to some unknown force of nature – will look at things they are not supposed to look at, whether they feel they can get away with it or not. And we are talking about good people, mind you. We are talking about professional employees of highly-regarded organizations; we are talking about sweet-faced housekeepers and tax-payers (not to mention what bad folks might have in mind for you and your data, if they had the chance)…
If someone finds your USB device, they are going to take home the USB device. Then they will plug it in. Then they will look at the contents. Not because they are idiots, but because they are people…
If you leave your personal drawer unlocked, even your trusted housekeeper is going to look inside.
Loaded, but still locked and secure…
Let us take a minute to remind you that one of the most important steps you can take, when dealing with the security of your data, is to ensure that proper policies and procedures are in place within your organization.
Perhaps even more important, know that the flash drives used by your employees are without a doubt important business tools in terms of productivity and convenience. But, by the same token, when they are lost or misplaced, someone is going to find them and they are going to attempt to access the information within.
Forget about drive-by droppings, the DHS, Schneier and everything else for a moment…and keep this in mind: With SafeConsoleReady secure USB flash drives, your confidential data is protected with encryption and password strength.
No matter where they are lost.
No matter who finds them.
No matter how hard they try to access your data.
And adding SafeConsole central management and the addition Device Lockout means that the organization gets complete visibility, control over what drives are used and how they are used. And you can actually keep end-users happy through all of these. And everyone can go on being their own wonderful curious selves. It is just that your organization and your data won’t be at risk anymore.