DHS tests show security's people problem

Study says government workers installed USB drives found in parking lots; readily gave passwords to faux support personnel

It was widely reported last week that as part of a study, the U.S. Department of Homeland Security (DHS) randomly dropped USB and optical drives in government and private contractor parking lots -- and more than half of those who picked one up readily plugged it into their work computer.

Bloomberg News reported that 60% of those workers and contractors who picked up the drives plugged them into office computers. The report also said that 90% of picked-up drives stamped with official government logos were plugged in.

The DHS this week refuted the news reports, and added that statements that it would publish a report this year on the study were false. A DHS spokesman confirmed that studies were conducted by the Idaho National Laboratory over the past year. A primary study found that 20% of employees who picked up a drive plugged them into work computers -- not 60% as had been reported. Only 2% of employees who picked up a drive in a follow-up study plugged it into an office computer.

Whatever the results, the studies are a reminder that more often than not, an employee not observing sound practices is at the heart of any security breach.

For instance, experts say employees should pick up dropped drives -- and turn it into a corporate or agency security officer or reasonable facsimile rather than install it on their computers.

"If you've got a thumb drive sitting in parking lot, you've got to wonder: did another employees drop this? By picking it up, you prevent data loss," said Mark Rasch, director of network security and privacy consulting for Computer Sciences Corp. (CSC).

According to the DHS spokesman, researchers from the Idaho National Laboratory left 50 infected USB thumb drives in parking lots, around picnic tables, and on sidewalks.

Once plugged into a computer, the flash drives would "call home," allowing the researchers to take count of how many were used.

The researchers also delivered phishing emails to workers and counted how many users clicked on the fake URL, and placed calls from purported tech support people seeking passwords.

The results of the study were eye-opening: twenty percent of retrieved thumb drives were plugged in; 22% of employees clicked on a URL in the phishing email; and a whopping 40% of employees provided passwords to the IT support imposter.

Following an initial test, employees attended security training sessions.

Then a year after completing the first study, the researchers tried again. For the most part, the results of the second test were disappointing.

On a positive note, only 2% of those who picked up an infected USB drive installed in on a computer.

However, 21% of employees were fooled by the phishing email -- just 1% less than in the initial test. Worse, the percentage of employees who provided passwords to fake IT support personnel climbed from 40% to 43%.

Rasch, who once ran the U.S. Justice Department's computer crime unit, said chief security officers need to take a three-pronged approach to security that includes training, creating processes and installing technology.

Employees need to first understand the possible consequences of ignoring security threats. Agencies and companies must provide a process for reporting threats and technologies that can be used to thwart them.

Rasch also suggested that organizations use a carrot and stick approach to incent employees to follow security measures. For example, there should be a punishment imposed for plugging an infected USB drive into a business computer. Likewise, employees who turn in an infected drive should be rewarded.

"The point is that while education helps, it's not going to solve the problem. There will always be someone who doesn't get the message, or someone who will do [wrong] despite getting the message," Rasch said.

"And training often has short staying power," he added. "Someone may remember one particular threat, but they may not pick up on a slightly different one."

Overall, though, Rasch believes hackers pose the biggest security threat to governments and corporations.

For instance, to get employees to pick up infected thumb drives, a cybercrook has to be brazen enough to walk or drive through a parking lot that likely has security cameras. Then at least one employee must find the drive and decide to use it.

"That's difficult to do from 1,200 miles away, unlike hacking," Rasch said.

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian , or subscribe to Lucas's RSS feed . His e-mail address is lmearian@computerworld.com .

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Configuration / maintenancestoragesecurityhardware systemsData Center

More about BloombergCSC AustraliaetworkTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucas Mearian

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place