During the last decade a lot of money has been spent trying to protect information systems. Firewalls, intrusion detection systems, two-factor authentication and other technical controls sometimes make good business sense when applied as part of a comprehensive security program. But what we’re not good at yet is the human firewall.

Scott Wright, an Ottawa-based security consultant and publisher of securityviews.com, explained:

“Despite having spent 12 years working with constantly improving security technologies, I’ve seen an increasing trend toward generally greater risk and losses to businesses and home computer users. All signs point to the human factors as being the weakest link. It doesn’t matter how well you make the valve in a rubber tire to keep the air in, if the rubber is not consistently good quality, it can be easily punctured. So, I felt that it was important to start working on this problem in an innovative way that had a chance of making a difference in effecting cultural change across an entire organization.”

In addition to speaking and writing on security awareness, Wright also conducted some interesting research:

“The Honey Stick Project was originally devised as a way to gather data about how well people handled a simulated risk scenario – that of an infected USB Flash Drive. Because these devices can contain targeted threats or viruses that can evade common anti-virus programs, people should not plug unidentified USB drives they find in public locations into their computers at work or at home. In fact, it’s a good idea to only use your own device, and not share it with other people, to reduce the risk of infection.

The devices contain simple and safe HTML files with no active programs. I rely on people simply double-clicking on a file when the device is plugged into their computer to load the file. As long as they are connected to the Internet, and the user hasn’t taken any precautions to prevent the browser from starting, an event is logged at my web server. After deploying 50 devices in places like Ottawa, Toronto, Tremblant and Las Vegas, over 60% of them have been used, which indicates that the finder didn’t do anything to prevent their computer from becoming infected. This tells me that at least 60% of the people who find these devices make poor risk decisions that could result in their home or office computer becoming infected with a virus or botnet.”

Perhaps it’s time we put more emphasis on security awareness training?

6 Responses to The human firewall


  1. kingthorin
    Jun 08, 2009

    I don’t think he’s made a fair assessment. Just because someone accessed a file on the drive does not necessarily mean that they were operating in an environment he could infect/exploit.

    What if they’d been operating from a Linux LiveCD which specifically didn’t mount local hard drives? Pretty safe.

    What if autoplay was disabled for USB devices and they used Firefox w/ NoScript as their default browser? So they purposely launched an HTML file without allowing any active content. Big deal.

    Granted these are all big “what if” scenarios and it’s likely that a huge percentage of his test cases were people using IE on Windows but it’s still a big assumption and the test or results as quoted here are lacking potentially important details.

    Is the original article posted on Scott’s site somewhere? I looked quickly but didn’t see it.


  2. Eric Jacksch
    Jun 08, 2009

    The quotes are from an interview with Scott and some info he emailed me. Hopefully he’ll chime in here.

    It is possible that some of the USB sticks were ‘tested’ by security pros, but I’d be willing to bet that most were by people who just shoved them into their machine and opened the files.


  3. Scott Wright
    Jun 08, 2009

    You’re absolutely right that there are going to be exceptions which could skew the results. When I started the project I was expecting that the results would be significant if over 20% of the devices got used. But we’re up to 60% now. It’s starting to validate data from places like the Ponemon Institute that indicates up to 80% of data breaches result from insider actions (accidental or malicious).

    Yes, we can argue the finer points. In the big picture, however, how confident would you be in one of your staff making the right decision when they face a real high-risk scenario?

    FYI – There are a number of other articles I’ve written at http://www.honeystickproject.com which is now part of my security awareness site, The Streetwise Security Zone.

    I do invite comments. I get lots from IT people who often argue the same points as above. What’s missing is the business manager’s perspective. Most of them don’t know the risks because the IT managers are too busy to explain, or can’t put them into terms that business management understands. The first step is starting a discussion about the risks, with whatever data grabs their attention. The Honey Stick Project seems to be a good topic for many in this respect.


  4. kingthorin
    Jun 08, 2009

    Hey Eric/Scott, it wasn’t my intention to fault the concept behind the test; overall, I agree it’s a great starting point for discussions. As I said, it is likely that the majority of the test users did in fact end up being IE/Windows. However, if possible it would be nice to see at least the User-Agent breakdown of the associated web logs, even if it’s only used as further ammunition to suppress (or further engage) any naysayers.
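Wright’s description of how the project records an open (a benign HTML file whose load is logged by his web server) and kingthorin’s request for a User-Agent breakdown come down to the same piece of work: pulling the beacon hits out of an ordinary web server access log and tabulating them. The script below is an added example written for this page, not the project’s own code or anything from the post. It assumes the beacon pages are served under an `/hs/<device-id>/index.html` path (a naming scheme chosen here so that individual sticks can be told apart), that the server writes the common “combined” log format, and it runs over a handful of constructed log lines rather than real project data.

```python
import re
from collections import Counter

# Constructed sample of web server "combined" log lines, standing in for the
# beacon server's real log (which the post does not show). The /hs/<device>/
# path scheme and the device ids are assumptions made for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jun/2009:10:12:01 -0400] "GET /hs/dev07/index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.10 - - [08/Jun/2009:10:12:02 -0400] "GET /hs/dev07/logo.gif HTTP/1.1" 200 90 "http://example.invalid/hs/dev07/index.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.23 - - [09/Jun/2009:18:40:17 -0400] "GET /hs/dev12/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
198.51.100.44 - - [10/Jun/2009:09:05:33 -0400] "GET /hs/dev03/index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.7 - - [10/Jun/2009:21:15:09 -0400] "GET /hs/dev03/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17"
192.0.2.99 - - [11/Jun/2009:07:00:00 -0400] "GET /robots.txt HTTP/1.1" 404 210 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
"""

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Only the page load itself counts as "the stick was opened"; images and other
# assets the page pulls in afterwards are not separate decisions by the finder.
BEACON_RE = re.compile(r'^/hs/(?P<device>[A-Za-z0-9]+)/index\.html$')


def ua_family(ua: str) -> str:
    """Coarse browser/OS family from a User-Agent string (enough for a breakdown)."""
    if "MSIE" in ua:
        browser = "IE"
    elif "Firefox" in ua:
        browser = "Firefox"
    elif "Safari" in ua and "Chrome" not in ua:
        browser = "Safari"
    else:
        browser = "other"
    if "Windows" in ua:
        os_name = "Windows"
    elif "Linux" in ua:
        os_name = "Linux"
    elif "Mac OS X" in ua:
        os_name = "macOS"
    else:
        os_name = "other"
    return f"{browser}/{os_name}"


def parse_beacon_hits(log_text: str) -> list:
    """Return one record per successful beacon page load found in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET" or m.group("status") != "200":
            continue
        b = BEACON_RE.match(m.group("path"))
        if not b:
            continue
        hits.append({
            "device": b.group("device"),
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "ua": m.group("ua"),
        })
    return hits


def summarize(hits: list, deployed: int) -> dict:
    """Usage rate over the sticks deployed plus a per-device browser/OS breakdown."""
    opens_per_device = Counter(h["device"] for h in hits)
    first_family = {}
    for h in hits:  # log order is chronological, so first seen = first opened
        first_family.setdefault(h["device"], ua_family(h["ua"]))
    return {
        "deployed": deployed,
        "used": len(opens_per_device),
        "usage_rate": len(opens_per_device) / deployed,
        "by_family": Counter(first_family.values()),
        "opens_per_device": dict(opens_per_device),
    }


if __name__ == "__main__":
    summary = summarize(parse_beacon_hits(SAMPLE_LOG), deployed=10)
    print(f"{summary['used']}/{summary['deployed']} devices opened "
          f"({summary['usage_rate']:.0%})")
    for family, n in summary["by_family"].most_common():
        print(f"  {family}: {n}")
```

Because one stick can be opened on several machines (or inspected first by a cautious finder and opened anyway), the summary counts each device once for the usage rate and keys the browser/OS breakdown on the first hit per device, while `opens_per_device` shows which sticks were opened more than once. Splitting the breakdown out shows directly what share of the opened devices came from the IE-on-Windows population kingthorin expects, versus from browsers and platforms where the finder may well have had a safer setup.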


  5. Evolving Squid
    Jun 17, 2009

    The test also doesn’t allow for the fact that someone finding the files may well have looked at them in an editor and chosen to click the HTML, realizing that they were effectively safe.

    This is probably what I would have done before wiping the thing.


  6. Eric Jacksch
    Jun 18, 2009

    Even if you assume that 5% of the people had the technical skills and motivation to check it out and then view the file, that still wouldn’t change the fact that over half of the things were viewed. It points to a security awareness education problem, and that’s all that Scott is trying to show.
