Users Really Do Plug in USB Drives They Find
08.04.2015 - by john Clough
Been suspecting that your users are plugging in any USB stick they find, to see what is on it? Well, you are right, they actually do that. Fresh scientific research by Google, and the Universities of Illinois and Michigan showed a 45% - 98% failure rate with 297 USB drives that were left at different times and locations at a University campus, the fastest time that someone plugged one in was 6 minutes after it was dropped.
Different types of USB drives were tested, some with labels on it, and some with keys attached. The research showed that this did not make a big difference. The actual problem of people plugging in USB drives is that they want to find out who lost it, and are trying to help. This altruistic intention to help is what social engineering exploits, although the researchers noted "that nearly half of users are overtaken by curiosity, first opening vacation photos instead of the prominently placed résumé (which would have reasonably included contact information).
In their conclusion the researchers confirm what has been known for years in the pentesting community; this evidence is a reminder that less technical attacks remain a real-world threat if for some reason you are not able to disable autorun, autoplay and/or auto-mount of anything connecting to a USB slot, which for instance is hard to do on laptops.
This problem is what security awareness training can effectively manage, if employees are trained with both web-based training sessions explaining the dangers of plugging in USB drives, and with actual simulations like the KnowBe4's USB tests.
USB Drive Test™ - release April 11, 2016 - allows you to test your user’s reactions to unknown USBs. You can download a special, "beaconized" Microsoft Office file from your KnowBe4 admin console onto any USB drive which you can drop at an on-site high traffic area. If an employee picks up the USB drive, plugs it in their workstation, and opens the file, it will "call home" and report the fail. Should a user also enable the macros in the file, then additional data is also tracked and made available in the admin console.
For more information contact John Clough on 023 8081 2888 or at email@example.com.
Category : Information - security