The thumb drive has long been a weak spot in the overall security landscape. As usual, the problem has a very human face: there is a raft of good policies in place to protect companies from losing data – or gaining viruses and assorted pieces of malware – via USB flash drives. Unfortunately, people are not paying attention. Even IT professionals are not eating their own cooking when it comes to USB security, according to CIO Insight: “In a recent study of 300 IT professionals—many of whom are security experts—conducted at the RSA Conference 2013, 78% admitted to having plugged in a USB flash drive that they’d found lying around. To make matters worse, much of the data discovered on those drives included viruses, rootkits and bot executables.”
The story offers a bit of comic relief: The U.S. Department of Homeland Security ran a test in which staffers dropped flash drives in the parking lot of government and contractor buildings. Sixty percent of folks who picked them up simply plugged them into networked computers. That percentage jumped to 90 percent if the drive had an official logo.
The problems don’t stop with parking lots. Reuters reports that the Pentagon has good policies in place but that, apparently, getting permission not to follow them is easy. Exceptions “possibly numbering in the thousands” have been granted allowing the use of flash drives and related technologies on secure networks. The government’s rationale includes such bromides as that exceptions are only granted to people whose device security software is up to date and that the exceptions are necessary for the system to function.
There is nothing new in the danger of thumb drives or the fact that policies often look good on paper but fail due to the humans that carry them out. The Edward Snowden situation has shined a new light on the thumb drive vulnerability. ZDNet’s Zack Whittaker, in response to the Reuters story, pointed out that Snowden hardly did anything new. Bradley Manning was arrested more than three years ago and charged with doing much the same thing. Whittaker writes that there has been a crackdown since Manning, but that it is not enough.
The Snowden affair raises a lot of questions, some of which are discussed at Legal Insurrection. Mandy Nagy notes that Snowden was an employee of Booz Allen Hamilton, but that the contractor was found to be innocent of any wrongdoing. Nagy says that NSA Director Keith Alexander said that steps will be taken, such as limiting the use of thumb drives, not allowing unaccompanied people into server rooms and encrypting data. She wonders why those steps have not yet been taken.
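A policy that limits thumb drives is only as good as the means of noticing when it is ignored. The following script is an added example, not code from the article or from any of the organizations it mentions; it shows the defender's side of the "limit the use of thumb drives" step by scanning Linux kernel log lines for USB mass-storage attachments and flagging any device not on an allowlist of approved drives. The log lines, vendor/product IDs and allowlist are constructed for the example and are not taken from any real system.

```python
import re
from dataclasses import dataclass

# Kernel log patterns (dmesg / journal). The leading timestamp is ignored.
NEW_DEVICE_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT_RE = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
MASS_STORAGE_RE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)

# Constructed sample: one unapproved flash drive, one keyboard (no storage
# interface, so it must not alert), one approved encrypted drive.
SAMPLE_DMESG = """\
[ 1201.118] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[ 1201.267] usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
[ 1201.267] usb 1-1: Product: Example Flash Drive
[ 1201.270] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 1340.002] usb 1-2: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 2.00
[ 1340.002] usb 1-2: Product: Example Keyboard
[ 1340.010] input: Example Keyboard as /devices/virtual/input/input9
[ 1502.500] usb 2-1: New USB device found, idVendor=0000, idProduct=0002, bcdDevice= 1.00
[ 1502.500] usb 2-1: Product: Approved Encrypted Drive
[ 1502.505] usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Constructed allowlist of (idVendor, idProduct) pairs the policy permits.
APPROVED = {("0000", "0002")}


@dataclass
class Alert:
    port: str
    vid: str
    pid: str
    product: str
    approved: bool


def detect_mass_storage(lines, allowlist):
    """Return one Alert per USB mass-storage attachment found in the log lines.

    Device identity is announced before the storage driver binds, so the
    vendor/product information is remembered per port until a
    'USB Mass Storage device detected' line for that port arrives.
    """
    seen = {}      # port -> {"vid", "pid", "product"}
    alerts = []
    for line in lines:
        m = NEW_DEVICE_RE.search(line)
        if m:
            seen[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "product": "?"}
            continue
        m = PRODUCT_RE.search(line)
        if m and m["port"] in seen:
            seen[m["port"]]["product"] = m["name"].strip()
            continue
        m = MASS_STORAGE_RE.search(line)
        if m:
            # Unknown port (log truncated before enumeration) still alerts.
            info = seen.get(m["port"], {"vid": "????", "pid": "????", "product": "?"})
            approved = (info["vid"], info["pid"]) in allowlist
            alerts.append(Alert(m["port"], info["vid"], info["pid"], info["product"], approved))
    return alerts


def policy_violations(alerts):
    """Only the attachments that the allowlist does not cover."""
    return [a for a in alerts if not a.approved]


if __name__ == "__main__":
    found = detect_mass_storage(SAMPLE_DMESG.splitlines(), APPROVED)
    for a in found:
        status = "approved" if a.approved else "POLICY VIOLATION"
        print(f"{status}: port {a.port} {a.vid}:{a.pid} {a.product!r}")
```

Run against live data with `dmesg | python3 usb_watch.py` after replacing `SAMPLE_DMESG` with `sys.stdin`; the keyboard on port 1-2 never produces an alert because no mass-storage interface binds to it, which is the distinction a detection rule for this policy needs to make.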
In the big picture, whether Snowden worked directly for the government – as Manning did – or a third party is beside the point. The biggest takeaway is that policies may not be strong enough to truly protect critical data and, even if they are, the human element – the innate curiosity (or nosiness) to stick a thumb drive found in a parking lot into a networked government computer – is cause for us all to worry.