March 2018
« Aug    

Cyberwar vs. The Humble USB Key

Hollywood may not make films about USB keys, but they’re probably your biggest information security threat

Given the choice between writing a special 12-page supplement about Cyberwar and trying to fill as many pages about the threat presented by the USB key, it is no surprise that the editors of The Economist chose the former. Hollywood does not make films about USB keys, because, like it or not, they are a bit boring. Boring does not sell newspapers, but since most of us are not in the business of selling newspapers, our focus ought to be on the biggest threats to our organizations.

It is common knowledge in retail that most shoplifting is done by employees – not strangers. Much the same is true for data-losses and IT-security breaches. Employees leaving for other jobs take privileged information with them. Forgetful types write their passwords down in obvious places. And awkward security procedures prompt people to maintain local, often very insecure, copies of information – on USB keys for instance.

Ease of Use vs. Security

Security exists to enable the organization to do what it does safely, but all the rules in the world will not protect your systems from your users if they are careless or willfully circumvent your systems. Codewords and secure connections help keep outsiders outside, but neither protects your data once your users successfully log onto your network.

You can do a lot to structure your information by compartmentalizing it and restricting access, but this requires active management and it does not prevent the information for being stored in other places either accidentally or not. However, you also need to protect yourself against all of the bugs and worse that you users bring with them into your systems.

The threats outside your network know that most of the efforts to stop them focus on outsiders trying to access your networks, so many of them rely on your users. Social engineering is one term for it and it is not limited to letters from Nigeria promising riches. Viruses and the like can use USB-keys as physical Trojan horses to get past your security measures. Users forget the threat the storage devices present and seldom think twice about where they use them. They are so convenient that your users unthinkingly accept the risk.

The Role of the Humble USB-Key 

The accidental virus transporter is often a double-victim. They have been used obviously by the hacker. Your users may also be victims of your IT-systems and your security policies. The fact is that many firms make it so hard to get data out of their systems, that users are often left no alternative, but to rely on tools like USB-keys.

Slow data retrieval and cumbersome systems often do not take into account the needs of the user, whose customers are often not willing to wait while yet another password is entered or a slow server looks for an answer. The local, insecure file or database is almost always a violation of company policy, while being a necessity for fulfilling another – like good customer service or short deadlines. 

The Beatles, Dandruff, Cyberterrorism, and You

Back in the day, the Beatles were asked whether the atom bomb or dandruff presented the biggest threat to their careers. Their famously replied the atom bomb, because they already had dandruff. A lot of information security specialists like talking about threats like Cyberwar, because the source of the threat is a long way away, and because others are much closer.

The Beatles could not do much about the prospects of nuclear war and you are not going to be able to stop either the Chinese Government’s supposed Cyberterrorists or end the scourge of the Russian Internet Mafia syndicates. The Beatles could have and probably did manage their dandruff problem with a quick trip to the supermarket and you can do a lot for your cybersecurity, or whatever sexed up name you want to give it, by focusing on the threats that are nearby – and that you can do something about.

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>