SecuriMind

According to Bloomberg, The U.S. Department of Homeland Security tested government staff to see if they would pick-up and use CDs and USB sticks found in the parking lot. The result was of course bad, 60% of the people plugged in the found media in the office computer, 90% was plugged in if the media was branded with the official logo. This is no surprise, but of course shocking for IT-security personnel.

Bruce Schneier commented on this, by saying that the problem is not the people, it is the USB sticks. "Quit blaming the victim" Schneier says. I am bound to agree with Schneier.

The tests, conducted by The U.S. Department of Homeland Security, shows that IT-security policies is not enough. IT-security policies can dictate any demands but the users must be supported in their security awareness.

Creating security awareness is a hard thing to do. The users must be aided in a technical way. Blocking all insecure USB-sticks and only allowing e.g. encrypted sticks or SecuriRAM, can be one way to get through to the users and saying: -Insecure USB sticks are dangerous stuff, don’t use them, and don’t touch them.

Below you will see my short-list of how to support your users and to improve USB stick security.

• Educate the personnel of the risks with USB sticks
• Block auto start and U3
• Update the operating system as soon as the security patches are released
• Keep the virus protection updated
• Use a USB port blocking software and allow only known USB sticks (white listing)
• Keep track of the USB sticks, remove lost USB sticks from white list
• Use secure USB sticks e.g. encrypted sticks or SecuriRAM