IT security professionals break USB stick virus rules

Most IT security professionals polled at RSA Conference 2013 admitted to picking up and plugging in USB flash drives they found lying around

More than three-quarters of IT security professionals polled at RSA Conference 2013 admitted to picking up and plugging in USB flash drives they found abandoned or lying around. 

That is despite the fact that most security experts warn that unknown USB sticks often contain malware that could infect corporate networks and lead to the loss of valuable data.

More than 68% of respondents had been involved in a security breach at home or work with many involving USB sticks, according to the survey conducted by South Korean security company AhnLab.

The results are shocking, particularly in the light of the fact that Stuxnet gained access to its target system through a “found” USB stick, said Brian Laing, vice-present of business development at AhnLab US.  

“The creators of the malware left infected USB drives near a uranium enrichment facility and someone picked it up and inserted into their PC,” Laing said.

In August 2010, US defence officials admitted that malware on a USB stick significantly compromised classified Pentagon computers in 2008.

Read more about infected USB sticks

Writing in Foreign Affairs journal, US deputy secretary of defense William Lynn said the attack began when an infected USB drive was put into a US military laptop at a Middle East base.

More recently, the US Computer Emergency Readiness Team (Cert) revealed that two US power plants had been infected through USB sticks being connected to critical IT systems.

“I urge IT security professionals to begin practicing what they preach,” said Laing. 

“It really does come down to the old mantra of combining people, process and technology – if you can get all three elements right, you are on track to a safe and secure environment.”

Underlining the importance of security awareness, a recent study by anti-phishing training provider Phishme found nearly 60% of UK office workers receive phishing emails every day.

Through tracking the responses of more than 3.8 million users, Phishme  found around 60% of people will fall for a phish if they have never been trained to recognise the signs.

The firm has shown that user education is essential in adding "human sensors" to an organisation’s security infrastructure to improve overall security.

Read more on Security policy and user awareness