Social engineering test

by Mark Rowe

Kaspersky Lab’s senior security researcher, David Jacoby, went undercover to put businesses to the test. Dressed in a smart suit and armed with a USB stick containing a PDF of his resume, David approached front desk staff at 11 organisations (three hotels from different chains, six government organisations and two largely privately owned companies), asking them if they could plug in his device and print off the document he needed.

The USB stick did not contain any malicious payload or exploits; it simply held a PDF of David’s CV, nothing else. The goal was to visit as many government institutions, hotels and large privately owned companies as possible and ask them to help print the document because David had “left his papers at home” and did not want to arrive at his appointment unprepared. The interview was not even with anyone from the company he was visiting.

Only one hotel allowed David to insert the USB stick in their computer. However, even in this case the system administrator had disabled the USB port: clever, and a good protection against the human element. But service staff are there because they are service-minded and ready to help, and the receptionist told David to use another computer that was reserved for guests and then to email her the PDF file. We don’t know whether this counts as a win or a fail, but she did print the PDF, providing ample scope for any attack that exploits vulnerabilities in PDF software.

Two of the hotels did not allow David to connect his USB stick to their computer, but both had corporate Ethernet ports placed around the hotel, and with DHCP enabled. The privately owned companies had the same level of security as the hotels. One of the two companies visited did put the USB stick in their computer, only to find that the USB port was disabled. At this point the receptionist did not ask David to email the file; instead she went upstairs to insert the USB stick in another computer. Again, a success for technical security was thwarted by the friendly front our organisations present to the world.

Now for the governmental institutions and organisations David visited. These varied widely. Some more or less kicked him out, saying, “This is not a library”. But some were very helpful. Out of the six organisations and institutions visited, four actually did help by inserting the USB stick in the computer. Two wanted to help, but the USB port was disabled, so they asked David to send his CV via email instead.

The IT security firm points to bad security practice, misconfigured security devices and a lack of staff security training.

Recap

Four out of six government organisations inserted the USB stick, despite their access to confidential citizen information, while only one of the three hotels agreed to connect David’s stick to their computer and both privately owned companies declined. Jacoby argues that businesses are repeatedly putting themselves at risk of security breaches simply through staff error. Such a simple mistake can have huge, detrimental effects on an organisation if a cyber criminal were to gain access to all its data.

You can read the report on the social experiment, including supporting research, at http://www.securelist.com/en/downloads/vlpdfs/exposing_the_security_weaknesses_we_tend_to_overlook.pdf

© 2024 Professional Security Magazine. All rights reserved.