Curiosity versus network security: and the winner is?
Think your workforce is buttoned-down when it comes to network security? After all, your employees probably have signed an “end-user computing agreement.” Upon threat of job loss, they’d never open a .exe file from an unknown source, or insert a CD or plug in an external drive to a networked company computer, right? Wrong!
In a new twist on social engineering (obtaining confidential information by manipulation of legitimate users), an IT security firm hired by a financial institution set out to test the vulnerability of the human-nature side of network security.
As reported in a June 7th article on the online IT security site Dark Reading, this credit union’s workforce had been tipped off that a security test was planned. Even so, some employees were undone by their own curiosity when they came across 20 cheap USB flash drives, which the testing security firm had scattered around the credit union’s parking lot, smoking area and other common areas prior to the start of work.
In short order, 15 out of the 20 flash drives were discovered by employees. In turn, these employees promptly plugged the drives into their credit union’s computers and clicked on unknown files, activating the trojan code. Consequently, over the next three days, the security firm began collecting passwords, logins and machine-specific data, all conveniently emailed from the credit union to the testers.
According to Steve Stasiukonis, VP and founder of the firm conducting the test, “this little giveaway took [it] a step further, working off humans’ innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites.”
Let’s be careful out there: Don’t let curiosity kill your network security.
