It’s not often that I disagree with Bruce Schneier, one of the leading lights of the security world… however, I do have a teensy weensy bone to pick with him regarding one of his recent blog postings. A recent test conducted by the Department of Homeland Security on its employees found (to no one’s surprise) that people are prone to pick up unidentified USB drives and pop them into their computers with abandon, providing nefarious personages the ability to infect their systems with malware. Schneier took issue with the following quote from a security expert regarding the study:
Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp., told Bloomberg: “There’s no device known to mankind that will prevent people from being idiots.”
In Schneier’s view, the idiocy really rests with operating system manufacturers who allow their products to access untrusted USB devices with providing the user with any protection and that the users are simply doing the best that they can under the circumstances. This is where I disagree.
While OS manufacturers should be doing a better job of securing their products against unknown USB devices, in the current situation users need to exercise extreme caution in what they stick into their computers’ USB ports. Until we have better tools to mitigate this risk, users have to play an active role in protecting themselves and their organizations from USB borne threats. There has been a lot of news coverage (and at least at my organization, security awareness training) to let people know about the risks of USB devices of uncertain provenance. I happen to think that the people in my organization are smart (and good looking) enough to remember a few very basic security messages and behaviors needed to protect our systems and networks:
- Don’t open links or files from strangers
- Don’t open unexpected/strange links or files (that seem to be) from friends
- Don’t take USB candy from strangers
Yes, I know that application of these rules will not provide 100% protection from malware, but following them will definitely mitigate the risks involved, which is really the best we can hope for at this time.
So, Bruce, you are still my hero, but I think we need to hold our colleagues to a slightly higher standard in terms of their role in protecting our computers and networks.
Oh, and as for Mr. Rasch’s “idiot” comment, I think he was a bit rough on users in terms of his choice of language. I would have said “boneheaded” or “Homer Simpson-like” instead. This is why I am beloved at my workplace.