Been suspecting that your users plug in any USB stick they find, just to see what is on it? Well, you are right, they actually do that. Fresh scientific research by Google and the Universities of Illinois and Michigan showed a 45% - 98% failure rate with 297 USB drives that were left at different times and locations on a university campus. The fastest that someone plugged one in was 6 minutes after it was dropped.
Different types of USB drives were tested, some with labels on them and some with keys attached. The research showed that this did not make a big difference. The real reason people plug in found USB drives is that they want to find out who lost them and are trying to help. This altruistic intention to help is exactly what social engineering exploits, although the researchers noted "that nearly half of users are overtaken by curiosity, first opening vacation photos instead of the prominently placed résumé (which would have reasonably included contact information)."
68% of users took absolutely no precautions before inserting the USB drive. Of those that did take additional steps before opening any files, here is a breakdown of what they did first:
- 16% scanned the drive with their anti-virus software.
- 8% believed that their operating system security features would protect them.
- 8% sacrificed a personal computer or used university resources to protect their personal equipment.
In their conclusion the researchers confirm what has been known for years in the pentesting community: less technical attacks remain a real-world threat. This matters most when, for some reason, you are not able to disable autorun, autoplay and/or auto-mount for anything connecting to a USB slot, which is hard to do on laptops, for instance.
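Checking whether autorun and autoplay are actually disabled on a Windows endpoint is a good first step before relying on that control. The script below is an added example, not from the original post or the study; it audits the documented Explorer policy values (NoDriveTypeAutoRun, NoAutorun, DisableAutoplay) and the -Remediate switch, parameter names and output format are this example's own choices.

```powershell
# Added example (not part of the original post): audit the Windows policy values that
# govern AutoRun/AutoPlay for removable media, and optionally set them.
#   NoDriveTypeAutoRun = 0xFF  disables AutoRun for every drive type (machine-wide)
#   NoAutorun          = 1     stops commands in autorun.inf from being honoured
#   DisableAutoplay    = 1     suppresses the AutoPlay prompt for the current user
# Read-only audit works as a standard user; -Remediate needs an elevated shell for HKLM.
[CmdletBinding()]
param([switch]$Remediate)

$Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Name = 'NoDriveTypeAutoRun'; Want = 0xFF; Why = 'AutoRun disabled for all drive types' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Name = 'NoAutorun';          Want = 1;    Why = 'autorun.inf commands ignored' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers';
       Name = 'DisableAutoplay';    Want = 1;    Why = 'AutoPlay prompt suppressed for this user' }
)

foreach ($c in $Checks) {
    # Missing key or missing value both come back as $null and count as "not enforced".
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $ok = ($null -ne $current) -and ($current -eq $c.Want)
    $state = if ($ok) { 'OK   ' } elseif ($null -eq $current) { 'UNSET' } else { 'WEAK ' }
    $shown = if ($null -eq $current) { '<absent>' } else { $current }
    $line  = '{0} {1}\{2} = {3} (want {4}) : {5}'
    $line -f $state, $c.Path, $c.Name, $shown, $c.Want, $c.Why

    if ($Remediate -and -not $ok) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        # Write as DWORD so Explorer and Group Policy agree on the value type.
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -PropertyType DWord -Force | Out-Null
        '      -> set {0} to {1}' -f $c.Name, $c.Want
    }
}
```

Run it without arguments to get an audit line per setting; a Group Policy that enforces the same values will override anything written locally, so the audit output is the part worth collecting fleet-wide.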
A majority of the survey respondents claimed their motives were altruistic and that they were trying to return the drive to its rightful owner. Cybercriminals know this, and regardless of the finder's intent, this is how actual malicious attacks happen. Infected drives pose a huge security risk and can spread an infection across an entire network quickly.
This study comes about 6 months after a similar experiment by CompTIA, which dropped 200 USB drives in high-traffic public areas in Chicago, Cleveland, San Francisco, and Washington, D.C. Nearly 20% of the drives found were plugged in, with users then proceeding to expose themselves to security risks: opening files, clicking on unknown links and sending messages to unknown email addresses. A corresponding survey revealed that 45% of full-time workers said they didn't receive any kind of cybersecurity training at work, while 15% of those who do still rely on nothing more than paper training manuals.
This problem is one that security awareness training can effectively manage, provided employees are trained both with web-based sessions explaining the dangers of plugging in USB drives and with actual simulations. End users will continue to be targets in cyberattacks and, as we've seen, even less sophisticated attacks continue to succeed. Properly and consistently training users is the best defense for making your organization too difficult for hackers to penetrate, so that they move on to lower-hanging fruit.