When Evaluating Your Network Vulnerabilities, Don’t Forget the Sneaker Net

While we were working on a security assessment for one of our clients recently, I had an interesting conversation that revealed an information security blind spot.  It highlighted an oversight that might be more common than we’d like to think.  

This client has a solid corporate security policy, is trying to follow industry standards to secure their payment processing, has contracts with reputable firms to handle their network infrastructure, and is forward-thinking enough to bring in a pair of eyes from outside to review their set-up.  The staff at this location were professional, intelligent, conscientious, and well-led.  This business is certainly above average—ahead of the curve in thinking about information security.  

I wanted to check a network port in a locked room.  I asked an employee for access, and he handed me a small key ring that was hanging in a drawer lock at the reception desk.  Returning from my errand, I noticed there was a USB “thumb drive” on the front desk key ring.  I asked the helpful employee what kind of data was on that drive.  He told me they used it to swap files around between the front desk computers, the work room computers, and the managers’ offices.  I asked him for an example of a document I’d find on that drive.  He told me that he had just helped a customer who couldn’t receive a receipt via email. He had downloaded her electronic receipt to that common-use drive and handed it to her to load to her laptop.  

This client has their payment processing hardware and server and their front desk PCs running on a secured network that is physically separated from the rest of the facility.  …but (while striving for responsive customer service) they stored a credit card receipt with a customer’s information on an unsecured USB stick…which they hand to customers who need a transfer device. It doesn’t take much of a leap of imagination to conclude that this innocent looking keyring dongle, in the hands of a malicious actor, would probably compromise much more than that one transaction.  

Your office sneaker net is part of your network.  You shouldn’t treat its security any less seriously that you do all those connections in the server room.

Keyring USB drives are ubiquitous, inexpensive, forgettable, and unsecured.  They easily become informally shared transfer devices.  I bet you have a couple kicking around in your office: sitting in a drawer, hanging on a hook, laying behind a monitor on the front desk, left on a counter in the training room…  Do you know what’s on those devices?  When is the last time you scrubbed the data from them?  Do you know what deleted files or invisible data might be recoverable from them?  How worried would you be if you were missing one?  Would you even notice?