Leaving work recently I saw something shiny in the bushes and quickly discovered that somebody had either lost or discarded a CD in there. My first thought, of course...wonder what's on it (iTunes ain't cheap). Ten years ago, I'm sure I would have found out. Luckily, I now work in the security industry, and know better (most of the time, anyway). Unfortunately, a lot of people who should don't. I was reminded of the results from a penetration test the Department of Homeland Security conducted this past summer where they dropped thumb drives in the parking lots of various federal agencies. How many were plugged in? A not insubstantial 60%. When a corporate logo was included, that rate went up to a staggering 90%. Remember, these are federal employees who one would assume have somewhat regular cyber security training. If HP conducts it once a year, I have to think the government does something similar.
We've been talking a lot amongst ourselves about the RSA breach earlier this year and how it could have been prevented. There are a lot of products and services that HP offers that could have stopped the exploitation in its tracks. Unfortunately, we don't yet offer one that can conquer curiosity. In this day and age, when one vulnerability is all it can take to compromise a site, and when critical infrastructure and information suddenly are web-accessible when that was not the original design, stronger training mechanisms are needed to prevent social engineering attacks of this nature. Are we really that far off from seeing public service announcements about cyber security? Probably not. I think we're about to find out what the cyber equivalent of 'duck and cover' is.