IT Pros Admit to Plugging In Found USB Drives

The survey revealed that data discovered on the found USB drives often included viruses, rootkits and bot executables.

The temptation to find out what exactly is on an unknown USB drive is apparently too great for a vast majority of IT workers, with 78 percent of IT security professionals admitting to picking up and plugging in USB flash drives found abandoned or lying around, according to a survey conducted by South Korean security vendor AhnLab.

The study also uncovered that more than 68 percent of those surveyed had been involved in a security breach, either at home, work or personally, with many relating back to the infected USB drives. The study warned that inserting a found flash drive into a network could lead to infected files and networks and, ultimately, the loss of valuable data.

“I am utterly shocked at these figures, in particular, the 78 percent number,” Brian Laing, vice president of marketing and business development at AhnLab’s Santa Clara office, said in a statement. “For example, Stuxnet, one of the world’s most sophisticated cyber-attacks, gained access to its target system through a ‘found’ USB drive. The creators of the malware left infected USB drives near a uranium enrichment facility and someone picked it up and inserted into their PC. Stuxnet derailed the efforts of that nation to purify nuclear materials at its facility.”

Conducted at last month’s RSA Conference 2013 among 300 IT professionals, many of whom were security experts, the survey revealed that data which was discovered on the found USB drives often included viruses, rootkits, bot executables, movies, music and other office documents.

The report warns an infected USB drive could result in infected machines, infected networks, and a PC or PCs in the network converted to a bot for use by cyber-criminals, resulting in stolen intellectual property, such as sales forecasts and customer and financial information.

“I urge IT security professionals to begin practicing what they preach,” Laing said. “This ‘it won’t happen to me’ attitude doesn’t wash. It really does come down to the old mantra of combining people, process and technology–if you can get all three elements right, you are on track to a safe and secure environment.”

In addition to these findings, a recent study from Virginia-based PhishMe found that more than 60 percent of people will fall for a phishing attack if they have never been trained to know what to look out for. One in five people admitted to being tricked by a phishing email into clicking a link or opening an attachment.