In this day and age of ransomware and APTs, would you describe your company as secure and not vulnerable?
As most regular readers of this blog know, 80% of our daily business is focused on security. With Avanet, we have relied on Sophos security solutions from the very beginning and have never regretted this decision so far. We enjoy helping customers who are interested in the security of their business and who are also convinced by Sophos products.
For a marketing campaign in November 2016, we deliberately chose the complete opposite of our usual customers as a target. We tried to convince CEOs who had never thought about security before, or who were convinced that their existing solution already provided enough of it. For once, we also said goodbye to our previous marketing channel, online marketing. What came out of it? Unfortunately, nothing pleasant, which is why we decided to share our experience with you. Our campaign showed us in a frightening way that there is a need for much more education on the subject of “security in the enterprise”, and that a company’s network can be penetrated with the simplest of means. You can read the whole story here.
When we talk to potential customers and discreetly inquire about IT security, we always hear the same answer:
“We are adequately protected and, after all, something like this can’t happen to us either way. Our company is far too small and far too insignificant for a hacker.”
The fact is that it is no longer about the lone hacker in the basement who only picks big companies as targets. The wave of encryption Trojans in particular shows clearly that anyone with a computer, an Internet connection and e-mail is a target. When we then point out the dangers of e-mail attachments, CEOs are quite sure that their employees are careful and would certainly not do anything rash. What else can you say to this except, “May we test this once?” Obviously, nobody wants to give their consent to that, and so we asked ourselves the following question when planning our new marketing campaign:
“How do you convince a potential customer about IT security who has never thought about it or thinks they are adequately protected?”
Our marketing idea and how we implemented it
When planning our campaign, one thing was very important to us. We wanted to be “the good guys”, and the point of the action was to raise awareness of today’s dangers. To be as effective as possible, it also needed a dose of cold sweat to exorcise the thought that “yes, I’m safe and nothing can happen to me.”
So we had 100 USB sticks delivered, onto each of which we copied an HTML file with the following content.
At this point, I would like to emphasize once again that there was really only a harmless HTML file on the stick. As I said, it was never our intention to harm any company. We then put the USB stick in an envelope, with only a Post-it note saying:
“As discussed, the project data. Greetings + Thank you”
The envelope bore only the recipient’s address. We deliberately omitted the sender in order to arouse people’s curiosity and to increase the probability that the USB stick would be inserted.
Now I have three questions for you:
- What would you have done if such a letter had landed in your mailbox?
- How would your employees have behaved?
- How many times do you think the USB stick was inserted?
Angry people, threats and police
We were well aware that this action was quite brazen. Would people understand our “good intentions” and be grateful that they got off lightly this time?
The answer was a clear “NO”. That became apparent three days later, when we called them and asked about the USB stick. I would say that out of the 80 people we reached, about 5 understood the action and even praised it as an original marketing idea.
The rest were angry, saw us as the enemy and threatened legal action. Two of our USB sticks even ended up with the police.
65% insertion rate
Let’s put emotions aside and focus on the impact of our campaign. The scary thing was that 65% of all the people we could reach by phone had plugged the USB stick into a company computer! Assuming that not everyone admitted to having inserted the stick, the real figure would be even higher.
This means that at least 52 people compromised security in their company by inserting a flash drive without knowing who it came from or what files were on it.
Although we can of course understand the angry reactions of these people, we believe that one’s own ego has no place at this point. You should realize that in this situation you were vulnerable to attack via a stupid, simple USB stick, and were caught out by a method from the 1990s. Even the best firewall in the world would not have been able to stop such an attack, because the stick was carried straight past the perimeter. In the end, the human being was probably the biggest danger here, because without them the USB stick would never have gotten into the network. So adequately training staff and alerting them to such dangers is an important part of your IT security.
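Because the stick bypasses the firewall entirely, the place where a defender can still see it is the endpoint’s own device log. The following Python script is an added example, not part of the original post and not Sophos code. It assumes a flat export of USB mass-storage arrival events (timestamp, host, Windows USBSTOR device instance path; the sample lines below are constructed) and an assumed allowlist of serial numbers for company-issued sticks. It flags every insertion of an unapproved stick, shows which hosts a single unknown serial has travelled across (one serial on many hosts is exactly the pattern a drop campaign like the one above would leave), and reports the share of hosts affected, the same figure the post counts by phone.

```python
"""Flag removable-media insertions from unapproved devices in an exported host log."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export (not from the original post). Each line mimics a flat
# dump of a USB mass-storage arrival event: timestamp, host, and the Windows
# USBSTOR device instance path, whose last segment carries the device serial.
SAMPLE_LOG = r"""2016-11-07T08:14:02 host=WS-ACCT-01 event=usb_arrival instance=USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0019E06B1A2B&0
2016-11-07T09:02:41 host=WS-SALES-02 event=usb_arrival instance=USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\070C4E1B9F33&0
2016-11-07T09:05:13 host=WS-SALES-02 event=usb_arrival instance=USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\070C4E1B9F33&0
2016-11-07T10:47:55 host=WS-CEO-01 event=usb_arrival instance=USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\070C4E1B9F33&0
2016-11-07T11:20:09 host=WS-HR-03 event=usb_arrival instance=USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\5A9C22D1&0
2016-11-07T11:21:30 host=WS-HR-03 event=heartbeat
"""

# Assumed allowlist: serials of sticks the company itself issued (constructed values).
APPROVED_SERIALS = {"0019E06B1A2B", "5A9C22D1"}

# Only mass-storage arrival lines match; anything else in the export is ignored.
LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) event=usb_arrival "
    r"instance=USBSTOR\\Disk&Ven_(?P<vendor>[^&]+)&Prod_(?P<product>[^&]+)"
    r"&Rev_[^\\]+\\(?P<serial>[^&]+)&\d+"
)


@dataclass(frozen=True)
class UsbArrival:
    ts: str
    host: str
    vendor: str
    product: str
    serial: str


def parse_arrivals(text: str) -> list[UsbArrival]:
    """Extract USB mass-storage arrival events from the export text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            events.append(UsbArrival(**m.groupdict()))
    return events


def unapproved_arrivals(events: list[UsbArrival], approved=APPROVED_SERIALS) -> list[UsbArrival]:
    """Every insertion of a stick whose serial is not on the allowlist."""
    return [e for e in events if e.serial not in approved]


def hosts_by_unknown_serial(events: list[UsbArrival], approved=APPROVED_SERIALS) -> dict[str, set[str]]:
    """Map each unapproved serial to the hosts it was plugged into.

    One serial appearing on several hosts means the same foreign stick is being
    passed around, which is the signature of a dropped or mailed USB stick.
    """
    spread: dict[str, set[str]] = defaultdict(set)
    for e in unapproved_arrivals(events, approved):
        spread[e.serial].add(e.host)
    return dict(spread)


def affected_host_ratio(events: list[UsbArrival], approved=APPROVED_SERIALS) -> float:
    """Share of hosts in the export on which at least one unapproved stick was inserted."""
    all_hosts = {e.host for e in events}
    if not all_hosts:
        return 0.0
    bad_hosts = {e.host for e in unapproved_arrivals(events, approved)}
    return len(bad_hosts) / len(all_hosts)


if __name__ == "__main__":
    evs = parse_arrivals(SAMPLE_LOG)
    for serial, hosts in hosts_by_unknown_serial(evs).items():
        print(f"unapproved stick {serial} seen on {len(hosts)} host(s): {sorted(hosts)}")
    print(f"hosts with an unapproved insertion: {affected_host_ratio(evs):.0%}")
```

On the constructed sample, the unknown serial 070C4E1B9F33 turns up on two different hosts and half of all hosts saw an unapproved stick. The allowlist is the key design choice: without an inventory of issued device serials, a log of insertions can only tell you how often sticks are used, not whether any of them was foreign.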
Our marketing campaign showed that an organization needs to have endpoint protection installed on every client. Only good endpoint protection that acts on behavior and does not rely on signatures is the standard in today’s world. If you are looking for such a product from Sophos, you will sooner or later end up at Sophos Central. We always recommend the dream team of Sophos Central Endpoint + Intercept X as the basic configuration. If you want to follow our recommendation, you can buy Sophos Central Intercept X Advanced right now, where both products are included.
Even though we did not win any new orders as a result of this campaign, it was still not completely in vain from our point of view. We are convinced that this action will make a few people act more cautiously next time and hesitate before inserting a USB stick into their computer.