The Honey Stick Project


Understanding the Human Threats and Vulnerabilities Facing Mobile-Accessible Information

 

The question that sparks discussion about security awareness:

If your mobile device is lost, what's likely to happen to it?

 

 

Phase 1

Rate of access to unknown devices by finders of lost USB drives: 65% FAIL

Click HERE for summary breakdown of Phase 1 results.

 

Phase 2 - Smartphones in North America

(sponsored by Symantec)

Click HERE for the full Symantec Smartphone Honey Stick Report.

A February 2012 study examined human threats to lost smartphones in the USA and Canada.

Of 50 phones "lost" in 5 North American cities:

83% had attempts to access business apps

89% had attempts to access personal apps

96% had attempts to access at least some type of data

50% of finders contacted the owner and offered to help return the phone

The most popular apps accessed were:

1. Contacts
2. Private Pictures
3. Social Networking
4. Webmail
5. Passwords

On March 8, 2012, results of Phase 2 of the Honey Stick Project were released in a big way. The March 8 edition of the NBC "Today" Show aired a segment featuring some detailed, eye-opening results from the next major phase of the Honey Stick Project. Click HERE for the article/video.

 

Phase 3 - Smartphones in Brazil

(sponsored by Symantec)

Click HERE for the full Symantec Brazil Smartphone Honey Stick Report (in Portuguese).

A September 2013 study examined human threats to lost smartphones in Brazil.

Of 30 phones "lost" in 3 Brazilian cities:

53% had attempts to access business apps

83% had attempts to access personal apps

90% had attempts to access at least some type of data

27% of finders contacted the owner and offered to help return the phone

The most popular apps accessed were:

1. Private Pictures
2. Social Networking
3. Passwords
4. Online Banking
5. Cloud Documents

 

Phase 4 - Smartphones in Mexico

Click HERE for the full Symantec Mexico Smartphone Honey Stick Report (in Spanish).

A January 2014 study examined human threats to lost smartphones.

Of 30 phones "lost" in 3 Mexican cities:

87% had attempts to access business apps

90% had attempts to access personal apps

97% had attempts to access at least some type of data

17% of finders contacted the owner and offered to help return the phone

The most popular apps accessed were:

1. Private Photos
2. Social Networking
3. Contacts
4. Remote Admin
5. Passwords

 

Phase 5 - Smartphones in Canada

Click HERE for the full Symantec Canada Smartphone Honey Stick Report.

A January 2014 study examined human threats to lost smartphones.

Of 50 phones "lost" in 5 Canadian cities:

63% had attempts to access business apps

83% had attempts to access personal apps

93% had attempts to access at least some type of data

55% of finders contacted the owner and offered to help return the phone

The most popular apps accessed were:

1. Contacts
2. Social Networking
3. Private Pictures
4. Webmail
5. Passwords

 

 

The Honey Stick Project (HSP) is a research project created by Security Perspectives Inc. It's designed to measure the decisions of real people and simulate threats and risks to information in a mobile environment. The original purpose of the HSP was to determine the percentage of people who do not realize that it can be very dangerous to insert unknown devices into their computer systems, and who take potentially risky actions when forced to make those kinds of decisions.

Just as email attachments can carry viruses, mobile storage devices such as USB flash drives that have been exposed to dangerous environments can contain malware and can infect computer systems with:

  • Keyloggers that capture passwords and other information, sending them back to a third-party identity thief, hacker or corporate spy
  • Trojan Horse Programs that spy on users and network activity
  • Botnets that can perform illegal actions with your systems
  • Rootkits that can silently and surreptitiously take control of your computer and hide themselves and their actions from anti-virus programs

 

Phases 2 through 5 have focused more on measuring the human threats to sensitive mobile-accessible data, for example on a lost smartphone.

The Honey Stick Project experiment is based on a technique for logging activities that occur on lost devices. Data collected is anonymous, and no attempt is made to collect personal information from the devices.

How are the people who have found mobile devices doing?

As of today, not very well...

In Phase 1 (Lost USB Drives) - Out of 54 devices dropped with specially configured - but safe - files on them, the Honey Stick Project has detected that at least 35 of these devices have had files opened.

This indicates that 65% of these devices were picked up and used in computers connected to the Internet.

For tips and discussions of risks from improper handling of mobile devices and related social engineering attacks, click HERE to visit the Honey Stick Project Blog.

 

In Phases 2 through 5 (Lost Smartphones) - The studies showed evidence of the finders attempting to access either business or personal apps over 80% of the time. This indicates that, while few people expect to lose their smartphones, the consequences of NOT having security safeguards to protect sensitive personal and business data can be severe.

So, it's important to have good corporate policies on mobile device security, enforce good passwords and use specialized technology to protect mobile-accessible data, and educate staff on how to handle sensitive information, wherever it may be.

Click HERE for the complete Symantec Smartphone Honey Stick Report.

 

How would your staff do in a Honey Stick Test if you ran one in your office?

The objective in running a Honey Stick Test is to create a baseline metric that you can use as a starting point for educating staff on information security risks. Policies and technical safeguards have practical limitations, which means that ongoing and up-to-date security awareness is essential in preserving your investments in technology. Everybody has seen and used USB Flash drives and many now have Smartphones that can carry and access tremendous amounts of data, but most are not aware of the type of risks they can be exposed to.

Click HERE for more information on running your own Honey Stick Test.

Related Links:

> View the Honey Stick Project Blog articles

> Security Awareness Metrics and Testing links and resources

 


In The News

NBC "The TODAY Show"

BusinessWeek

PCWorld.com

Mashable.com

CTV Canada AM (National)

CBC News

CTV Ottawa News


Other coverage: For more security awareness content and tools from Scott Wright and Security Perspectives, check out the Streetwise Security Zone HERE!




Scott Wright is an information security coach, trainer and consultant whose services include risk management and security awareness. If you have questions or comments, you can contact Scott Wright at scott@streetwise-security-zone.com.

You can follow Scott Wright on Twitter at http://www.twitter.com/streetsec

The Honey Stick Project is sponsored by Security Perspectives Inc. and by Symantec (Phase 2 - Lost Smartphones), and is hosted by The Streetwise Security Zone at http://www.streetwise-security-zone.com


Copyright 2012. Security Perspectives Inc. All Rights Reserved.