The Honey Stick Project Home Page
Big Surprises Can Come in Little Packages
If Your Staff Made The Wrong Risk Decision Over 50% Of The Time, Wouldn't You Want To Know? (Current response rate: 65% FAIL)
The Honey Stick Project is a research project under The Streetwise Security Zone, designed to measure the risk decisions of real people in a simulated threat environment. Its purpose is to determine how many people still do not realize that it can be very dangerous to insert unknown devices into their computer systems, and who take risky actions when forced to make those kinds of decisions. Just as email attachments can carry viruses, USB Flash Drives that have been exposed to dangerous environments can contain malicious programs that can infect systems with:
- Keyloggers that capture passwords and other information, sending them back to a third party identity thief, hacker or corporate spy
- Trojan Horse Programs that spy on users and network activity
- Botnets that can perform illegal actions with your systems
- Rootkits that can silently and surreptitiously take control of your computer and hide themselves and their actions from anti-virus programs
The Honey Stick Project experiment is simple. USB Flash Drives, specially configured with safe files that simply cause a unique event to be logged when a file on one of them is opened, are dropped in publicly accessible locations. The number of devices whose files are opened and logged is counted as a percentage of the total number of devices dropped. The Honey Stick Project's presumption is that the percentage of devices logged approximates the percentage of the population that tends to make unsafe risk decisions about their use of the Internet and their sensitive information.
Note: It is possible that a device whose use was detected was inserted into a dedicated computer that holds no sensitive information and has no direct connection to any other system that does. Even if that were the case, however, certain malware infections (such as botnets) can make use of seemingly insignificant computers to launch attacks on other computers, putting your reputation at risk and exposing you to liability for illegal use of your Internet connection.
How are the people who have found my devices doing?
As of July, 2009, not very well...
Out of 54 devices dropped with specially configured - but safe - files on them, the Honey Stick Project has detected that at least 35 of these devices have had files opened.
This indicates that 65% of these devices were picked up and used in computers connected to the Internet.
For tips and discussions of the risks from improper handling of mobile devices and related social engineering attacks, click HERE to visit the Honey Stick Project Blog.
How would your staff do in a Honey Stick Test if you ran one in your office?
The objective in running a Honey Stick Test is to create a baseline metric that you can use as a starting point for educating staff on information security risks. Policies and technical safeguards have practical limitations, which means that ongoing and up-to-date security awareness is essential to preserving your investment in technology. Everybody has seen and used USB Flash Drives, but most are not aware of the risks they can expose themselves to.
Click HERE for more information on running your own Honey Stick Test.
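As an added illustration of how the tally described above (devices opened as a percentage of devices dropped) can be computed from the logged events, here is example code written for this page; it is not the project's own tooling. It reads a callback log, counts each dropped device once no matter how many times its files were opened, sets aside tokens that were never part of the drop and lines that do not parse, and reports the fail rate against the drop inventory, including the devices that never reported. The log line format, the token scheme, the file names and all sample lines are constructed assumptions.

```python
"""Tally callback events from dropped honey sticks (example, not the project's code)."""
import re
from collections import Counter

# Constructed inventory: 54 dropped devices, each labelled with a unique token
# that was written into its bait files before the drop (token scheme is an assumption).
DROPPED_DEVICES = [f"HS-{n:03d}" for n in range(1, 55)]

# Constructed sample of a callback log. Assumed format, one event per line:
#   <ISO timestamp> token=<device token> file=<name of the bait file opened>
SAMPLE_LOG = "\n".join(
    [f"2009-06-{(i % 28) + 1:02d}T10:{i:02d}:00Z token=HS-{i:03d} file=readme.doc"
     for i in range(1, 36)]                                 # 35 distinct devices report in
    + ["2009-06-12T11:05:00Z token=HS-007 file=readme.doc",   # same device, opened again
       "2009-06-13T09:00:00Z token=HS-007 file=notes.txt",    # same device, different file
       "2009-06-14T08:30:00Z token=HS-999 file=readme.doc",   # token never dropped: noise
       "garbage line that does not match the format"]       # malformed: must not count
)

LINE_RE = re.compile(r"^(?P<ts>\S+) token=(?P<token>HS-\d{3}) file=(?P<file>\S+)$")


def parse_log(text):
    """Return ([(timestamp, token, file), ...], malformed_line_count)."""
    events, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["token"], m["file"]))
        else:
            malformed += 1
    return events, malformed


def honey_stick_summary(log_text, dropped):
    """Fail rate = distinct dropped devices with at least one opened file / devices dropped."""
    inventory = set(dropped)
    events, malformed = parse_log(log_text)
    # A device counts once, however many opens it generated.
    opens_per_device = Counter(tok for _, tok, _ in events if tok in inventory)
    # Tokens outside the inventory are not evidence of anything and are reported separately.
    unknown = sorted({tok for _, tok, _ in events if tok not in inventory})
    opened = len(opens_per_device)
    rate = 100.0 * opened / len(inventory) if inventory else 0.0
    return {
        "dropped": len(inventory),
        "opened": opened,
        "fail_rate_pct": round(rate),
        "never_opened": sorted(inventory - set(opens_per_device)),
        "repeat_opens": {t: c for t, c in opens_per_device.items() if c > 1},
        "unknown_tokens": unknown,
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    summary = honey_stick_summary(SAMPLE_LOG, DROPPED_DEVICES)
    print(f"{summary['opened']} of {summary['dropped']} devices opened "
          f"({summary['fail_rate_pct']}% FAIL); "
          f"{len(summary['never_opened'])} never reported, "
          f"{len(summary['unknown_tokens'])} unknown tokens, "
          f"{summary['malformed_lines']} malformed lines")
```

With the constructed sample this yields 35 of 54 devices opened, a 65% fail rate matching the figures on this page. The deduplication matters: a single curious finder who opens every file on one stick would otherwise inflate the rate, and a token that was never dropped is either a logging error or someone probing the collection endpoint, so it is listed rather than counted.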