The Honey Stick Project
Understanding the Human Threats and Vulnerabilities Facing Mobile-Accessible Information
The question that sparks discussion about security awareness:
If your mobile device is lost, what's likely to happen to it?
Rate at which finders of lost USB drives plugged them into a computer and opened files: 65% FAIL
Click HERE for summary breakdown of Phase 1 results.
Click HERE for the full Symantec Smartphone Honey Stick Report.
A February 2012 study examined the human threats to lost smartphones.
Of 50 phones "lost" in 5 North American cities:
83% had attempts to access business apps
89% had attempts to access personal apps
96% had attempts to access at least some type of data
50% of finders contacted the owner and offered to help return the phone
The most popular apps accessed were:
- Private Pictures
- Social Networking
On March 8, 2012, results of Phase 2 of the Honey Stick Project were released in a big way. The March 8 edition of the NBC "Today" Show aired a segment featuring some detailed, eye-opening results from the next major phase of the Honey Stick Project. Click HERE for the article/video.
The Honey Stick Project (HSP) is a research project created by Security Perspectives Inc. It's designed to measure the decisions of real people and simulate threats and risks to information in a mobile environment. The original purpose of the HSP was to determine the percentage of people who do not realize that it can be very dangerous to insert unknown devices into their computer systems, and who take potentially risky actions when forced to make those kinds of decisions.
Just as email attachments can carry viruses, mobile storage devices such as USB flash drives that have been exposed to untrusted environments can carry malware and infect computer systems with:
- Keyloggers that capture passwords and other information and send them back to a third party: an identity thief, hacker or corporate spy
- Trojan horse programs that spy on users and network activity
- Bot software that enrolls your systems in a botnet and uses them to perform illegal actions
- Rootkits that silently take control of your computer and hide themselves and their actions from anti-virus programs
Phase 2 focused more on measuring the human threats to sensitive mobile-accessible data, for example on a lost smartphone.
The Honey Stick Project experiment is based on a technique for logging activities that occur on lost devices. Data collected is anonymous, and no attempt is made to collect personal information from the devices.
How are the people who have found mobile devices doing?
As of February, 2012, not very well...
In Phase 1 (Lost USB Drives) - Out of 54 devices dropped with specially configured - but safe - files on them, the Honey Stick Project has detected that at least 35 of these devices (about 65%) have had files opened.
This indicates that at least 65% of these devices were picked up and used in computers connected to the Internet. Because a planted file can only report back when it is opened on a computer with Internet access, the figure is a lower bound: a device used on an offline or firewalled machine would not be detected.
For tips and discussions of risks from improper handling of mobile devices and related social engineering attacks, click HERE to visit the Honey Stick Project Blog.
In Phase 2 (Lost Smartphones) - Out of 50 devices lost, over 80% showed evidence of finders attempting to access business or personal apps. While few people expect to lose their smartphones, the consequences of NOT having safeguards in place to protect sensitive personal and business data can be severe.
So it's important to have good corporate policies on mobile device security, enforce strong passcodes, use specialized technology to protect mobile-accessible data, and educate staff on how to handle sensitive information, wherever it may be.
Click HERE for the complete Symantec Smartphone Honey Stick Report.
How would your staff do in a Honey Stick Test if you ran one in your office?
The objective in running a Honey Stick Test is to create a baseline metric that you can use as a starting point for educating staff on information security risks. Policies and technical safeguards have practical limitations, which means that ongoing and up-to-date security awareness is essential to preserving your investments in technology. Everybody has seen and used USB flash drives, and many now have smartphones that can carry and access tremendous amounts of data, but most are not aware of the risks they can be exposed to.
Click HERE for more information on running your own Honey Stick Test.
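The page describes the Honey Stick technique (planted files that log when they are opened on an Internet-connected computer) and the "at least 35 of 54" Phase 1 metric, but not how the logging or the arithmetic is done. The following is an added example, not the Honey Stick Project's own code, showing how a do-it-yourself test could generate a per-device beacon token, parse the beacon server's access log, count each device once however many times it is opened, and report the opened-device rate as the lower bound it really is. The beacon host, the URL scheme, the combined-log format and the sample log lines are all assumptions made for the example.

```python
"""Beacon-log analysis for a honey-stick style test (added example).

Each planted document fetches a unique URL from a server you control when it is
opened on an online machine; the server's access log is the evidence that the
device was used.  Host, URL scheme and log format below are assumptions.
"""
import re
import secrets
from datetime import datetime

BEACON_HOST = "beacon.example.net"  # hypothetical host you control

# Combined/common log format, assumed for the beacon web server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /b/(?P<token>[0-9a-f]{32})\.png HTTP/1\.[01]" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def make_drops(drop_ids):
    """Assign each drop (e.g. "city-A-01") a random 128-bit token.

    Only the token is embedded in the planted file; the token -> drop mapping
    stays on the server, so the file itself reveals nothing about the test or
    about any other planted device.
    """
    return {secrets.token_hex(16): drop_id for drop_id in drop_ids}


def beacon_url(token):
    """URL the planted document fetches when it is opened on an online machine."""
    return f"https://{BEACON_HOST}/b/{token}.png"


def parse_beacon_hits(log_lines, drops):
    """Map drop_id -> timestamp of its first callback.

    Repeated opens of the same device count once; requests for unknown tokens
    (scanners, typos) and unparseable lines are ignored; and the client IP is
    discarded so the record stays anonymous, as the project describes.
    """
    first_seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        drop_id = drops.get(m.group("token"))
        if drop_id is None:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        if drop_id not in first_seen or ts < first_seen[drop_id]:
            first_seen[drop_id] = ts
    return first_seen


def opened_rate(drops, hits):
    """Fraction of dropped devices known to have been used online.

    A beacon only fires on an Internet-connected machine, so this is a lower
    bound: devices opened offline, or with the beacon blocked, are invisible.
    """
    total = len(set(drops.values()))
    return len(hits) / total if total else 0.0


if __name__ == "__main__":
    # 54 drops, as in Phase 1 of the project; the log lines are constructed.
    drops = make_drops([f"drop-{i:02d}" for i in range(1, 55)])
    tokens = list(drops)
    sample_log = [
        f'198.51.100.4 - - [14/Feb/2012:10:22:01 -0500] "GET /b/{tokens[0]}.png HTTP/1.1" 200 68',
        f'198.51.100.4 - - [14/Feb/2012:11:00:00 -0500] "GET /b/{tokens[0]}.png HTTP/1.1" 200 68',
        f'203.0.113.9 - - [15/Feb/2012:09:05:30 -0500] "GET /b/{tokens[1]}.png HTTP/1.0" 200 68',
        f'203.0.113.9 - - [15/Feb/2012:09:05:31 -0500] "GET /b/{"0" * 32}.png HTTP/1.1" 404 0',
        "malformed line that should be skipped",
    ]
    hits = parse_beacon_hits(sample_log, drops)
    for drop_id, ts in sorted(hits.items()):
        print(f"{drop_id}: first opened {ts.isoformat()}")
    print(f"at least {opened_rate(drops, hits):.1%} of devices were used online")
```

The dedup step matters for the headline number: one curious finder opening every file on a drive produces many callbacks but is still one device, and the Phase 1 figure is stated per device. The rate function deliberately says "at least" because the test has no visibility into devices used on a machine that never reaches your beacon host.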