On March 30, 2019, a woman named Yujing Zhang entered the Mar-a-Lago Club in Palm Beach, Florida – President Trump’s home away from the White House. She made it past the initial security checkpoint by allegedly saying that she was there to go to the swimming pool. Perhaps due to the language barrier, the security guards wrongfully assumed that Ms. Zhang was the relative of a Mar-a-Lago member with the same last name and allowed her onto the property [1]. According to court documents, Ms. Zhang passed at least two Secret Service agents and multiple restricted access signs as she made her way to the main reception area. From there, she could have been able to roam the club’s living room, patio, pool, and could even walk past President Trump’s private quarters [2]. After being asked several times by a receptionist why she was there, Ms. Zhang said that she was there for a United Nations Chinese American Association event later that day – but the receptionist knew there was no such event planned. At this point, Secret Service agents took Ms. Zhang to another location to interview her. After being questioned, a search of her belongings and hotel room turned up a laptop, hard drive, nine USB devices, five SIM cards, four cellphones, about $8,000 in cash, several credit and debit cards and a device used to detect hidden cameras [3]. A Secret Service agent inserted one of the USB devices into his government computer, which triggered the automatic installation of the files it contained [4].
How can you protect your space?
Physical security is the foundation for protecting confidential data. Without it, there is increased risk of unauthorized intruders, stolen devices, and misuse of confidential information. There are many ways for a business to protect itself physically including barriers such as gates, fences, and locked doors. Security guards, ID badges, key cards, and surveillance cameras also help deter intruders, malicious activity and theft. Secure rooms are necessary to protect sensitive data and valuable assets, such as servers and equipment. Clear policies outlining procedures for access of employees and guests, and policy adherence training are important aspects of any security plan. Physical controls such as these combined with strong requirements for passwords and even two-factor authentication provide for a solid foundation to protect computers and access to other devices.
What should you do if you find a USB drive?
Short answer: not what the Secret Service did in this case. There are many advantages for using USB devices, such as the convenience of on-the-go storage and portability, sharing data easily with others, and the decreasing cost of large amounts of storage in such a small device. However, inserting an unknown USB device into your computer is a dangerous thing to do. Imagine that you found a USB device on the ground outside of your building, or even on the floor in the hallway outside your office. Would your first instinct be to plug it in and see what is on it? Unless you know where the USB device came from, you should never insert it into your computer. The risk of the USB device potentially containing malicious software far outweighs the advantages of learning what is on the USB device. The Secret Service agent may have learned this lesson the hard way.
In addition, USB devices are inherently less secure storage than servers and internal hard drives. When putting files on a USB device, you need to think – what would happen if I lost this device? What if someone stole the USB device which stored important company information? If you need to use a USB device, keep it in a secure location and keep a watchful eye to avoid it being misused or stolen. Better yet, use one of the many available USB devices that offer built-in encryption in order to provide security to the information stored on it, even if it ends up in the wrong hands.
Using the Mar-a-Lago incident, we have learned the importance of physical security and USB device safety. There were multiple points on the timeline at which the opportunity to use strong security practices and employ basic understanding of how to treat an unknown USB device arose. It is a good reminder to take the opportunity to reevaluate your security practices and knowledge, and address any problems you might have in your own workplace. Notably, the Director of the Secret Service resigned this week, leaving some questioning whether the incident had any impact on the timing of this.