Yes, but by then the damage could be done.
"Listen, Gary? That's your name right? Let's make it short; you work as security staff at companyX, and you can be seen introducing that USB key on the surveillance video footage, right fucking there... That USB key, which we know now, was the attack vector on companyX's computers, and servers. Where 10 billions worth of data were stolen and damaged last week... So. Gary. The good news is that I can help you. But I can only help you if you help me. The bad news is that if I can't help you, as things stand out, you'll end up charged with a long list of computer crimes and you aren't going to get anything under 30 years in a federal prison. That is, unless, you help us out find who gave you that key.... So. Gary.... Who gave you the key?"
That's the thing, Gary doesn't know, it's just some dude he met in a bar that gave him $1000 and a USB key. Gary takes the fall and the bad guy gets the data.
That's the thing about OPSEC, you have to treat every avenue as a credible threat because it is.
"Hello, I'm a stranger in a bar wearing a mask and a pair of gloves, my name is michael jordan, take those 1000 bucks and insert that highly suspicious USB key at your workplace for me. Thank you. (and btw I'm not a fed and not a jew. In case you would ask.)"
You would really have to find the dumbest grunt of them all to accept such deal.... Probably too dumb to actually work for companyX, btw...
And then he takes the money, and walks away... And that's it, no more nothing, it's gone it's all gone. And he told the cops on top of that, because they are his friends...
(post is archived)