All it takes is one thumb drive or other external data device plugged into a computer to jeopardize the security of information on federal networks. Army officials learned that lesson the hard way in November 2008, when a removable storage device plugged into a computer's Universal Serial Bus port introduced a worm that spewed malicious code across the network. The Defense Department has remained mum on the specifics of the attack, but hackers have used similar types of malware to take control of computers remotely and steal files.
Now other agencies are trying to find ways to protect their data without sacrificing productivity. External storage devices that plug into a USB port have become ubiquitous in federal government. Employees use thumb drives and handheld computers to transfer files that are too large to e-mail or send over a network, or store documents while working remotely without network access. Military members in the field use flash drives when scarce bandwidth makes it difficult to access critical information on the network.
These devices enable employees to do their jobs, but also jeopardize network security.
"It's a threat-that's been proven," says Pat Howard, chief information security officer at the Nuclear Regulatory Commission. "It's tough to make the system smart enough to identify what is or is not safe. But you can't say, 'No, you can't do this,' without offering some alternative for meeting business requirements." NRC inspectors, for example, often use flash drives when conducting field work.
Typically, when one talks about the security of removable computer devices, it's in the context of a data breach: An employee downloads from the network sensitive files that are then exposed to unauthorized users, lost or stolen. But that isn't the only risk. Worms and viruses can spread through removable components as easily as through the Internet, and federal cybersecurity requirements don't properly address that risk.
In the Army's case, the virus was an AutoRun worm, which installs a file on a thumb drive or other device that is plugged into an infected computer and triggers the Microsoft operating system to execute the worm when the thumb drive is plugged into another computer. Viruses are slightly different, because they require a user to click on an executable file to infect a system. The program then infiltrates the network, as was the case at Army, says Jim Russell, vice president for the public sector at security software company Symantec.
"Failure to properly configure [security software] hurts the ability to cleanse the data coming into the network," he says. "With the explosion of these types of devices, the endpoint has become far tougher to manage." A 2007 Office of Management and Budget directive provides some guidance for locking down networks by requiring agencies to use a standard set of security settings for the Microsoft Windows operating system.
But every infrastructure is different, whether it is for collecting tax information from citizens or sharing intelligence on terrorist suspects, and security policies must address all risks.
As of mid-February, the Defense Department still had a temporary ban on removable storage devices. But the USB port is essential for many employees, especially those who spend time in the field.
The best strategy for minimizing risk is a combination of tight security policy and multiple layers of protection for the computer network and the removable device.
Few agencies cover all those bases.
"Everyone has a flash drive hanging from around their necks, and there's the capacity for a lot of data to disappear or malware to find its way onto computers-even when the flash drive has been authorized," Howard says.
"Nothing is certain. Additional controls have to be put in place."
NRC requires all agency files downloaded to a flash drive to be encrypted, and forbids employees from downloading sensitive files to personal storage devices. Long-term plans include technologies that will prevent the download of such files, but for now, Howard has to rely on people to comply and accept the risk that comes with what he calls the "human element."
Technology managers must ensure that antivirus and anti-malware software is installed, current and properly configured on all computers.
"If you keep patches and antivirus up to date, that's one step to making sure the machines you're working with are a first line of defense," says Lou Magnotti, chief information officer at the U.S. House of Representatives.
As an alternative to flash drives, House members can use a "secure vault," Magnotti says, that encrypts and stores sensitive documents, such as draft bills and minutes from closed committee meetings, on a network drive that can be accessed remotely. He also is considering purchasing encrypted thumb drives.
The interagency Data-at-Rest Tiger Team, which was formed to lead data encryption policy and acquisition efforts, is weighing whether to incorporate anti-malware protection into blanket purchase agreements, says Dave Hollis, director of the tiger team and cyberspace programs for Defense's Information Assurance program. Anti-malware would enable technologists to prevent malicious programs from launching.
"Locking all doors and hardening the targets is critically important," says Christopher Painter, deputy assistant director of the FBI's cyber division. "But everyone recognizes that no matter how well you do that, there will be persistent attackers that will get into systems. . . . It's easier to play offense, because you can focus on one hole to get through. In defense, you need to protect everything."