Protecting Our Ports

Data devices that plug into computers make many jobs easier, but they can expose networks to attacks.

All it takes is one thumb drive or other external data device plugged into a computer to jeopardize the security of information on federal networks. Army officials learned that lesson the hard way in November 2008, when a removable storage device plugged into a computer's Universal Serial Bus port introduced a worm that spewed malicious code across the network. The Defense Department has remained mum on the specifics of the attack, but hackers have used similar types of malware to take control of computers remotely and steal files.

Now other agencies are trying to find ways to protect their data without sacrificing productivity. External storage devices that plug into a USB port have become ubiquitous in federal government. Employees use thumb drives and handheld computers to transfer files that are too large to e-mail or send over a network, or store documents while working remotely without network access. Military members in the field use flash drives when scarce bandwidth makes it difficult to access critical information on the network.

These devices enable employees to do their jobs, but also jeopardize network security.

"It's a threat - that's been proven," says Pat Howard, chief information security officer at the Nuclear Regulatory Commission. "It's tough to make the system smart enough to identify what is or is not safe. But you can't say, 'No, you can't do this,' without offering some alternative for meeting business requirements." NRC inspectors, for example, often use flash drives when conducting field work.

Typically, when one talks about the security of removable computer devices, it's in the context of a data breach: An employee downloads from the network sensitive files that are then exposed to unauthorized users, lost or stolen. But that isn't the only risk. Worms and viruses can spread through removable components as easily as through the Internet, and federal cybersecurity requirements don't properly address that risk.

In the Army's case, the virus was an AutoRun worm, which installs a file on a thumb drive or other device that is plugged into an infected computer and triggers the Microsoft operating system to execute the worm when the thumb drive is plugged into another computer. Viruses are slightly different, because they require a user to click on an executable file to infect a system. The program then infiltrates the network, as was the case at Army, says Jim Russell, vice president for the public sector at security software company Symantec.
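A defender-side check for the AutoRun mechanism described above, as an added example that is not from the original article: it parses the text of an `autorun.inf` file taken from removable media and reports the entries that tell Windows to launch a program. The function names and the sample file contents are constructed for illustration.

```python
import re

# autorun.inf keys in the [autorun] section that name a program to launch:
# open=, shellexecute=, and shell\<verb>\command=
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


def find_autorun_launchers(inf_text):
    """Return (key, target) pairs from [autorun] that would start a program."""
    findings = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            # Section names are case-insensitive; only [autorun] matters here.
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # other sections and junk padding lines are ignored
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if EXEC_KEYS.match(key) and value:
            findings.append((key.lower(), value))
    return findings


# Constructed sample: a drive whose autorun.inf launches a program on insert
# and also from the Explorer right-click menu.
SAMPLE_LAUNCHER = """\
; constructed sample, not taken from a real incident
[AutoRun]
Open = updater.exe /s
Icon=folder.ico
shell\\explore\\command=updater.exe
[Content]
MusicFiles=false
"""

# Constructed sample: cosmetic settings only, nothing is launched.
SAMPLE_BENIGN = """\
[autorun]
label=Field Reports
icon=drive.ico
"""

if __name__ == "__main__":
    for name, text in (("launcher", SAMPLE_LAUNCHER), ("benign", SAMPLE_BENIGN)):
        print(name, find_autorun_launchers(text))
```

A non-empty result on a drive that is only supposed to carry documents is a reason to quarantine the drive before it is opened on a networked machine.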

"Failure to properly configure [security software] hurts the ability to cleanse the data coming into the network," he says. "With the explosion of these types of devices, the endpoint has become far tougher to manage." A 2007 Office of Management and Budget directive provides some guidance for locking down networks by requiring agencies to use a standard set of security settings for the Microsoft Windows operating system.

But every infrastructure is different, whether it is for collecting tax information from citizens or sharing intelligence on terrorist suspects, and security policies must address all risks.

As of mid-February, the Defense Department still had a temporary ban on removable storage devices. But the USB port is essential for many employees, especially those who spend time in the field.

The best strategy for minimizing risk is a combination of tight security policy and multiple layers of protection for the computer network and the removable device.

Few agencies cover all those bases.

"Everyone has a flash drive hanging from around their necks, and there's the capacity for a lot of data to disappear or malware to find its way onto computers - even when the flash drive has been authorized," Howard says.

"Nothing is certain. Additional controls have to be put in place."

NRC requires all agency files downloaded to a flash drive to be encrypted, and forbids employees from downloading sensitive files to personal storage devices. Long-term plans include technologies that will prevent the download of such files, but for now, Howard has to rely on people to comply and accept the risk that comes with what he calls the "human element."

Technology managers must ensure that antivirus and anti-malware software is installed, current and properly configured on all computers.

"If you keep patches and antivirus up to date, that's one step to making sure the machines you're working with are a first line of defense," says Lou Magnotti, chief information officer at the U.S. House of Representatives.

As an alternative to flash drives, House members can use a "secure vault," Magnotti says, that encrypts and stores sensitive documents, such as draft bills and minutes from closed committee meetings, on a network drive that can be accessed remotely. He also is considering purchasing encrypted thumb drives.

The interagency Data-at-Rest Tiger Team, which was formed to lead data encryption policy and acquisition efforts, is weighing whether to incorporate anti-malware protection into blanket purchase agreements, says Dave Hollis, director of the tiger team and cyberspace programs for Defense's Information Assurance program. Anti-malware would enable technologists to prevent malicious programs from launching.

"Locking all doors and hardening the targets is critically important," says Christopher Painter, deputy assistant director of the FBI's cyber division. "But everyone recognizes that no matter how well you do that, there will be persistent attackers that will get into systems. . . . It's easier to play offense, because you can focus on one hole to get through. In defense, you need to protect everything."
