Protecting Our Ports

Data devices that plug into computers make many jobs easier, but they can expose networks to attacks.

All it takes is one thumb drive or other external data device plugged into a computer to jeopardize the security of information on federal networks. Army officials learned that lesson the hard way in November 2008, when a removable storage device plugged into a computer's Universal Serial Bus port introduced a worm that spewed malicious code across the network. The Defense Department has remained mum on the specifics of the attack, but hackers have used similar types of malware to take control of computers remotely and steal files.

Now other agencies are trying to find ways to protect their data without sacrificing productivity. External storage devices that plug into a USB port have become ubiquitous in federal government. Employees use thumb drives and handheld computers to transfer files that are too large to e-mail or send over a network, or store documents while working remotely without network access. Military members in the field use flash drives when scarce bandwidth makes it difficult to access critical information on the network.

These devices enable employees to do their jobs, but also jeopardize network security.

"It's a threat – that's been proven," says Pat Howard, chief information security officer at the Nuclear Regulatory Commission. "It's tough to make the system smart enough to identify what is or is not safe. But you can't say, 'No, you can't do this,' without offering some alternative for meeting business requirements." NRC inspectors, for example, often use flash drives when conducting field work.

Typically, when one talks about the security of removable computer devices, it's in the context of a data breach: An employee downloads from the network sensitive files that are then exposed to unauthorized users, lost or stolen. But that isn't the only risk. Worms and viruses can spread through removable components as easily as through the Internet, and federal cybersecurity requirements don't properly address that risk.

In the Army's case, the malware was an AutoRun worm, which installs a file on a thumb drive or other device that is plugged into an infected computer. That file triggers the Microsoft operating system to execute the worm when the thumb drive is plugged into another computer. Viruses are slightly different, because they require a user to click on an executable file to infect a system. The program then infiltrates the network, as was the case at Army, says Jim Russell, vice president for the public sector at security software company Symantec.
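The file that Windows AutoRun reads from the root of a removable drive is `autorun.inf`. As an added illustration (not part of the original article), this Python sketch shows how an endpoint check could flag a drive whose `autorun.inf` asks Windows to launch a program; the sample file contents and the name `updater.exe` are constructed for the example.

```python
import re

# Keys in the [autorun] section that make Windows start a program.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def launch_directives(inf_text):
    """Return (key, command) pairs in [autorun] that would start a program."""
    findings = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # other sections and junk padding lines are ignored
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if LAUNCH_KEYS.match(key) and value:
            findings.append((key.lower(), value))
    return findings

def triage(inf_text):
    """Quarantine the drive if its autorun.inf launches anything."""
    hits = launch_directives(inf_text)
    return ("quarantine" if hits else "allow", hits)

# Constructed sample: mixed-case keys and a junk line, as a scanner must tolerate.
SUSPECT_INF = r"""
; constructed sample
[AutoRun]
xkqjw
 Open = updater.exe
icon=folder.ico
shell\open\command=updater.exe
label=Backup
"""

# Constructed sample: cosmetic keys only, nothing is executed.
BENIGN_INF = "[autorun]\nlabel=Field Reports\nicon=drive.ico\n"

if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT_INF), ("benign", BENIGN_INF)):
        print(name, triage(text))
```

A check like this complements, rather than replaces, disabling AutoRun in the operating system's security settings.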

"Failure to properly configure [security software] hurts the ability to cleanse the data coming into the network," he says. "With the explosion of these types of devices, the endpoint has become far tougher to manage." A 2007 Office of Management and Budget directive provides some guidance for locking down networks by requiring agencies to use a standard set of security settings for the Microsoft Windows operating system.

But every infrastructure is different, whether it is for collecting tax information from citizens or sharing intelligence on terrorist suspects, and security policies must address all risks.

As of mid-February, the Defense Department still had a temporary ban on removable storage devices. But the USB port is essential for many employees, especially those who spend time in the field.

The best strategy for minimizing risk is a combination of tight security policy and multiple layers of protection for the computer network and the removable device.

Few agencies cover all those bases.

"Everyone has a flash drive hanging from around their necks, and there's the capacity for a lot of data to disappear or malware to find its way onto computers – even when the flash drive has been authorized," Howard says.

"Nothing is certain. Additional controls have to be put in place."

NRC requires all agency files downloaded to a flash drive to be encrypted, and forbids employees from downloading sensitive files to personal storage devices. Long-term plans include technologies that will prevent the download of such files, but for now, Howard has to rely on people to comply and accept the risk that comes with what he calls the "human element."

Technology managers must ensure that antivirus and anti-malware software is installed, current and properly configured on all computers.

"If you keep patches and antivirus up to date, that's one step to making sure the machines you're working with are a first line of defense," says Lou Magnotti, chief information officer at the U.S. House of Representatives.

As an alternative to flash drives, House members can use a "secure vault," Magnotti says, that encrypts and stores sensitive documents, such as draft bills and minutes from closed committee meetings, on a network drive that can be accessed remotely. He also is considering purchasing encrypted thumb drives.

The interagency Data-at-Rest Tiger Team, which was formed to lead data encryption policy and acquisition efforts, is weighing whether to incorporate anti-malware protection into blanket purchase agreements, says Dave Hollis, director of the tiger team and cyberspace programs for Defense's Information Assurance program. Anti-malware would enable technologists to prevent malicious programs from launching.

"Locking all doors and hardening the targets is critically important," says Christopher Painter, deputy assistant director of the FBI's cyber division. "But everyone recognizes that no matter how well you do that, there will be persistent attackers that will get into systems. . . . It's easier to play offense, because you can focus on one hole to get through. In defense, you need to protect everything."
