Forward Observer

By Sean Gallagher

Why going nuclear on thumbdrives won't win the cyber war

Last week, the Pentagon confirmed that Defense Department networks were under attack by a computer worm. "We are aware of a global virus for which there are some public alerts, and we've seen some of these on our networks, and we are taking steps to identify and mitigate the virus," Pentagon spokesman Brian Whitman said in a statement on Nov. 21.

While Whitman would not go into the specifics of DOD measures, it was widely reported that Strategic Command (STRATCOM) had imposed an all-out ban on removable storage devices being attached to systems on the DOD's Global Information Grid in response to the worm, which spreads through devices like thumbdrives, writeable DVDs and removable hard drives.

Wired Magazine's Danger Room blog reported that an Army e-mail alert had been sent out relaying the instructions from STRATCOM, banning the use of removable media — thumb drives, external disks, CDs and DVDs — effective immediately. The e-mail indicated a worm, called Agent.btz, was the cause of the move by STRATCOM and Joint Task Force-Global Network Operations (JTF-GNO).

According to a report by Fox News, the virus may have caused the loss of classified data on a system that was infected through a thumb drive. Thumb drives, or flash drives, have been used on a number of occasions in penetration testing of networks because of the natural inclination of users to take a drive they've been given or have found and plug it into their systems to see what's on them — making them a potential security Jack-in-the-Box.

In the past, some commands have solved security concerns about small removable drives by going as far as to fill USB ports on desktop computers with glue. But removable media is also the bridge from the GIG's fast networks to its most disadvantaged users — mobile users, especially those on the battlefield. While the indefinite ban may be a short-term fix to the spread of the worm, it's a fix that could seriously interfere with the ability of warfighters to move data where it's needed.

Locking everything down “doesn't work for too long,” said Alan Murray, vice president for product management at Novell. “There are times when we need to 'sneaker-net' data around.”

The only way to get a perfectly secured computer, he said, is to disconnect it from everything — and that's hardly a mission-effective solution. Murray, who manages Novell's Zenworks Endpoint Security Management products, contends that a better long-term solution would be to blend security with configuration management, and restrict removable media through software to a set of trusted devices.

By using configuration management and access controls to specify in system management policy which users can connect removable media, and which removable media devices — by manufacturer, model number and serial number — they can connect, you can “measure your exposure and risk,” said Murray, and find a balance between security and flexibility that prevents a total cratering of productivity.
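As an added illustration of the approach Murray describes (this is not Novell's Zenworks policy format, nor code from the article), the sketch below models a default-deny policy keyed on user plus manufacturer, model number and serial number, and counts the approved pairings as a rough exposure measure. The user names, device identifiers and function names are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    vendor: str
    model: str
    serial: str  # serial string reported by the device; empty if it reports none

def norm(value):
    """Compare identifiers case-insensitively and without stray whitespace."""
    return value.strip().upper()

# Constructed policy: user -> set of (vendor, model, serial) that user may attach.
POLICY = {
    "alice": {("KINGSTON", "DT100", "0019E06B9C85")},
    "bob": {("KINGSTON", "DT100", "0019E06B9C85"),
            ("SANDISK", "CRUZER", "4C53000123")},
}

def decide(user, dev, policy=POLICY):
    """Default deny: allow only an exact vendor/model/serial match for this user."""
    serial = norm(dev.serial)
    if not serial:
        # Without a serial, one unit cannot be told apart from any other
        # unit of the same model, so it can never be a "trusted device".
        return "deny:no-serial"
    key = (norm(dev.vendor), norm(dev.model), serial)
    if key in policy.get(user, set()):
        return "allow"
    return "deny:not-approved"

def exposure(policy=POLICY):
    """Count users, distinct approved devices and approved user/device pairs."""
    devices = set().union(*policy.values()) if policy else set()
    pairs = sum(len(devs) for devs in policy.values())
    return {"users": len(policy), "devices": len(devices), "pairs": pairs}

# Constructed connection events: (user, device presented).
EVENTS = [
    ("alice", Device("Kingston", "DT100", " 0019e06b9c85 ")),
    ("alice", Device("SanDisk", "Cruzer", "4C53000123")),
    ("bob", Device("Kingston", "DT100", "")),
    ("carol", Device("Kingston", "DT100", "0019E06B9C85")),
]

def audit(events=EVENTS):
    """Return one decision per connection event, in order."""
    return [decide(user, dev) for user, dev in events]

if __name__ == "__main__":
    print(audit())
    print(exposure())
```

The no-serial case matters in practice: a policy that falls back to matching on manufacturer and model alone approves every unit of that model, not one trusted device.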

Posted by Sean Gallagher on Nov 25, 2008 at 8:12 AM


Reader Comments

Wed, Mar 25, 2009 Jim

I can understand the security issue that most IT people perceive. I have been online and on government computers for about 22 years now and I have NEVER had a worm, trojan or virus (and I have 8 different systems online at one time), but then again I am just a lowly worker. All of my superiors are always complaining about being infected with this or that, but who ends up going to classes while their work piles up and deadlines pass? That's right, the worker. In all my years I have seen maybe 2 or 3 supervisors in class. When is DOD going to wake up and get the Right people in the classes?

Thu, Jan 15, 2009 Govt Worker

The ban is still on and it looks to be staying on for a long time to come. Work has been difficult, life was definitely easier with flash drives.

Wed, Dec 10, 2008 barbwire OR

So, no one has an answer yet (except follow the STIG, which would work). I looked at Kanguru and IronKey - they both have enterprise solutions as Schrader said - but those only manage their brands of USB devices, so too limited. The CERT notes that in Windows it's very difficult to control autorun effectively. And for all the supposed gov stupidity, there seem to be very few effective enterprise class management solutions. If people that claim there are could point to some reviews it would be nice...

Wed, Dec 10, 2008

All of this is well and fine. My computer at home automatically scans any device I plug in, and the antivirus solution I use is free. My computer at work doesn't (and didn't) scan the same devices when I used them (and the antivirus solution is costly). Guess where I work. If you guessed DoD, you get the cigar.

Thu, Dec 4, 2008 Brian Fort Hood

User education is key! I have been struggling with this since I became an IASO in 2003 and I will continue to make it a point to educate the user because I love my job. Some IA personnel should receive hazardous duty pay. There is a reason why there are Dos and Don’ts when using a computer and someone must have learned the hard way and decided to include it in the User Agreement. I guess we are now, too.
Situation: No personal thumb drives are to be plugged into government systems and no government thumb drives into personal systems.
User Response: But how am I supposed to do my work at home?
IA Response: The government should issue you a notebook if it is that important for you to complete your work at home.
All these rules are based on the honor system and many users do not understand its meaning. We live by it when it comes to our family, our friends and our comrades in arms, but we lack it when it comes to using a government system. It is especially deplorable when the leaders of our fine government/Military commit these offenses. The rules apply to all users, not just subordinates. If everyone followed the rules we would not be at this point. I brief users every day what they are not supposed to do and they reply by informing me of their ways to circumvent the security in order to accomplish what they need. The mentality is, “Whatever it takes to accomplish the task”. Some users read and understand the User Agreement and some do not give a crap about the security measures that are in place. Again, user education is key. The biggest threat is from within. I myself will continue the fight!
