Via GCN -
NASA chief information officer Jonathan Pettus clarified the agency’s policy curbing the use of removable media in the wake of recent security concerns. The policy appeared in an internal memo.
New details about security concerns at NASA, independent of the memo, emerged in a report by BusinessWeek published last weekend. It details a series of significant and costly cyberattacks on NASA systems in the past decade.
The memo from Pettus instructs employees not to use personal USB drives or other removable media on government computer systems. It also directs employees not to use government-owned removable devices on personal machines or machines that do not belong to the agency, department or organization. And it warns employees not to put unknown devices into any systems and to ensure that systems are fully patched and have up-to-date antivirus software.
Pettus also said he is in the process of updating security policies and is “working with center CIOs on additional measures recommended by [the U.S. Computer Emergency Readiness Team] to mitigate removable media risks, including implementation of Federal Desktop Core Configuration settings.”
The directive is not as sweeping as one issued by the Defense Department, which temporarily forbids the use of USB drives and other removable media devices of all types as a step toward mitigating the spread of detected malware.
But it is indicative of new concerns about controlling the use of portable media.
“I'm surprised it has taken this long for some organizations to act on this attack vector,” said Ed Skoudis, co-founder and a senior security analyst at Washington-based information security group InGuardians, in a newsletter from the SANS Institute. “Windows ships with Autorun for CDs enabled, [and] USBs with U3 technology look just like a CD to a Windows box, making compromise trivial. Enterprises should address this threat with clear policy and instructions for employees, shored up with technical implementations that turn off Autorun via Group Policy.”
He added that Microsoft describes how to turn off the policy here.
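An added example (not part of the GCN article or of Microsoft's guidance): a PowerShell audit of the Autorun setting Skoudis refers to. It assumes the policy is stored in the NoDriveTypeAutoRun registry value, where a set bit disables Autorun for that drive type; the function name and the sample values are constructed for illustration.

```powershell
# Bit set in NoDriveTypeAutoRun = Autorun disabled for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20   # U3 sticks present a CD-ROM partition, so this bit matters for USB too
    'RAM disk'  = 0x40
    'Reserved'  = 0x80
}

# Hypothetical helper: report which drive types still have Autorun enabled.
function Get-AutorunExposure {
    param($PolicyValue, [string]$Source)
    if ($null -eq $PolicyValue) {
        # No policy value: nothing is enforced from this location.
        return [pscustomobject]@{ Source = $Source; Value = 'not set'
            StillEnabled = ($DriveTypeBits.Keys -join ', '); Compliant = $false }
    }
    $enabled = @($DriveTypeBits.GetEnumerator() |
        Where-Object { -not ($PolicyValue -band $_.Value) } |
        ForEach-Object { $_.Key })
    [pscustomobject]@{
        Source       = $Source
        Value        = '0x{0:X2}' -f $PolicyValue
        StillEnabled = ($enabled -join ', ')
        # Compliant here means Autorun is off for both removable and CD-ROM drives.
        Compliant    = (($PolicyValue -band 0x24) -eq 0x24)
    }
}

# Constructed sample values, decoded offline.
$results = @(
    Get-AutorunExposure -PolicyValue 0x91 -Source 'sample: removable and CD-ROM left on'
    Get-AutorunExposure -PolicyValue 0xB5 -Source 'sample: removable and CD-ROM off'
    Get-AutorunExposure -PolicyValue 0xFF -Source 'sample: all drive types off'
)

# Live check of the machine and user policy locations (Windows only).
$key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($hive in 'HKLM', 'HKCU') {
    $item = Get-ItemProperty -Path "${hive}:\$key" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $results += Get-AutorunExposure -PolicyValue $item.NoDriveTypeAutoRun -Source "${hive} policy"
}

$results | Format-Table -AutoSize
```

A machine-wide (HKLM) value takes precedence over the per-user one, so a non-compliant HKLM row is the one to fix through Group Policy.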