Monday, October 26, 2009

DoD May Lift USB Drives Ban For 'Authorized Individuals'

Via DefenseNews.com -

After being banned almost a year ago as bug-infested cyber threats, thumb drives may soon be allowed to plug back into U.S. Defense Department computers and networks.

But not all thumb drives. And not for all computer users, according to Pentagon officials and industry sources.

Thumb drives were banned in November 2008 after thousands of military computers and networks became infected by worms, viruses and other malicious software. Many of the infections were traced to thumb drives, which acquired malicious software from computers or the Internet and passed them on.

The ban has been a major hassle for many who came to rely on thumb drives.

Aircraft and vehicle technicians weren't hauling around tech manuals; the manuals were stored on thumb drives, said Tom Conway, director of federal business development at computer security company McAfee.

Medical records of wounded troops were sometimes stored on thumb drives and accompanied patients from field hospitals in Iraq to Germany and on to the United States, Conway said.

Pilots used thumb drives to transfer mission plans from operations rooms to aircraft computers. And thousands of others used thumb drives to store, share and transfer photos, briefings, videos, PowerPoint presentations, maps, documents and all kinds of other digital data.

[...]

Thumb drives still offer an attractive means to move information quickly, Carey said. So in the next 30 to 60 days, the Defense Department is expected to announce that thumb drives are back - in a limited way.

For starters, not everyone will be allowed to use them. Only "authorized individuals" are likely to be permitted to use thumb drives for "mission-essential functions," Carey said in a blog posting.

And the approved drives won't be like the thumb drives on sale at your local office supply store; they probably will be "government-owned and procured."

"The days of using personally owned flash media or using flash media collected at conferences or trade shows are long gone," Carey said.

"A whole lot of procedures are being developed" to govern the return of thumb drives, he said. "Issuance procedures, monitoring procedures, control procedures, it's all in progress."

A military "Removable Storage Media Tiger Team" is developing thumb drive policies for the U.S. Strategic Command, Carey said.

McAfee, which already provides anti-virus technology for about 7 million Defense Department desktops, laptops and servers, offers some advice: Only "trusted products" sold by "trusted suppliers" should be allowed, Conway said. And the trusted thumb drives should have multiple layers of built-in defense.

They should be able to scan data for viruses and other malware, as data is entering the drive and as it is exiting.

The drives should contain built-in encryption chips that convert everything on them to code that can be unencrypted only by a user with the correct password or the right fingerprint - or both.

The drives should also be made tamper-proof so that the information they contain self-destructs if anyone tries to defeat the encryption or disassemble the drive.

The Defense Department should also require that a unique serial number be assigned to each thumb drive. The number would enable network operators to set specific restrictions on what each drive will and won't be allowed to do, said Chris Parkerson, a removable media security manager at McAfee.

To make that work, though, the department would have to develop the capability to keep track of each thumb drive, and of who is using it and what that user is permitted to do with it.

No comments:

Post a Comment