This article, man-buys-used-ipod-gets-60-pages-of-sensitive-military-data.ars, on Ars Technica made me both laugh and groan. The subject of the article purchased a second hand mp3 player. Apparently the former owner was using the device as a removable storage disk to ferry data around. Many of us have done exactly the same thing. The difference, however, is this data contains the names and personal details of US soldiers
The US government has many rules and processes that govern secure data. There is a wealth of information on this at theFederal Information Security Management Act (FISMA) NIST site.
We can guess at which rules and what processes the original owner violated to enable this breach. That exact rule broken isn’t as important as recognizing this breach happened because it was possible in the first place.
In the effort to get jobs done short cuts often are taken. I can certainly think of a scenario where, in a time crunch, this government employee took some secure data home so they could finish up their task over a weekend. His employer may have acknowledged the sensitive nature of the data he was working on and required that this data exist only on computers attached to a secure network that has no connection to the internet. Unfortunately that tempting front mounted USB port calls to people. They bring in their camera and music player, their USB keys and webcams. Heck they may even bring in their USB rocket launchers to blow a little steam at the end of a tough day.
This article isn’t the first time that removable storage has led to data loss. The massive TJX breach comes to mind. More recently the details of more than 6,000 prisoners was lost. Through malicious and accidental acts gigabytes of data leak out USB ports around the world.
Physically removing USB ports may work for some organizations. Some have even suggested epoxy as an answer. USB ports have their uses, though, and these tactics are often too extreme. Antivirus and application whitelisting software can prevent the running of malicious code from these devices but they don’t adequately address data loss issues.
What then is the answer? Whitelisting hardware is something that is still in its infancy but for this class of problems I think it shows a lot of promise. Selectively allowing USB devices by the device’s serial number or by the logged in user allows a flexibility that none of the others solutions posses, not even epoxy.
I would love to hear your thoughts on these issues. Are there better solutions out there that we, the security industry, should be exploring?
Ex post facto introduction – Since this is my first time blogging for Bit9 a quick introduction might be in order. My name is Naveed Ihsanullah. I have worked in the field of software development and security for the past fifteen years. I have always been a firm believer in white listing as a solution for IT infrastructure control and to the ever increasing glut of malware. After hearing about the exciting Parity product, I joined Bit9 in Autumn 2008 as a Development Architect.