NCTS FE Begins Crack Down On Illegal USB Flash Device Use
By Matthew Stephan, NCTS FE, Information Assurance



USB devices were banned for use on DoD computer networks due to the threat they pose. Despite existing policies and aggressive awareness training, NCTS FE still detects numerous incidents of violation of USB device use. Photo by Mark Elrod


According to the National Cyber Alert System, USB (Universal Serial Bus) flash drives are popular for storing and transporting data, but some of the characteristics that make them convenient also introduce security risks.

USB devices were banned for use on Department of Defense (DoD) computer networks due to the threat they pose.

Despite ONE-NET advisories, security stand downs, refresher training on information assurance, information security and other forms of user awareness training, Naval Computer and Telecommunications Station Far East (NCTS FE) still detects numerous incidents of this basic violation.

“There is still blatant misuse and disregard of the policy that exists,” said NCST FE Commanding Officer Capt. Robert Goodwin.

Misuse of the USB port causes 25 percent of all incidents where malware is introduced to ONE-NET. To prevent degradation of the network, NCTS FE regularly scans ONE-NET computer systems to detect vulnerabilities and threats to the information that they protect on a daily basis.

These scans routinely detect numerous violations in the use of USB devices.

“We are in the process, now, that if somebody comes in, [inserts a flash drive], and we can catch [the device] on the computer, at that time, our assumption is that computer is infected,” said Goodwin. “Then our actions are to remove that danger, or that threat from the network, which means, that computer is gong to be taken offline until such time that we can figure out whether or not an infection actually occurred and eradicate that infection so that the computer is safe to put back in the network And that is an impact to the mission, because, now, that computer is down, for whoever has to use that computer.”

The following devices including battery charging are banned from connecting to ONE-NET and other Department of the Navy (DoN) networks:

• Thumb drives, USB flash drives, memory sticks, and other flash storage devices.

• iPods and Sony PSPs.

• Kindle and Sony eBook Readers.

• Personal phones or Government issued cell phones.

• Cameras and camcorders.

• Flash media card readers.

The use and connection of any of these devices on ONE-NET and other DoN networks are direct violations of DoD, DoN and NAVNETWARCOM (NNWC) policies.

Commander, Naval Network and Warfare Command (COMNAVNETWARCOM) released ONE-NET Information Bulletin 08B to allow the use of external hard drives provided that specific implementation procedures and operational requirements are met, such as U.S. General Services Administration (GSA) approved hard drives, registered at the Local Network Service Center (LNSC), free of third-party software.

Users are not to purchase a removable hard drive without first contacting your information assurance officer or manager for details.

Commands utilizing external hard disk drives (HDD) should immediately contact the ONE-NET Enterprise Service Desk to ensure devices meet ONE-NET standards. External HDD not registered with the LNSC will be seen as rogue devices in violation of the policy.

Additionally, COMNAVNETWARCOM issued ONE-NET Information Advisory 02-09 that states, “The following penalties apply for ONE-NET users who are found in violation of the policy:

• For a first offense, the user’s account will be immediately disabled and remain disabled until the user’s commanding officer or officer in charge has provided authorization for the TNOSC to enable the account.

• For a second offense, the user’s account will be immediately disabled and reported to NAVNETWARCOM.”

In cases of malware infection, classified or personally identifiable information incidents, involvement of the command security manager, Navy Criminal Investigative Services or Navy Cyber Defense Operations Command is required.

This in turn may cause the ONE-NET computer to be quarantined, confiscated, or reimaged to contain the incident for further analysis.

Misuse of government computer assets is also a reportable incident to DoN Central Adjudication Facility through the Joint Personnel Adjudication System system and is used as a factor in retaining and adjudicating personnel security clearances.

ONE-NET is connected to the Global Information Grid and interlinked with all other DoD computer systems in the information superhighway.

Users do not have the authority to accept, ignore, or transfer risk on behalf of the DoD by plugging in an unauthorized device into the USB port. A violation of policy by a user in Yokosuka can have a cascading effect which eventually impacts multiple DoD networks.

All users are reminded that your ONE-NET user account is not a right. Your ONE-NET user account and your ONE-NET computer are government provided tools.

Follow the standards and use the tools in accordance with these standards in furtherance of your command’s mission or risk losing access to the tools.

You would think that the people in this kind of business would know that these things can always be traced back to the user!

You would think

ohhhh... soapbox trigger...

Thing is, the bad guys wish they could cause as much economic damage and denial-of-service impact to us as we do to ourselves.

No seriously - DoD security directives are so out of control and have such a real world impact that a few years ago the Air Force Academy spent the money, time and effort to build a completely parallel network, air gaped to their DoD one. Military requirements on the DoD network, real world work on their independent one.

Your tax dollars at work folks.

I'd only seen the slides of the briefing the CIO gave Educause, but it has a lovely couple of points in the closer:

1 - How do you know you've gone too far with your security? When your users look to bypass it.
2 - If you don't know why you are implementing a security policy, maybe you shouldn't!

Coincidentally enough, I was reading an article today about the horrible waste of resources that our intelligence communities are, and the author of the piece had this point to say. I thought immediately about how it applies to the DoD computer security mindset. (substitute the concept of network security with espionage policy and see if it doesn't ring as true)


"To make matters worse, the system they depict gives the participants (and especially those private contractors) an obvious incentive to hype threats, both to cover their bureaucratic tails and to justify their own existence and profits. Nobody wants to be caught downplaying a possible danger (which would be embarrassing later on), and suggesting that a potential threat might not be that serious is a good way to get your budget cut. As one of the sources quoted by Priest and Arkin put it, the post-9/11 intelligence maze has become a "self-licking ice cream cone," and the overall effect will be to make the world's most powerful and secure country even more paranoid than before. And when everyone in the system has an incentive to maximize dangers, the whole apparatus gets drowned in more data than it can absorb and assess."

http://walt.foreignpolicy.com/posts..._candidate

Navy Continues Crack Down On Illegal USB flash Device Usage

By Mark Elrod, CFAY Public Affairs Universal Serial Bus or USB devices were banned for use on Department of Defense (DoD) computer networks due to the threat they pose. Despite ONE-NET advisories, security stand downs, refresher training on information assurance, information security and other forms of user awareness training, Naval Computer and Telecommunications Station Far East (NCTS FE) still detects numerous incidents of this basic violation.

According to the National Cyber Alert System, USB flash drives are popular for storing and transporting data, but some of the characteristics that make them convenient also introduce security risks.

Commander U.S. Naval Forces Japan (CNFJ) instruction COMNAVFORJAPANINST 5239.3, USB flash device policy states that the purposes of the policy is to ensure network defense of the One-Net computer system and the Global Information Grid, provide clear guidance on quarantining computer systems affected by USB flash devices, and define personnel accountability requirements.

According to the instruction, 25 percent of all incidents in which malware have been introduced to the One-Net systems are directly attributed to USB flash memory devices.

“There is still blatant misuse and disregard of the policy that exists,” said Naval Computer and Telecommunications Station Far East (NCTS FE) Commanding Officer Capt. Robert Goodwin.

The CNFJ instruction reiterates the fact that NCTS FE regularly scans ONE-NET computer systems to detect vulnerabilities and threats to the information that they protect on a daily basis. These scans routinely detect numerous violations in the use of USB devices.

“We are in the process, now, that if somebody comes in, [inserts a flash drive], and we can catch [the device] on the computer, at that time, our assumption is that computer is infected,” said Goodwin. “Then our actions are to remove that danger, or that threat from the network, which means, that computer is gong to be taken offline until such time that we can figure out whether or not an infection actually occurred and eradicate that infection so that the computer is safe to put back in the network. That is an impact to the mission, because, now, that computer is down, for whoever has to use that computer.”

The following devices including battery charging are banned from connecting to ONE-NET and other Department of the Navy (DoN) networks:

• Thumb drives, USB flash drives, memory sticks, and other flash storage devices.

• iPods and Sony PSPs.

• Kindle and Sony eBook Readers.

• Personal phones or government-issued cell phones.

• Cameras and camcorders.

• Flash media card readers.

The use and connection of any of these devices on ONE-NET and other DoN networks are direct violations of DoD, DoN and Commander, Naval Network and Warfare Command (COMNAVNETWARCOM) policies.

COMNAVNETWARCOM released ONE-NET Information Bulletin 08B to allow the use of external hard drives provided that specific implementation procedures and operational requirements are met, such as U.S. General Services Administration (GSA) approved hard drives, registered at the Local Network Service Center (LNSC), free of third-party software.

Users are not to purchase a removable hard drive without first contacting your information assurance officer or manager for details.

Commands utilizing external hard disk drives (HDD) should immediately contact the ONE-NET Enterprise Service Desk to ensure devices meet ONE-NET standards. External HDD not registered with the LNSC will be seen as rogue devices in violation of the policy.

Additionally, COMNAVNETWARCOM issued ONE-NET Information Advisory 02-09 that states, “The following penalties apply for ONE-NET users who are found in violation of the policy:

• For a first offense, the user’s account will be immediately disabled and remain disabled until the user’s commanding officer or officer in charge has provided authorization for the Theater Network Operations and Security Center (TNOSC) to enable the account.

• For a second offense, the user’s account will be immediately disabled and reported to NAVNETWARCOM.”

In cases of malware infection, classified or personally identifiable information incidents, involvement of the command security manager, Navy Criminal Investigative Services or Navy Cyber Defense Operations Command is required. This in turn may cause the ONE-NET computer to be quarantined, confiscated, or reimaged to contain the incident for further analysis.

All users are reminded that your ONE-NET user account is not a right. Your ONE-NET user account and your ONE-NET computer are government provided tools.

Contact the ONE-NET service desk at 243-3883 or your command’s security manager for more information.

I bet Matthew Stephan is gonna be pissed when he sees that this Mark Elrod guy pretty much "wrote" the exact same, word for word, article that he did last year...

why not just walk around with epoxy and squirt a little into each USB port? Problem solved. Where do I collect my $1M for all the savings I just generated with about 12 seconds of thought?

Posted By Hoff on 02-19-2011 12:12 AM
I bet Matthew Stephan is gonna be pissed when he sees that this Mark Elrod guy pretty much "wrote" the exact same, word for word, article that he did last year...

LOL!  That's pretty funny.

I see a lot of people making jokes and excuses, and overall not taking this seriously. Cyber Security is very real. People complain about their inability to do their jobs because security rules are too stringent. Your jobs often times do not change, the operational procedures "for the most part" stay the same.
A number of years ago this wonderful tool was introduced to help you get your work done, behold, the computer. Along the years this tool has been modified and upgraded and the technology has changed, and so did the policies that govern these amazing machines. However, it was decided that this was a tool for the masses, and with that came the age of cyber malice. Crackers, script kiddies, and idiots all have their own way of doing damage to a computer system.
Recently there has been a lot of publicity on the organized crime of the internet. LULZSEC and Anonymous and countless other un-named groups are joining forces to take down the services of SONY, FBI Partner Organizations, U.S. Senate, CIA, Sega, EVE Online Gaming Community, and many others.
Do we think that this is all a joke now?
Would you rather your job was a little more difficult because you had to burn your informaiton to disc instead of putting on a USB device, or would rather your job was impossible because you or your security team wasn't concerned about the very real dangers of the internet?
You're not being asked for that much, follow the rules, or don't use the govenment owned equipment......simple enough.

I like your last sentence. It brings it back to basics and like you said, "simple enough."