Last year, the U.S. Department of Defense (DoD) temporarily banned the use of thumb drives and other removable storage devices because viruses, worms and malware were uploaded to their network.
Think about it. Thumb drives – tiny and able to hold enormous amounts of data – are ideal for moving information. Up until the ban, the CIO of the Navy regularly downloaded presentations to them. Medical records were stored on them while wounded troops were transferred from field hospitals to the United States. Aircraft and vehicle technicians housed their manuals on them. Thumb drives – convenient. Yet at the time, mostly unprotected.
Cut to now. The DoD, which should be commended for its proactive efforts to monitor for viruses and its methodical approach to reintroducing USB drives, is expected to issue new guidelines for the use of USB thumb drives before the end of the year.
It is no secret that the guidelines will address the three aspects of security – management, safety and education. And in a recent conversation with William Mathews of Defense News, I shared the advice of McAfee, which currently provides comprehensive host system technology for 7 million DoD assets under the HBSS program: create multiple layers of built-in defense for thumb drives. In preparation for the USB ban lift, McAfee Device Control with McAfee ePolicy Orchestrator (ePO) management, which provides the ability to closely control USB drives at an enterprise level, was recently added to HBSS.
First, we recommend that the management efforts involve only “trusted products” sold by “trusted suppliers” in the process; in this case, providers vetted by the DoD Data-at-Rest-Tiger Team (DARTT). Second, USB thumb drives should have the following layers of protection, creating multiple layers of safety:
- Scan data for malware, as data is entering and exiting
- Built-in encryption chips that convert everything to code and can be unencrypted only by a correct password, the right fingerprint or both
- Tamper-proof, so information self-destructs if anyone tries to defeat the encryption or disassemble the drive
- Assign a unique serial number to each issued drive so network operators may set specific restrictions on what each drive will and won’t do
Third, education must take place. Users need to understand how security helps them be more productive and empowers them to work safely. McAfee Device Control includes capabilities to help accelerate this education process through intelligent notification and feedback directly to users as they make use of USB devices. By taking an educated approach, the DoD can coach its users on the right steps to keep data safe.