Friday, 05/16/2008 12:06:01 PM

Good Grief!! Security concerns spur agencies to limit use of thumb drives

http://federaltimes.com/index.php?S=3528598

By COURTNEY MABEUS
May 14, 2008
Two years ago, thumb drives containing sensitive information about U.S. soldiers, interrogators and interrogation methods turned up for sale in a bazaar outside a military base in Bagram, Afghanistan.
Around that same time, a thumb drive containing classified information belonging to the Los Alamos National Laboratory turned up during an unrelated drug raid of a lab contractor’s apartment.
And last month, a contractor who had been working on computers at the San Antonio Marine Corps Reserve Center pleaded guilty to selling a thumb drive containing Social Security numbers and names of military personnel for $500 to an undercover FBI agent posing as a foreign government official.
“Technology changes and it always takes effort to stay abreast of [those] changes and how that affects the processes and plans in place,” said Randall Easter, who oversees encryption standards at the Commerce Department’s National Institute of Standards and Technology (NIST). “I think that’s just a constant thing that needs to be addressed. That’s the nature of [information technology] — it keeps getting smaller, better and faster.”

There is no blanket policy guiding how agencies should use thumb drives, but since 2006, the Office of Management and Budget has required that sensitive information — including personally identifiable information such as Social Security numbers — be encrypted on any device being removed from a federal office. But because of the drives’ small size, tracking their removal is difficult — most are not found by metal detectors, experts say. In the face of some embarrassing data breaches in recent years, agencies have been left to answer how best to manage their use.
Thumb drives, the successor to floppy disks but with more storage space, work by plugging into USB — Universal Serial Bus — ports now standard on most computers. Gartner, an IT and research firm, expects as many as 180 million of the drives will be sold in the U.S. this year. About 900,000 of those will be sold to federal agencies, said Joseph Unsworth, a research director for the company.
Agencies’ interest has been “pretty slow thus far,” Unsworth said, “and a lot of that has to do with security features.”
Government, he said, “didn’t know how to manage these new types of technology and, while not complex, there haven’t been the solutions available to minimize your risk. … This is something that is going to need to be increasingly watched and governed by government because of the risk.”
The Veterans Affairs and Homeland Security departments, for example, issue and restrict use of thumb drives to only those employees who need them, officials for both departments said. Both departments use software that locks out any unapproved, unencrypted drives, officials said.
Even before the Los Alamos case, employees there were restricted from using personal drives. The lab has since instituted a random search policy that anyone on the campus can be subjected to at any time. It has also reduced the amount of its electronically held classified holdings, said spokesman Kevin Roark.
“All electronic devices are banned, no matter who owns them,” Roark said.
The agency also monitors network downloads to USB ports, he said.
“Either your USB ports are blocked or removed if you don’t need them or, if you do need them, they’re monitored,” Roark said. “There’s always been monitoring of our networks, but now we specifically look for recording devices. It’s much more rigorous now.”
The greater use of encryption and monitoring software is the only way to ensure data security while still allowing for the flexibility thumb drives can provide, said Johannes Ullrich, chief research officer for the SANS Institute, a Maryland information security training firm. Monitoring software and encryption technologies are a first line of defense, he added.
“That’s a fundamental rule here, nobody is trusted,” Ullrich said.
The Nuclear Regulatory Commission, so far, has relied on trust. Chief Information Security Officer Patrick Howard said employees have been allowed to use personal drives but are trained to encrypt any files before they are placed on a removable drive.
“It’s up to them [the employees] when you get right down to it,” Howard said. “You have to trust your employees when it comes to policy.”
And, though the agency has not had any reports of data breaches resulting from a thumb drive, Howard said, there is a sign that that trust is wavering. The agency is in the process of ordering encrypted thumb drives that it will issue to only those employees who need them. Once those drives arrive, the NRC intends to ban use of personal drives and is looking into installing monitoring software, he added.
“That way we have more assurance that it’s the proper encryption and it takes some of the responsibility out of the user’s hands,” Howard said.
