
Thread: Pentagon banning flash drives...

  1. #11
    Thank God for camera phones for those 1-page screenshots on a SIPRNet and NIPRNet connected secured card accessed workstation. Thank Jesus for LinuxBoot CDs with USB turned on to read NTFS Documents and Settings. Thank God for bored and lazy sheep in the military who care less. Thank Microsoft for reintroducing viruses and bugs that were addressed in older distributions but forgotten in newer versions so security experts can pay their rent for the month.
    Last edited by Linen0ise; December 5th, 2008 at 05:49 PM.

  2. #12
    nihil (Senior Member) | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,188
    As NukEvil says:

    Flash drives/other removable media have nothing to do with their current problem. Stupidity seems to be the major issue. Another issue is a lack of adherence to policies (if they even have any) regarding basic system protection (weak/blank passwords, etc)...
    This is a much more fundamental and deep seated problem that has nothing to do with technology or operating systems. In fact, to suggest that it has is to make an even greater mistake of suggesting that technology can provide the solution. Which, of itself, it cannot.

    This is about:

    1. A security model.
    2. Security policies.
    3. Security processes to enforce the policies.
    4. Security procedures to support the processes.
    5. Governance & management of the security system.

    Given that there is generally a high turnover of personnel in military and government environments it is vital that there is an appropriate succession and training mechanism to prevent the whole system being gradually degraded.

  3. #13
    brokencrow (Dissident 4dm1n) | Join Date: Feb 2004 | Location: Shawnee country | Posts: 1,243
    This is about:

    1. A...model.
    2. ...policies.
    3. ...processes to enforce...policies.
    4. ...procedures to support...processes.
    5. Governance & management of...???
    The tech is changing every week or every month. Code is inherently
    insecure. Human beings are...sinners. Hardware's spread from here
    to kingdom come and tied to some database, now tied to some other
    database. And the newest 'model' is...a cloud?

    Noam Eppel is right...security is absurd. CYA. No one else will.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  4. #14
    Quote: Originally Posted by nihil
    @ phernandez and The-Spec,

    Correct me if I am wrong, but I seem to recall that there was a scandal about flash drives when we first went into Iraq?
    You mean when soldiers film the battlefield operations meant to stay secret only to have the young soldier remove the 8GB micro-sd card. I bet 99% of them don't know what a stamp flash drive looks like. You could easily walk past Gomer Pyle.

    http://counterterrorismblog.org/

    Who is watching the watchers? funny stuff
    Last edited by Linen0ise; December 8th, 2008 at 04:13 PM.

  5. #15
    nihil (Senior Member) | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,188
    You mean when soldiers film the battlefield operations meant to stay secret only to have the young soldier remove the 8GB micro-sd card.
    No, this was just kit around offices etc where they employed locals as janitors and support staff. They just stole it because it was easy pickings?

    Linen0ise

    Roaches have eaten your Avatar man!!!!!!


    Time for you to use your "RAID" knowledge huh?

  6. #16
    Senior Member | Join Date: Dec 2006 | Location: Myrtle Beach, SC | Posts: 238
    LOL that was a good one

  7. #17
    D0pp139an93r (@ÞΜĮЙǐЅŦГǻţΩЯ) | Join Date: May 2003 | Location: St. Petersburg, FL | Posts: 1,705
    Flash drives are allowed on certain networks, banned on others. The Federal government does not have a global policy on this, although there are numerous "recommendations."

    My network bans flash drives and most writeable media. I almost thought that they were concerned about security, until I discovered that Cisco's Port Security is actually considered to be a security measure, and not just a way to piss off users and techs.
    Real security doesn't come with an installer.

  8. #18
    576869746568617 (Yes, that's my CC number!) | Join Date: Dec 2003 | Location: Earth | Posts: 397
    It should have been done a lot sooner.

    While they are very convenient, they pose a tremendous risk to both the OPSEC and CIA of a network.

    The previous incidents in both Iraq and Afghanistan should have outlined to DoD the tremendous risk that they posed to both OPSEC and CIA.

    At the time of those incidents, their main concern was an OPSEC one - controlling the spillage of classified material and PHI that were leaked to outside sources. They were too nearsighted to see the other risks to CIA.

    In the years since those incidents, there have been numerous exploits and proof of concept attacks demonstrated at both BlackHat and DEFCON concerning these devices.

    The blame rests with the agency CIOs and DAAs who did not formulate effective countermeasures when conducting their risk analysis.

    It also rests with the IA managers, department managers, and commanders at every level for not ensuring that the end-users had the proper training needed to mitigate the risk.

    Unfortunately, there is no patch for human stupidity.
    Last edited by 576869746568617; December 31st, 2008 at 02:22 AM.
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.


  9. #19
    D0pp139an93r (@ÞΜĮЙǐЅŦГǻţΩЯ) | Join Date: May 2003 | Location: St. Petersburg, FL | Posts: 1,705
    Quote: Originally Posted by 576869746568617
    It should have been done a lot sooner.

    While they are very convenient, they pose a tremendous risk to both the OPSEC and CIA of a network.

    The previous incidents in both Iraq and Afghanistan should have outlined to DoD the tremendous risk that they posed to both OPSEC and CIA.

    At the time of those incidents, their main concern was an OPSEC one - controlling the spillage of classified material and PHI that were leaked to outside sources. They were too nearsighted to see the other risks to CIA.

    In the years since those incidents, there have been numerous exploits and proof of concept attacks demonstrated at both BlackHat and DEFCON concerning these devices.

    The blame rests with the agency CIOs and DAAs who did not formulate effective countermeasures when conducting their risk analysis.

    It also rests with the IA managers, department managers, and commanders at every level for not ensuring that the end-users had the proper training needed to mitigate the risk.

    Unfortunately, there is no patch for human stupidity.
    Without pointing at any specific individuals, I have met numerous Information Security Officers, both within the Federal sector, and many private sector corporations. None have really impressed me. Most seem to lack any technical aptitude at all.
    Real security doesn't come with an installer.

  10. #20
    576869746568617 (Yes, that's my CC number!) | Join Date: Dec 2003 | Location: Earth | Posts: 397
    Unfortunately, that seems to be a very common occurrence. It's both funny and disturbing how most commands treat duty positions like the IASO/ISSO.

    Most that I have seen view it as an inconvenience...just another appointment memo that has to be filled out for inspection purposes. They just arbitrarily put a name on a memo, and that's it. They don't even think about the individual's qualification to actually perform the job.

    Hopefully, with the latest revision of DoD Directive 8570.1, some of this will change. Finally, they are requiring that all personnel in any IA related position complete not just DoD and component specific training, but also obtain an industry standard certification such as CompTIA's Security+ or ISC2's CISSP.

    Not only do they have to get certified, but they are also now required to maintain the certification through continuing education and re-certification if needed.

    While this is not a cure-all, it is definitely a step in the right direction.
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.

