Commerce’s Dave Jarrell says that VA’s data losses prompted the department to restrict uses of USB drives and to ban their use by census takers.
Sep 10 2007

Closed-Door Policy

USB flash drives are fast and easy, but agencies find they need to set guidelines and enforce security measures before letting workers use them to transport data.

It began as a simple drug bust but quickly turned into a security crisis. When the Los Alamos, N.M., police raided a suspected crystal meth lab in October 2006, they discovered a USB thumb drive containing classified data from nearby Los Alamos National Laboratories. The drive belonged to 22-year-old Jessica Lynn Quintana, a former lab contractor who worked as an archivist.

Quintana, who claimed she took work home on the drive and simply forgot about it, pleaded guilty to knowingly removing classified information from the weapons lab last May. She faces a possible jail sentence of one year and fines of $100,000.

After the incident, technicians at Los Alamos disabled the USB ports on machines handling sensitive data using software, hardware locks and in some cases, super glue to gum up the ports.

“We went through a rigorous program to identify all types of ports that were unnecessary, then blocked them using hardware, software and epoxy,” says lab spokesman Kevin Roark. “We also put in a wide variety of administrative controls that record when a port has been activated, so at least we’d have a forensic trail if a person decided to do something criminal.”

The lab’s case is just one of many involving lost or stolen portable devices that contained sensitive federal data. The biggest data loss occurred in May 2006, when thieves broke into the home of a Veterans Affairs Department employee and stole a notebook containing the personal information of 26.5 million veterans. (It has since been recovered — so far to no one’s detriment.)

Gone … in a Flash

But the threat from thumb or flash drives, which can hold up to 8 gigabytes of data, may be even greater, in part because these cigarette-lighter-size devices are easy to lose and simple to conceal.

“The overwhelming success of flash drives has created a challenge for data management,” says Steve Swenson, product manager for Imation’s line of flash drives. “Everything users like about it — that it’s fast, small, easy to use and doesn’t require special software — increases its chances of being a security risk.”

Similarly, portable media players, such as the Apple iPod, can be used to siphon even larger amounts of data from hard drives — an exploit known as pod slurping. Both types of drives provide another route for viruses, spyware and other malicious code to infect an organization’s network, as employees shuttle the devices between work systems and insecure home PCs.

After the VA incident, the Office of Management and Budget issued Memorandum 06-16, which mandates the use of encryption on all mobile devices, stricter methods of authenticating remote users and tighter controls over who may access sensitive data. But how each agency implements these security requirements can vary wildly.

Although some agencies have chosen to ban the use of USB drives, that’s not necessarily the best option. There are ways to use thumb drives safely, provided you follow precautions.

1 Set Policies

The road to flash drive security starts at the top. Senior management must set policies regarding how agencies handle sensitive data, who can access it and what devices they’re allowed to use, then provide ample training in how to follow the rules, according to Marion Cody, chief information security officer for the Environmental Protection Agency.

“The EPA is fortunate in having a robust set of policies and procedures that explain how implementers are supposed to do things,” Cody notes. “When you have these things written out, it leaves little to question.”

2 Audit and Enforce

Once policies are in place, you need to ensure they’re followed. This can range from physical inspections of employee workstations to virtual audits using network-based applications that follow data as it moves through an organization.

But enforcing the policies can be an enormous challenge, especially when an agency’s workforce is spread across the country, says Prabhat Agarwal, manager of the information security analysis program for Input in Reston, Va.

“People in the field have their own way of doing things,” says Agarwal. “It’s hard to enforce policies across the board in tremendously vast organizations like these.”

Many agencies have had to discipline employees for not following department policies on safeguarding data — some more dramatically than others.

“We put our policies in place, trained all our personnel, then cracked the whip,” says Herb Armstrong, director of information technology for the Navy’s Mine Warfare Training Center in Ingleside, Texas. “Usually the first time you chop off someone’s head, people start to take notice.”

3 Limit Access

One key to mitigating risk is to limit the amount and type of information that employees are able to access, says Dave Jarrell, manager of the Commerce Department’s Critical Infrastructure Protection Program. Jarrell’s team oversees information security for the department’s agencies, including the Census Bureau, National Institute of Standards and Technology, and Patent and Trademark Office.

React quickly to spills

Even with safeguards, data accidents will happen. Notify the necessary parties both withinand outside your agency, and follow the guidelines in NIST Special Publication 800-53 (

) and OMB’s breach guidance (



Over the last year, Jarrell says, the department has reduced the amount of sensitive data that census takers bring with them into the field. VA’s data losses prompted the department to restrict uses of USB drives and to ban them for use by census takers. Census takers carry notebooks with encrypted hard drives.

The Postal Service has developed an Active Directory-based identity management system to manage access to sensitive data, says Chuck McGann, manager of national information system security for USPS in Raleigh, N.C. Internal policies limit the personal information users can load on the portable drives, and enterprise-level security software scans each drive to prevent accidental infections.

“We strive to let our people do their jobs, but we don’t want to give them more [access] rights than they need,” notes Robert Najman, USPS manager of technical services. “The Postal Service is a trusted brand, and we go to extreme measures to maintain that trust.”

4 Encrypt Your Data

If you put sensitive data on a USB drive, OMB rules require that it be encrypted. If the drive is lost or stolen, the data can’t be accessed without the right password. But not all encryption schemes are created equal.

For example, the Postal Service requires its 150,000 employees to use Kingston DataTraveler Secure drives, which are protected by 256-bit Advanced Encryption Standard algorithms. A chip embedded in each 2-gigabyte drive generates a random 255-character key that protects the data, which can be accessed only by a complex password.

The VA took a similar route last spring, when its IT department began distributing Kanguru Solutions drives on a manager-approved basis to users across the department. The Kanguru drives also use hardware-based 256-bit AES.

Software-based encryption can also be used to protect data, but it’s typically less secure, says Brandon Stevens, senior technology manager for Kingston.

The same encryption software must typically reside on both the original machine where the data was stored and the computer it will be used on; if a virus or other malware infects one of those machines, the encryption software could be compromised.

Although it’s possible to crack even hardware-based 256-bit AES, it would require high-level algorithms and supercomputers working for several months, notes Stevens. By default, users of Kingston drives have 10 chances to enter their passwords correctly. After that, a drive reformats itself, obliterating any sensitive data on it. Kanguru drives flush the content after seven failed attempts.

Of course, agencies are expected to have secure backups of the data elsewhere. “The information should reside somewhere else that’s more static and secure,” Stevens says. “Our device is merely your Brinks armored truck to get the data from point A to point B securely.”

5 Manage Your Ports

Even using encryption and identity management software won’t make your USB drives 100 percent secure. For example, both USPS and Commerce rely on employees to not bring their own thumb drives to work, and on managers to catch them when they do. That level of risk is unacceptable to military organizations, says the Navy’s Armstrong.

To ensure that no one plugs in their own thumb drives, the Mine Warfare Training Center uses Safend Auditor and Safend Protector to monitor the network and detect attempts to connect rogue devices. The center has set rules for the app to monitor every port on every workstation and lock out unauthorized devices. It can also audit each port and record what devices are in use or be set to allow only specific devices, such as an encrypted drive issued to particular employees.

As an added precaution, the center banned personnel from bringing home any personally identifiable information, which caused a lot of grumbling at first, says Armstrong. “I did not make a lot of friends when I started enforcing this policy,” he says. “People complained it would take longer to get their work done, so the captain said, ‘Fine, we’ll give you more time.’ Lo and behold, people started finishing their work in the time span they had available. Funny how that works out.”

Better Safe Than Leaky

Armstrong says the center’s policies may sound draconian, but it hasn’t had a data spill since implementing them two years ago. He adds that anything that will keep data secure — even if it involves gluing shut USB ports — is worth it in the long run.

“For every legitimate individual out there, there are 20 people trying to break into your network,” he says. “That makes a dim view of the world, but you have to maintain that mindset. If it keeps you from having a spill, it’s not paranoia, it’s just survival.”


Photo: Jay L. Clendenin