Last month, Reality Leigh Winner, a 25-year-old National Security Agency contractor and Air Force veteran, pleaded not guilty to one count of “willful retention and transmission of national defense information” after authorities accused her of disseminating a classified intelligence report to the news media.
Jennifer Solari, an assistant United States attorney, said in a court hearing that Winner allegedly “plugged a peculiar query into an internet search engine last year: ‘Do top secret computers detect when flash drives are inserted?’” according to The New York Times.
NBC News reports: “The government alleges that Winner did just that — insert a flash drive into a top secret computer while she worked in the Air Force. The drive, or any information that was downloaded, has not been located.”
Although Winner was reportedly caught by the FBI because of the way a scanned document had been folded or creased (thus revealing that it had been printed), the disclosure about Winner’s alleged interest in USB flash drives reveals an ongoing flaw in government IT security.
Although agencies may ban the use of USB flash drives to prevent the theft and dissemination of classified information, it might be impossible to block them completely from federal IT environments. How can agencies ensure that their IT systems and data are as protected as possible from unauthorized USB flash drives?
The short answer: There are ways agencies can go about this, some more sophisticated than others.
1. Network and Behavioral Monitoring Can Track Employees
The NSA and many other agencies routinely track the activity of users on work-issued computers and devices.
According to The Washington Post: “Employee monitoring is so extensive in American society that it may be difficult for workers to know just how far they might have to go to avoid it. It is a $200 million-a-year industry, according to a study last year by 451 Research, a technology research firm, and is estimated to be worth $500 million by 2020.”
The Post notes that monitoring techniques are now quite advanced, and can track not just which websites users visit, “but also when they plug in USB storage devices, move or copy files, and what programs they run, privacy experts say.”
Veriato even “allows bosses to play back videos of what took place on a user’s screen and can collect ‘communications activity’ both on traditional email programs as well as ‘popular webmail services.’”
Will Ash, director of security for the U.S. public sector at Cisco Systems, says that modern security “needs to focus on architectural end-to-end network protection; from the data center, to the growing number of endpoint devices and sensors that are being connected, all the way in to the cloud.”
Ash advises that “keeping security analysts, teams, and the architectural components themselves updated on the latest threat intelligence, event information, context and policy is extremely important.”
“In addition to an automated architecture, agencies will benefit from real-time monitoring capabilities to understand network activities and identify anomalous user behavior, greatly reducing threats such as an insider with a flash drive whose intentions could pose a security risk,” Ash says.
2. Change BIOS Settings
Brien Posey, a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS, notes that a common technique for preventing use of USB storage devices is to “disable USB ports at the BIOS level.”
BIOS (Basic Input Output System) contains the settings responsible for controlling the basic functions of a computer.
The website LockerGnome notes that administrators can change the BIOS settings for each workstation and then assign passwords to the BIOS settings “to prevent non-admins from modifying them.”
Posey notes that this approach can have some pitfalls. “First, not all systems offer the option of disabling USB ports,” he notes. “The other drawback is that disabling USB ports is an all-or-nothing proposition. If you disable a system's USB ports, you will prevent unauthorized use of USB storage devices, but at the same time you will also prevent them from using legitimate USB-based keyboards, mice or printers.”
3. Use Software and Rewrite Code to Block USB Devices
Specific pieces of software can block USB flash drives from accessing networks and systems. For example, Check Point’s Pointsec Protector software “uses combinations of whitelists and blacklists to block access to devices and files without any legitimate business purpose, while still allowing users access to critical tools, applications and data defined by brand, model and file type,” according to TechTarget.
LockerGnome adds that users could disable “write access or write privileges to USB ports via Windows Registry so that data cannot be transferred to a connected device (and thus rendering them as read-only).”
Admins can also completely disable “users from attaching and reading USB storage devices by editing values of certain registry entries or adding new registry keys.” Similarly, the site notes, they can disable USB ports “from the Device Manager function of Windows or uninstalling the USB mass storage drivers completely.”
Additionally, network admins can create a group policy “that disables read and write access to USB devices attached to computers within the network.” A more last-ditch effort might be “unplugging the built-in USB ports from the PC card or bracket within the motherboard to prevent users from connecting to this common PC component.”
4. The Epoxy Route for Blocking USB Drives
Posey notes that “one of the oldest and most effective techniques for controlling the use of USB storage devices involves pumping the workstation’s USB ports full of epoxy. This makes it physically impossible for a user to plug a USB device into his or her workstation.”
However, this low-tech approach has serious downsides, he notes. First, blocking ports means that IT staff members cannot use external hard drives or CD drives that connect to computers via USB to reinstall an operating system or troubleshoot a legitimate problem. “The help desk staff still has the option of temporarily installing an IDE drive, but this is far more time consuming, since it involves opening the PC’s case,” he says. “It is usually much more efficient to plug a portable drive into a USB port.”
Plus, tampering with a computer’s USB ports usually voids the system’s warranty, which is another strong argument for not going this route. “I have also heard unconfirmed stories of technicians turning on a PC before the epoxy was completely dry and causing damage to the system board as a result,” he writes.