Thursday, May 28, 2015

USB devices, fitness bands have no place on network

by James Butler
JBER Cybersecurity Office


5/28/2015 - JOINT BASE ELMENDORF-RICHARDSON, Alaska -- Did you know USB flash memory storage devices are not authorized for use on any Air Force information network?

In November 2008, U.S. Strategic Command banned the use of USB flash memory storage devices on the AFIN.

These devices include thumb drives, USB hard drives, PDAs, mobile phones, smart phones/watches, tablets/phablets, Fitbits, audio players, digital cameras, Go-Pros and e-readers.

This order applies to all active duty personnel, civilians, and contractors.

These devices threaten the base network by exposing it to vulnerabilities which could critically impact the mission of every unit on JBER.

The most common reasons for violating this network policy are simple - "I didn't know," "I forgot," or "I was only charging my phone/audio player."

Regardless of the reason, each violation subjects the base network to vulnerabilities like insider threats, recording/photographing/copying sensitive or classified data, data leakage, remote listening to sensitive or classified briefings, self-propagating malicious software, or infected firmware that can open command windows to download and install malicious software.

So what happens if you violate network policy and plug in these USB devices into your computer system?
It will result in a USB violation.

These violations are detected by means of network scanning.

Network-scanning software can detect when a USB device is plugged into a networked computer and even identifies the user logged-in to that system.
Scan results are sent to the base Cybersecurity Office for investigation.

When an unauthorized device is found on the network, the user's account will be disabled immediately and the respective unit commander or equivalent will be notified.

Prior to re-enabling the account, the user must re-accomplish DoD Cyber-Awareness training and complete Portable Electronic Device and Removable Storage Media training.

The user's commander must direct an investigation by the unit information system security officer and base Cybersecurity Office.

They will document findings, collect the user's training certificates, and coordinate with the Cybersecurity Office for network access approval by the 673d Communications Squadron commander.

The direct result of these violations is that they hinder productivity and take time away from mission projects - impacting the unit's mission through the investigation process.

Most network users may not realize that USB violations are, in fact, a violation of the UCMJ.

According to the 673d Air Base Wing Judge Advocate Office, a person responsible for a USB violation can be criminally charged with dereliction of duty under Article 92(3) of the UCMJ.

This may result in an Article 15 non-judicial punishment or other administrative actions.

Finally, disclosure of a USB violation must be reported by the user on security clearance applications - which may impact the issuance of the user's security clearance.

  So how can you officially use a USB flash memory storage device on your system without exposing the network to vulnerabilities or violating policy?
Your first step is to contact your unit ISSO.

He will coordinate your mission requirement to utilize the device with the Base Cybersecurity Office.

Only media devices pre-approved by the Base Cybersecurity Office are authorized to be connected to the network.

Users can contact their unit ISSOs for further guidance.

Don't be the person who violated the directive, plugged in an unauthorized USB device, and enabled a third party to gather intelligence from JBER's war-fighting networks.

No comments:

Post a Comment