Last year, the U.S. Department of Defense (DoD) temporarily banned the use of thumb drives and other removable storage devices because viruses, worms and malware were uploaded to their network.
 
Think about it. Thumb drives – tiny and able to enormous amounts of data – are ideal for moving information. Up until the ban, the CIO of the Navy regularly downloaded presentations to them. Medical records were stored on them while wounded troops were transferred from field hospitals to the United States. Aircraft and vehicle technicians housed their manuals on them. Thumb drives –convenient. Yet at the time, mostly unprotected.
 
Cut to now. The DoD, which should be commended for its proactive efforts to monitor for viruses and its methodical approach to reintroduce USB drives, is expected to issue new guidelines for the use of USB thumb drives before the end of the year. 
 
It is no secret that the guidelines will address the three aspects of security– management, safety and education. And in a recent conversation with William Mathews of Defense News, I shared McAfee’s – which currently provides comprehensive host system technology for  7 million DoD assets under the HBSS program – advice to create multiple layers of built-in defense for thumb drives.  In preparation for the USB ban lift,
McAfee Device Control with McAfee ePolicy Orchestrator (ePO) management, which provides the ability to closely control USB drives at an enterprise level, was recently added to HBSS.

First, we recommend that the management efforts involve only “trusted products” sold by “trusted suppliers” in the process. In this case, providers vetted by the DoD Data-at-Rest-Tiger Team (DARTT).  Second, USB thumb drives should have the following layers of protection, creating multi-layers of safety:     

• Scan data for malware, as data is entering and exiting
• Built-in encryption chips that covert everything to code and can be unencrypted only by a correct password, the right fingerprint or both
• Tamper-proof, so information self-destructs in anyone tries to defeat the encryption or disassemble the drive
• Assign a unique serial number to each issued drive so network operators may set specific restrictions on what each drive will and won’t do

Thirdly, education must take place.  Users need to understand how security helps them be more productive and empower them to work safely. McAfee Device Control includes capabilities to help accelerate this education process through intelligent notification and feedback directly to users as they make use of USB devices.  By taking an educated approach, the DoD can coach their users on the right steps to keep data safe.

The U.S. Army’s secure portal approach may prove more practical than U.S. Marine Corps’ ban

Recently, I had a chance to speak with Federal News Radio about evolving concerns at the Department of Defense (DoD) over network security and, in specific, the U.S. Marine Corps’ decision to enact a one-year ban on social media sites such as Facebook, Twitter and MySpace. 

There’s no question the concerns are legitimate.  For all the positives they can enable, the use of social media channels also raise the likelihood of security breaches occurring in a network setting.

With that said, it remains to be seen whether the Marine Corps’ recently announced ban represents a sustainable policy. 

Whether you refer to them as millennials, digital natives, generation Y, or just “young,”  the reality is that more and more of today’s military personnel grew up with the Internet and have woven social media and Wed 2.0 applications into their daily lives in a way that will be difficult to curtail.

For now, via the one-year ban, the Marine Corps is weighing its options on how to address this challenge — one that it knows is not going to go away.

USMC may find the U.S. Army’s approach to the same conundrum enlightening.

Rather than institute a ban that could be difficult to implement — let alone sustain — the Army took a different approach.  Instead of banning the use of social media sites, they acted to control the means by which personnel can access them. 

In order for a service member site access a social media site from .mil computer, he or she must do so via an approved, secure portal. In addition to keeping all data safe this approach also enables the Army to block sensitive information — such as GPS coordinates or other classified information — from being distributed, whether deliberately or in error.  

So, at this stage, we’ve got one service branch seeking to address the issue via a ban and another finding a solution via a secure access approach.  It will be interesting to see where DoD lands on the issue.  Hopefully, they’ll pursue a model that is close to the latter, rather than the former.

In this context, security is about education. Social media sites are here to stay and a balance is achievable between access and security. With the right policy, people and architecture, military personnel can access social media sites like Facebook, Twitter and MySpace while addressing and safeguarding DoD privacy, network security and bandwidth management issues.

As for McAfee products that can help: McAfee Network Data Loss Prevention (DLP) and McAfee Host Data Loss Prevention both help control flow of sensitive information. Host DLP plugs into the HBSS framework that is being deployed under mandate across all DoD.

McAfee Web Security Appliances and McAfee Email Security Appliances protect against malware being introduced into government networks through mediums such was social media sites.