
Three ways to avoid threats from ‘device creep’

Level 11

The federal technology landscape has moved from secure desktops and desk phones to the more sprawling environment of smartphones, tablets, personal computers, USB drives and more. The resulting “device creep” can often make it easier for employees to get work done – but it can also increase the potential for security breaches.

Almost half of the federal IT professionals who responded to our cyber survey last year indicated that the data that is most at risk resides on employee or contractor personal computers, followed closely by removable storage tools and government-owned mobile devices.

Here are three things federal IT managers can do to mitigate risks posed by these myriad devices:

1. Develop a suspicious device watch list.

As a federal IT manager, you know which devices are authorized on your network – but, more importantly, you also know which devices are not. Consider developing a list of unapproved devices and have your network monitoring software automatically send alerts when one of them attempts to access the network.
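One way to turn that watch list into detection logic is to run it over the access-layer logs your monitoring software already collects. The Python below is an added example, not code from the article or from any monitoring product; the log line format, the authorized inventory and the watch-list entries are constructed for illustration. It flags two tiers: devices explicitly on the watch list, and devices that are simply not in the authorized inventory.

```python
"""Watch-list alerting over constructed network-access log lines.

Added example; not code from the article or any vendor's product.
Log format, inventory and watch-list contents below are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: one line per device the access layer saw.
# Assumed format: <ts> <switch> port=<port> mac=<mac> ip=<ip> host=<hostname>
SAMPLE_LOG = """\
2024-03-04T08:02:11 sw-floor2 port=Gi1/0/7 mac=00:1a:2b:3c:4d:5e ip=10.20.1.15 host=GOV-WS-0117
2024-03-04T08:05:43 sw-floor2 port=Gi1/0/9 mac=a4:5e:60:aa:bb:cc ip=10.20.1.88 host=iPhone
2024-03-04T08:07:01 sw-floor3 port=Gi1/0/2 mac=00:1a:2b:3c:4d:60 ip=10.20.2.21 host=GOV-WS-0204
2024-03-04T08:09:19 sw-floor3 port=Gi1/0/4 mac=f0:9f:c2:11:22:33 ip=10.20.2.77 host=
"""

# Authorized inventory (MAC -> asset tag); constructed.
AUTHORIZED = {
    "00:1a:2b:3c:4d:5e": "GOV-WS-0117",
    "00:1a:2b:3c:4d:60": "GOV-WS-0204",
}
# Explicit watch list of known-unapproved devices (MAC -> reason); constructed.
WATCH_LIST = {
    "a4:5e:60:aa:bb:cc": "personal phone previously seen on guest VLAN",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) port=(?P<port>\S+) mac=(?P<mac>[0-9A-Fa-f:]{17}) "
    r"ip=(?P<ip>\S+) host=(?P<host>\S*)$"
)


@dataclass(frozen=True)
class Alert:
    severity: str      # "high" for watch-listed, "medium" for not-in-inventory
    ts: str
    mac: str
    ip: str
    location: str      # switch/port, so the responder knows where to look
    reason: str


def normalize_mac(mac):
    """Lower-case and colon-separate a MAC so list lookups are exact."""
    return mac.lower().replace("-", ":")


def scan(log_text, authorized=AUTHORIZED, watch_list=WATCH_LIST):
    """Return alerts for every log line whose device is watch-listed or unknown."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production job would count and report these
        mac = normalize_mac(m["mac"])
        where = f"{m['switch']}/{m['port']}"
        if mac in watch_list:
            alerts.append(Alert("high", m["ts"], mac, m["ip"], where,
                                f"watch-listed device: {watch_list[mac]}"))
        elif mac not in authorized:
            host = m["host"] or "<no hostname>"
            alerts.append(Alert("medium", m["ts"], mac, m["ip"], where,
                                f"device not in inventory ({host})"))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.ts} {a.mac} {a.ip} at {a.location}: {a.reason}")
```

The two tiers are deliberate: a watch-listed device is a high-severity alert, while a device merely absent from inventory is medium, since it is as likely a newly issued asset as a rogue one. A MAC address is trivial to change, so treat a match as a trigger to investigate the switch port and any 802.1X identity, not as proof of what the device is.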

2. Ban USB drives.

The best bet is to ban USB drives completely, but if you’re not willing to go that far, invest in a USB defender tool. Used in combination with a security information and event management (SIEM) system, a USB defender tool lets you correlate USB events with other system usage and access violations to alert on malicious insiders.

USB events can be matched to network logs, which helps connect malicious activity with a specific USB drive and its user. Such tools can also block USB use entirely and disable user accounts if necessary. This type of tool is a very important component of protecting against USB-related issues.
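The correlation the SIEM performs here is simple to show in code: attribute each USB insertion to whoever was logged on to that host at the time, then count access-denied events on the same host shortly afterwards. The Python below is an added example, not code from the article or from any SIEM product; the event records, their field names, the ten-minute window and the two-event threshold are all constructed assumptions.

```python
"""Correlate USB mass-storage events with logon sessions and access violations.

Added example; not code from the article or any SIEM vendor. The event
records, field names, window and threshold below are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample events from three sources, already normalized to one shape.
# kind: "logon"/"logoff" from the auth log, "usb_insert" from the endpoint agent,
# "access_denied" from the file server audit log.
EVENTS = [
    {"ts": "2024-03-04T07:55:00", "host": "GOV-WS-0117", "kind": "logon", "user": "jdoe"},
    {"ts": "2024-03-04T08:10:30", "host": "GOV-WS-0117", "kind": "usb_insert", "serial": "4C530001230903"},
    {"ts": "2024-03-04T08:12:05", "host": "GOV-WS-0117", "kind": "access_denied", "user": "jdoe",
     "path": r"\\fs01\finance\payroll.xlsx"},
    {"ts": "2024-03-04T08:13:40", "host": "GOV-WS-0117", "kind": "access_denied", "user": "jdoe",
     "path": r"\\fs01\finance\vendors.xlsx"},
    {"ts": "2024-03-04T12:00:00", "host": "GOV-WS-0117", "kind": "logoff", "user": "jdoe"},
    {"ts": "2024-03-04T13:00:00", "host": "GOV-WS-0204", "kind": "logon", "user": "asmith"},
    {"ts": "2024-03-04T13:30:00", "host": "GOV-WS-0204", "kind": "usb_insert", "serial": "0781550000AB12"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def build_sessions(events):
    """Return {host: [(user, start, end_or_None)]} from logon/logoff events."""
    sessions = {}
    open_by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "logon":
            open_by_host[e["host"]] = (e["user"], parse_ts(e["ts"]))
        elif e["kind"] == "logoff":
            # A logoff without a matching logon is treated as a zero-length session.
            user, start = open_by_host.pop(e["host"], (e["user"], parse_ts(e["ts"])))
            sessions.setdefault(e["host"], []).append((user, start, parse_ts(e["ts"])))
    for host, (user, start) in open_by_host.items():   # still logged on at end of log
        sessions.setdefault(host, []).append((user, start, None))
    return sessions


def user_at(sessions, host, when):
    """Who held an interactive session on host at time `when`, or None."""
    for user, start, end in sessions.get(host, []):
        if start <= when and (end is None or when <= end):
            return user
    return None


def correlate(events, window=timedelta(minutes=10), threshold=2):
    """For each USB insertion, attribute a user and count access-denied events
    on the same host within `window`; mark suspicious at `threshold` or more."""
    sessions = build_sessions(events)
    findings = []
    for e in events:
        if e["kind"] != "usb_insert":
            continue
        t = parse_ts(e["ts"])
        denied = [x for x in events
                  if x["kind"] == "access_denied" and x["host"] == e["host"]
                  and t <= parse_ts(x["ts"]) <= t + window]
        findings.append({
            "host": e["host"],
            "serial": e["serial"],
            "user": user_at(sessions, e["host"], t),
            "denied_after_insert": len(denied),
            "suspicious": len(denied) >= threshold,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag}: {f['host']} serial={f['serial']} user={f['user']} "
              f"denied={f['denied_after_insert']}")
```

The device serial is what ties the endpoint event to a physical drive, and the session lookup is what ties it to a person; neither source alone gives you both. Window and threshold are tuning knobs: too short a window misses a slow insider, too low a threshold pages on every mistyped share path.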

3. Deploy a secure managed file transfer (MFT) system.

Secure managed file transfer systems can meet your remote storage needs with less risk.

File Transfer Protocol (FTP) used to get a bad rap as being insecure, but that’s not necessarily the case. Implementing an MFT system can put a high level of security around FTP while still allowing employees to access files wherever they may be, from any government-approved device.

MFT systems also provide IT managers with full access to files and folders, so they can actively monitor what data is being accessed, when, and by whom. What’s more, they eliminate the need for USB drives and other types of remote storage devices.

Underlying all of this, of course, is the need to proactively monitor and track all network activity. Security breaches are often accompanied by noticeable changes in network activity – a spike in after-hours traffic here, increased login attempts to access secure information there.

Network monitoring software can alert you to these red flags and allow you to address them before they become major issues. Whatever you do, do not idly sit back and hope to protect your data. Instead, remain ever vigilant and on guard against potential threats, because they can come from many places – and devices.
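The two red flags named above, an after-hours traffic spike and a burst of login attempts, are each a few lines of detection logic once the data is in one place. The Python below is an added example, not code from the article or from any monitoring product; the hourly egress totals, the auth log lines, the business-hours definition and the thresholds are constructed assumptions that a site would tune against its own baseline.

```python
"""Flag after-hours traffic spikes and bursts of failed logins.

Added example; not code from the article or any monitoring product. The
records, business-hours window and thresholds below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

# Constructed hourly egress totals (bytes) for one subnet: (hour start, bytes).
HOURLY_EGRESS = [
    ("2024-03-01T22:00:00", 40_000_000),
    ("2024-03-01T23:00:00", 35_000_000),
    ("2024-03-02T22:00:00", 38_000_000),
    ("2024-03-02T23:00:00", 42_000_000),
    ("2024-03-03T22:00:00", 41_000_000),
    ("2024-03-03T23:00:00", 39_000_000),
    ("2024-03-04T22:00:00", 37_000_000),
    ("2024-03-04T23:00:00", 610_000_000),   # the after-hours spike
    ("2024-03-05T10:00:00", 900_000_000),   # business hours; not judged by this rule
]

# Constructed authentication log lines: "<ts> <OK|FAIL> user=<name> src=<ip>"
AUTH_LOG = """\
2024-03-04T23:02:10 FAIL user=jdoe src=10.20.1.15
2024-03-04T23:02:14 FAIL user=jdoe src=10.20.1.15
2024-03-04T23:02:19 FAIL user=jdoe src=10.20.1.15
2024-03-04T23:02:25 FAIL user=jdoe src=10.20.1.15
2024-03-04T23:02:31 FAIL user=jdoe src=10.20.1.15
2024-03-04T23:02:40 FAIL user=jdoe src=10.20.1.15
2024-03-04T23:03:02 OK user=jdoe src=10.20.1.15
2024-03-04T09:15:00 FAIL user=asmith src=10.20.2.21
2024-03-04T09:16:30 OK user=asmith src=10.20.2.21
"""

BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59 local time; an assumption


def is_after_hours(ts):
    """Weekends and anything outside BUSINESS_HOURS count as after-hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def after_hours_spikes(hourly, factor=5.0, min_history=3):
    """Flag an after-hours hour whose bytes exceed `factor` times the median of
    the after-hours hours seen before it; needs `min_history` prior samples so
    the first few nights do not alert on themselves."""
    history, spikes = [], []
    for ts_str, nbytes in sorted(hourly):
        ts = datetime.fromisoformat(ts_str)
        if not is_after_hours(ts):
            continue
        if len(history) >= min_history and nbytes > factor * median(history):
            spikes.append((ts_str, nbytes, median(history)))
        history.append(nbytes)
    return spikes


def failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (user, src) pairs with at least `threshold` failures inside any
    sliding `window`, regardless of the order lines arrived in."""
    records = []
    for line in log_text.splitlines():
        ts_str, result, user_f, src_f = line.split()
        records.append((datetime.fromisoformat(ts_str), result,
                        user_f.split("=", 1)[1], src_f.split("=", 1)[1]))
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    bursts = set()
    for ts, result, user, src in sorted(records):
        if result != "FAIL":
            continue
        q = recent[(user, src)]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            bursts.add((user, src))
    return sorted(bursts)


if __name__ == "__main__":
    for ts_str, nbytes, base in after_hours_spikes(HOURLY_EGRESS):
        print(f"after-hours spike at {ts_str}: {nbytes} bytes vs median {base}")
    for user, src in failed_login_bursts(AUTH_LOG):
        print(f"failed-login burst: user={user} src={src}")
```

Note that the successful logon at 23:03 immediately after six failures is exactly the sequence worth a human look, and that the spike rule compares only against other after-hours hours; comparing against a daytime baseline would hide a nightly 600 MB transfer behind normal business traffic.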

Find the full article on Government Computer News.

26 Comments
Level 9

Good Read!

I support these ideas.  Another few details to include are:

  • Corporate policy defines exactly what is allowed and what is forbidden.
  • Frequent training of employees to refresh their understanding of acceptable policy.
  • Ensuring your security staff has time assigned to reviewing accesses.  Too often I see security staff whose workloads are too large to accomplish the corporate security needs.
  • Training for your security staff to understand those tools you have made available (your NAC and SIEM systems).
  • Simulations and tests for your security staff that teach them how to recognize violations and suspicious behavior.
MVP

MFT/encrypted file transfer has been around for a while, especially for financial/payroll-related file transfers.  If you are not using it, then shame on you.

A suspicious device watchlist, while a good idea in theory, can be intensive to monitor for by scanning ports, ARP tables, discovery, and such.  Between MAC addresses that can be spoofed or changed and not having much info available besides an IP address, it can be tough to determine what it is. Then the question becomes... is it really what we think it is? This challenge exists at the private and commercial levels as well as the federal level.

Good points though.

Level 20

On our air-gapped network we don't allow writing to USB devices or burning CDs/DVDs.  The trick is having the ability to permit one person to do so if you want to.

Level 12

Good article, joeld; we have 2 of the 3. The USB issue is still being debated several levels above me.

Great article! I am highly interested in how to implement, as well as uphold, an anti-USB policy. They run rampant at my company. We need to ban them, but oddly enough the sternly worded email isn't working.

MVP

tinmann0715, use an AD group policy to shut down the USB ports for certain devices.  Granted, it works for Windows devices... but it is a start.

Level 17

Very nice article!  We implemented a no personal USB device/drive policy and offer encrypted USB drives to those who request them. This eliminates the issue of a personal device, and conforms to our data policy of all data being owned by the institution. So you put the institution data on the institution device that can be accessed when using our network or devices. The encryption prevents folks from just copying the data to their personal machine (direct file copy) and keeps it safe from anyone else who may be able to gain access to a data stream where they can pick out and try to rebuild the data.

We locked down USB years ago.

And our intrusion guys are on the cutting edge of suspicious devices.  Our new CIO is a Cyber Security Geek and it is amazing the changes he's making.

Like others here, my organization shut down USB ports, and implemented an encryption policy on those not locked down.  I see it as a very good thing for business security.

MVP

We also have a domain policy which does not allow writing to USB drives. eSATA is my friend.

MVP

We still allow USB drives. I don't believe we've had any issues to date. All PCs are patched and have antivirus software on them. Not sure if that's enough, but so far it seems to work. I'm not sure what the security team are planning.

Level 10

Allow USB but encrypt them.

Level 9

We have never allowed USB drives and it can be a pain sometimes.

Level 11

I would think everyone could still do their job in Federal IT without the use of USB devices, but I could see the hassle there.

Level 13

No USB drive allowed here.  We have policies in place.

Level 14

Great list of musts for all environments.... rschroeder

Well said!!!

Focusing on these at this very moment.

Level 14

Good read. 

Level 9

These are all well thought out recommendations. We do what we can to stem the tide of data flowing out of our network. I do not see an issue at this time but it could pop up at any moment. You just never know who is doing what to get around our corporate policies/procedures...

Good read tho!

Level 13

This is a serious issue in the healthcare industry as well.

Doctors like to get new personal gadgets and then use those gadgets while seeing their patients.  This results in frustrating calls to get devices online, make sure the web interfaces for whatever systems are compatible with the browsers on the personal gadgets (yes, you read that correctly, unfortunately), make sure whatever video call app is working to the doctor's satisfaction, etc.

MVP

wbrown, funny you mention this... my former doctor asked me about wireless networks and such before the office put one in.  They didn't have much choice in many aspects of it but wanted some information so that they were better informed.  The good thing is it was a small private practice and my doctor had listened and taken notes.  Gadgets and all... I don't see so many of those these days... mainly laptops and tablets with apps for taking notes and updating records.

Level 10

Are people using LEM here, or a combination of tools? NPM, SAM, IP SLAs?

Nice read.

MVP

jgrobinette050, I believe there is a mix of both.  Some people are using a single product while others have various portions of the suite in use.

MVP

bsciencefiction.tv, what about those old-school PS/2 keylogger devices, and similar devices? I thought those old analog-ish devices were not detectable, other than visually...

Level 11

For Linux, you can add a line to a modprobe.conf.d file, "install usb-storage /bin/true". You'll still need to remove any other references to "usb-storage" in grub, modprobe, etc., and you may need to rebuild the initramfs file, but after that, your Linux systems shouldn't be able to use USB drives.

Level 11

Doing that will risk flooding your helpdesk with calls from non-technical people who are annoyed that they can no longer read their thumb drive full of pictures of the grandkids that they brought in to show off at work.