Flash media – small, but deadly … to computer systems

A flash media drive. U.S. Coast Guard photo by Petty Officer 2nd Class Patrick Kelley.

U.S. Coast Guard photo by Petty Officer 2nd Class Patrick Kelley.

Written by Lt. Vignette Kaltsas.

The attraction for using removable flash media.
Removable flash media are small, quick and convenient. They can store up to one terabyte of information, making them convenient for storing and transporting pictures, music and files. Removable flash media include USB thumb drives, compact flash, smart media, secure digital (that’s what the “SD” stands for on the card in your phone and camera), multi media cards and memory sticks. This media is typically used in portable devices such as smart phones (e.g. Android & iPhone), tablets, digital cameras, portable music players, USB thumb drives, etc.

Portable devices can be security threats.
Flash media is one of the biggest threats to the security of the United States and the Coast Guard network. Most notably, a single thumb drive was allegedly responsible for the recent disclosure of classified information from the National Security Agency. Flash media is convenient because it is usually inexpensive to buy and information can be easily transferred onto them. Most flash drives do not contain any kind of encryption or virus protection mechanism, and if lost or stolen, provide complete access to the information stored on the flash media. What if the drive is connected to the CG network? Adversaries use flash media as an effective and efficient way to introduce malicious content to networks they want to attack.

Think twice about what information you save on flash media.
Hundreds of millions of flash media drives are sold every year. I bet many of you have some at home now. In addition to backing up data, these little devices are extremely useful for sharing large files between computers. But there are dangers associated with using these devices. The first is the risk of storing your private data, and then losing or having the device stolen. If it is not encrypted, there goes your data. This risk can be mitigated with the use of a secure flash media device.

USB thumb drives spread viruses.
Malicious viruses can also be spread using flash media devices. The 2010 Iranian nuclear facility Stuxnet computer virus attack was allegedly caused when an unsuspecting scientist plugged a flash media device into the nuclear network. The U.S. Department of Homeland Security ran a test in which staffers dropped flash drives in the parking lot of government and contractor buildings. Sixty percent of folks who picked them up simply plugged them into networked computers. That percentage jumped to 90 percent if the drive had an official logo. As you can see, an attacker does not need to work hard to gain access to a networked system.

Follow Coast Guard Policy.
Coast Guard policy prohibits the use of removable flash media devices such as USB thumb drives, memory sticks, iPods, iPads, tablets, smart phones, cellular phones, MP3 players, cameras, etc., from connecting to Coast Guard networks. By plugging these devices into the Coast Guard network, you place the network at risk of a catastrophic incident. Government-issued cellphones, smart phones or tablets are also prohibited from connecting to the Coast Guard network.

Best Practices concerning Critical Infrastructure Protection.
• Do not connect flash media to the Coast Guard networks.
• Use approved removable media for storing sensitive information (e.g. – encrypted external hard drives).
• Keep antivirus and computer security software up to date if using for telework via CACRAS or to view Coast Guard emails via Outlook Web Access.
• The Coast Guard provides access to free downloadable antivirus for personally owned computers used for work.

Tags: , ,