USNA Laptop, USB Flash Drive and External Hard Drive User Policy

advertisement
USNA Laptop, USB Flash Drive and External Hard Drive User Policy
Overview – YOU, YOUR INFORMATION AND ACCESS TO INFORMATION ARE
THE TARGETS
As a U.S. government employee or contractor, you are susceptible to cyber-attacks. Information
Assurance and Information Security practices must be well understood and appropriate security
measures taken to ensure proper safeguarding of information (classified, sensitive, PII or other)
and networks. Vulnerabilities exist and can be exploited by domestic or foreign actors. Many
domestic hackers and foreign governments place a high priority on U.S. government
information. As sensitive information creation, access and storage becomes more portable, the
risk of being a target increases. As you travel, domestically or abroad, the risk is heightened.
Laptop computers and removable media are well-known sources of malware infections and have
been directly tied to the compromise of sensitive information and network intrusions in many
organizations.
Purpose
This policy document sets forth policies on laptop security practices and the authorized use of
unclassified removable media on the Naval Academy Network.
Scope
This policy covers the appropriate use of government furnished laptops and safeguards for all
unclassified removable media at the Naval Academy.
Specific User Responsibilities








Complete annual Information Assurance training
Comply with IT User policies (e.g. use of USB drives, password compliance, authorized
web browsing, reporting of suspicious activity)
Be sensitive to and take measures to protect Personally Identifiable Information (PII)
Properly safeguard laptops and external hard drives from a physical security perspective.
Report loss, damage or compromise of a laptop or external hard drive to the chain of
command and ITSD Security Department
Ensure government furnished laptops and devise are segregated from home and personal
devices
Do not download unauthorized software. If in doubt, check with your IT Rep, CRU or
ITSD Security Department
Comply with USNA’s Acceptable Use Policy and Navy User Agreement
Discussion
General travel security awareness and safeguarding of laptops.
In a world where reliance on information technology continues to grow, domestic and foreign
entities have increased the targeting of electronic devices such as laptops, computers, and
personal media such as Personal Digital Assistants and cell phones.
March 11, 2016
Travelers should report theft, unauthorized or attempted access, damage, loss and evidence of
surreptitious entry of their laptop or portable electronic devices to their chain of command and
the ITSD Security Department.
The following countermeasures can decrease or prevent the loss of sensitive information:
 Leave unnecessary electronic devices at home. Where practical, keep work laptops and
devices segregated from personal laptops and devices
● Use designated “travel laptops” that contain no sensitive information
● Perform a comprehensive anti-virus scan on all electronic devices prior to departure and
upon return (with ITSD Security)
 Ensure proper security settings (e.g. Wi-Fi access, passcodes used) are enabled on laptops
and devices
 Encrypt data, hard drives, and storage devices whenever possible
● Use complex passwords iaw the 14 complex character policy
● Enable login credentials on laptops and other devices
Favorite Tactics – foreign travel Computer Security
Foreign travel increases the risk of loss, theft and foreign intelligence targeting. You can be the
target of a foreign intelligence or security service at any time and any place; however, the
possibility of becoming the target of foreign intelligence activities is greater when you travel
overseas. The foreign intelligence services have better access to you, and their actions are not
restricted within their own country’s borders.
Collection techniques include:
● Bugged hotel rooms or airline cabins
● Intercepts of fax and email transmissions
● Recording of telephone calls/conversations
● Unauthorized access and downloading, including outright theft of hardware and software
● Installation of malicious software
● Intrusions into or searches of hotel rooms, briefcases, luggage, etc.
● Recruitment or substitution of flight attendants
Overseas travelers and the information in their possession are most vulnerable during transit.
Many hotel rooms overseas are under surveillance. In countries with very active
intelligence/security services, everything foreign travelers do (including inside the hotel room)
may be monitored and recorded. Entities can analyze their recorded observations for collecting
information or exploiting personal vulnerabilities (useful for targeting and possible recruitment
approaches). A favored tactic for industrial spies is to attend trade shows and conferences. This
environment allows them to ask questions, including questions that might seem more suspect in a
different environment. One assessment estimated that one in fifty people attending such events
were there specifically to gather intelligence.
March 11, 2016
Whether the person, the information, or both are traveling overseas, information electronically
transmitted over wires or airwaves is vulnerable to foreign intelligence services’ interception and
exploitation. Many countries have sophisticated eavesdropping/intercept technology and are
capable of collecting information we want to protect, especially overseas. Numerous foreign
intelligence services target telephone and fax transmissions. Suspicious entities can easily
intercept voice, fax, cellular, data and video signals. It is the conscientiousness or carelessness
of the individuals responsible that determines whether or not our sensitive information is
protected from unauthorized disclosure.
Security Countermeasures - Consciousness vs. Carelessness
Some commonsense security countermeasures should include:
• Do not publicize travel plans and limit sharing of this information to people who need to
know.
• Conduct pre-travel security briefings (contact ITSD and IPO for more details).
• Maintain control of sensitive information, media, and equipment. Do not pack these types
of articles in checked baggage; carry them with you at all times. Do not leave them
unattended in hotel rooms or stored in hotel safes.
• Keep hotel room doors locked. Note how the room looks when you leave.
• Limit sensitive discussions. Public areas are rarely suitable for discussion of sensitive
information.
• Do not use computer or fax equipment at foreign hotels or business centers for sensitive
matters.
• Ignore or deflect intrusive or suspect inquiries or conversations about professional or
personal matters.
• Keep unwanted sensitive material until it can be disposed of securely.
Methods used to exploit security vulnerabilities
Elicitation: A ploy whereby seemingly normal conversation is contrived to extract intelligence
information of value. Advantages of this technique are: (1) Puts someone at ease to share
information, (2) Difficult to recognize as an intelligence technique, and (3) Easily deniable. This
is an example of social engineering used for exploitation and cyber-attack.
Eavesdropping: Listening to other people’s conversations to gather information. Frequently
employed in social environments where attendees feel comfortable, secure and, therefore, more
likely to talk about themselves or their work. Frequent venues include restaurants, bars, and
public transportation. Eavesdropping can occur in a radius of six to eight seats on public
transportation or ten to twelve feet in other settings. This is an example of social engineering
used for exploitation and cyber-attack.
Technical Eavesdropping: Use of audio and visual devices, usually concealed. This technique is
relatively cost efficient and low risk. Concealed devices can be installed in public and private
facilities, such as hotel rooms, restaurants, offices, and automobiles.
March 11, 2016
Bag Operations: Surreptitious entry into the subject’s hotel room to steal, photograph, or
photocopy documents; steal or copy magnetic media; or download files from laptop computers.
Often conducted or condoned by host government intelligence, security services, or operatives
for local corporations. Frequently done with cooperation of hotel staff.
Surveillance: An act of following the subject to determine contacts and activities. This method is
labor intensive, if done correctly, and not usually employed unless suspected of improper activity
or a target of great interest.
Theft of Information: Stealing of documents, briefcases, laptop computers or sensitive
equipment. Laptop computers are especially vulnerable as they may contain key or
sensitive, private or privileged information. Foreign Service has plausible denial since the
laptop may have been stolen for the value of the laptop rather than the value of information.
This makes it difficult to determine if the information was compromised or not.
Intercepting Electronic Communications: Method of electronically monitoring telephones,
facsimiles, and computers. Subject is particularly vulnerable while communicating to, from or
within foreign countries, as most foreign telecommunications systems cooperate with their
country’s security service. Office, hotel, and portable telephones (including cellular) are key
targets.
How to Protect Yourself










Arrange a pre-travel briefing from ITSD Security Department and IPO.
Maintain physical control of all sensitive documents or equipment at all times. Do not
leave items that would be of value to a foreign intelligence service unattended in hotel
rooms or stored in hotel safes.
Limit sensitive discussions. Hotel rooms or other public places are rarely suitable to
discuss sensitive information.
Do not use computer or facsimile equipment at foreign hotels or business centers for
sensitive matters.
Do not divulge information to anyone not authorized to hear it.
Ignore or deflect intrusive inquiries or conversation regarding business or personal
matters.
Control unwanted material until it can be disposed of securely.
Keep laptop computers as carry-on baggage. Never “check” with other luggage
and, if possible, remove or control storage media.
If secure communications equipment is accessible, use it to discuss business matters.
Report any incidents to your chain of command and ITSD Security Department.
USB Drives and External Hard Drives
In accordance with Department of Defense (DoD) and Department of Navy (DoN) policies and
security requirements, USNA/ITSD policy is to enforce the existing ban on flash drives
connected via USB to the USNA Network. The DoD policy was issued in November 2008.
Most Users changed their habits and complied. New Network software allows ITSD to monitor,
March 11, 2016
inventory and prevent USB flash drive devices from connecting to the Network. External Hard
Drives and External CDROMs will continue to be permitted provided specific exemption and
inventory of the device is completed with ITSD. Examples of removable USB flash media
include thumb drives, digital cameras, smartphones and music players.
Any User attempting to connect to the USNA Network with an unauthorized USB or external
drive will receive a popup notifying the User that the connection was blocked. In this case, the
User should contact his/her IT Representative or the IRC to review the device and determine if it
should be permitted. The IT Representative will collect data regarding the device and enter a
Help Desk ticket. To be approved, devices must comply with the following:
● Be magnetic or optical media (such as CDs or DVDs)
● Cannot have any form of flash memory in the device
● Cannot be a personal device
If you have any questions, please contact your IT Representative or the IRC at
syshelp@usna.edu, x33500.
External hard drives promise almost unlimited storage or back up capacity: for under $100, a
terabyte (TB) of data can be added to a PC or Mac, portable or desktop. That's enough storage
for over 750,000 MP3s or photos, or over 230 DVD-sized movies. There are two types of
external drives. Desktop-style drives, with 3.5-inch mechanisms inside, require a power adapter.
Desktop drives are designed to stay in one place, usually on your work surface at home or at the
office. Notebook-class (aka pocket) hard drives are usually 2.5-inch or 1.8-inch mechanisms
powered through the connector cable without the need for a power adapter.
A 2.5-inch pocket drive can fit in a coat pocket and some pants pockets, while 1.8-inch drives
can easily fit in pants pockets. Desktop-style drives currently top out at 4 Terabytes (TB) per
mechanism, but some drive makers put two to four mechanisms into a drive chassis for more
storage (i.e., two 4 TB drives equal 8 TB of storage). Notebook-style drives come in capacities
up to 1.5 TB, but capacities from 250 GB to 750 GB are more common. External drives connect
to PCs and Macs via their external connectors.
Enforcement
Any person violating this policy may be subject to appropriate administrative and or disciplinary
action based upon the determination of the USNA CIO following the results of investigative
action in accordance with DoD and DON policy.
March 11, 2016
Download