Count the cost

A recent CIO article, "Ten steps for mitigating data risk during a merger," brought back memories. In 1998, the company I worked for, TIS, was acquired by Network Associates. One of my last acts as TIS' CISO was to instruct the IT folks to keep firewall separation until they could get out to Santa Clara and install Gauntlet firewalls there.

You see, I rightly assumed that our network security postures were mismatched. Network Associates had only been an antivirus company (McAfee) and a packet sniffer company (Network General) glued together by money. It wasn't that I didn't think they cared about Internet security. I just thought that they had security tunnel vision. I also thought we knew more than they did about the subject and so had tighter controls in place.

A related story needs some background. In mid-November the United States Department of Defense suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets. You can read the article. It sounds like a smart move. Someone where I work pointed out that it really was untenable. Operational requirements in many organizations require moving data from one network to another by thumb drive.

(A comment on an Army blog will come as no surprise. "This prohibition is now widespread. We had it at Ft McPherson over a year ago. The easiest work-around is to e-mail files to/from each other and to outside (yahoo, msn, g-mail). For briefs, e-mail them to yourselves, then log onto the conference computer and get your own mail." I predict bigger problems to come from these work-arounds. The Law of Unintended Consequences. But, I digress.)

Given the order and the probably common reaction, as in the above example, the Air Force has taken the next step necessary to maintain network integrity: "Air Force Unplugs Bases' Internet Connections."

I think the USB ban was the wrong move. It looked like it was an attempt to curtail malware propagation (the Wired article cited said "to stop a worm assault"). There are other things they could have done. If it was intended to fight a different problem, say memory sticks with sensitive data showing up in Afghan street markets, then there are other mitigations that could have been effective.

Given that the policy was changed, the recent action by the Air Force was the right one. You know the adage, "Security is a chain, and only as strong as its weakest link." Both small and large organizations can learn from this. First, think through carefully the impact to your mission or business when implementing a policy change (even if your policy is not written down). Then, enforce it.

1 comment:

Fred Avolio said...

Dave Kennedy and William Murray just blogged about Tiny Media in which they touch on the thumb drive ban.