A now very “ex”-government employee managed to compromise the networks of the US Geological Survey (USGS) after viewing some 9,000 malware-infected pages of porn on his work-issued laptop… and then further spread the contagion by saving images onto an unauthorized USB drive and his Android phone.
No surprise here: the unnamed employee no longer works at the agency, OIG External Affairs Director Nancy DiPaolo told NextGov.
The office of the Inspector General at the US Department of the Interior (DOI) published a redacted memorandum about the incident on 17 October.
The Inspector General said that a forensic investigation following the incident found that the employee had an “extensive history” of visiting porn sites. Many of the 9,000 pages he visited were routed through websites that originated in Russia and contained malware. Unsurprisingly, the phone and USB drive he saved his images to were also infected with malware.
The memo noted that malware is often used to damage or disable computers and/or to steal confidential information while spreading itself far and wide – not exactly the kind of thing you want romping around on government systems.
Put a wrapper on it
Of course, there are ways to protect government/any/your networks and devices from picking up a disease from an adult site – or any other sites, for that matter.
The DOI’s rules explicitly prohibit employees from using its systems for “illegal or inappropriate activities,” including viewing or distribution of pornography. Its Rules of Behavior also prohibit employees from connecting personal devices, such as USB drives and cell phones, to government-issued computers or networks.
Well, that’s all great, if employees actually pay heed. This one clearly did not: he attended annual security training several years prior to detection of his misdeeds, and each of those years, he signed a statement saying that he understood the rules and would abide by them.
Beyond requiring that employees sign off on Rules of Behavior and then trusting that they’ll abide by those rules, there are other ways to protect a network.
From the memo:
An ongoing effort to detect and block known pornographic web sites, and web sites with suspicious origins, will likely enhance preventative countermeasures.
The Inspector General suggested that USGS “enforce a strong blacklist policy” of known, rogue websites or domains.
It’s worth noting, however, that “avoid porn sites” is very selective security advice, as is “avoid dodgy sites”. Blocking access to porn sites specifically will probably help, but crooks and bad actors don’t care what a site does. All they care about is whether or not a site can be compromised, and that can and does include everything from porn sites to brands you’ve heard of (and their ad providers).
So, defense in depth starts with a web filter that’s continuously updated with the latest information about domains being used for phishing and malware distribution, whether they’re porn sites or not.
The Inspector General’s memo pointed to further changes that have taken place at the Earth Resources Observation and Science (the acronym for which is, ironically enough given this context, EROS) Center since the incident in question. Namely, EROS has enhanced its intrusion detection systems (IDS) and firewall technology to “assist in the prevention and detection of rogue websites trying to communicate with government systems,” the memo said.
As far as employees plugging in USB drives goes, the Inspector General has recommended that USGS set a policy banning the use of unauthorized USB devices on all employee computers:
Best practices for malware incident protection include restricting the use of removable media and personally owned mobile devices.
It does indeed. In fact, in May, IBM went so far as to ban all removable storage – unauthorized and authorized alike. The message from IBM’s Chief Information Security Officer (CISO), Shamla Naidoo, boiled down to this: “No more USB drives! Want to move it? Use the network!”
As Paul Ducklin noted at the time, and as Sophos CISO Ross McKerchar heartily seconded, that’s a lot easier said than done. Humans have a tendency to cook up workarounds – workarounds that could be riskier than the thing being banned in the first place. Trying to manage access to USB devices might be a better way to go.
Paul passed on these tips that might spare organizations from outright bans on USBs – bans that could lead to opening that hair-raising Pandora’s box of employee creativity:
- Encrypt all your USB devices. It’s a bit more work than just having a free-for-all, but if you routinely encrypt everything, you never have to worry whether there were any files you forgot about.
- Provide easy-to-use alternatives. If you want to wean your staff off USB storage, give them a cloud-based solution that they’ll want to use, and that’s easy to learn.
- Make everyone aware of the risks. Banning USBs won’t stop data leakage – data copied to the cloud has “gone somewhere else” too, after all – so make sure your staff know why it’s important to care about security.
- Check your logs. Whether you use USBs, cloud drives or both, be sure to check any logs you keep of who’s put what where. If you aren’t going to look at your logs, don’t bother keeping them – never collect any data without a purpose.
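One way to act on the last two tips together, as an added example that is not from the article, the memo or Sophos: a small Python audit of Linux kernel USB log lines that flags any mass-storage device not on an allowlist of approved encrypted drives. The log lines follow the shape of the kernel's usual USB messages but are constructed for this example; the host, vendor/product IDs and serial numbers are invented.

```python
import re

# Allowlist of approved (vendor id, product id, serial) triples, i.e. the
# organisation's own encrypted drives. Values are made up for this example.
APPROVED_DRIVES = {("abcd", "1234", "AA11BB22")}

# Constructed sample lines in the shape of Linux kernel USB messages with a
# syslog prefix; host, timestamps, IDs and serials are invented.
SAMPLE_LOG = """\
Oct 17 09:12:01 ws-42 kernel: usb 1-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Oct 17 09:12:01 ws-42 kernel: usb 1-1: SerialNumber: AA11BB22
Oct 17 09:12:02 ws-42 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Oct 17 09:30:44 ws-42 kernel: usb 1-2: New USB device found, idVendor=3333, idProduct=4444, bcdDevice= 1.10
Oct 17 09:30:44 ws-42 kernel: usb 1-2: SerialNumber: KBD7
Oct 17 13:05:19 ws-42 kernel: usb 1-3: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 2.32
Oct 17 13:05:19 ws-42 kernel: usb 1-3: SerialNumber: PHONE0001
Oct 17 13:05:20 ws-42 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
"""

PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: "
NEW_DEVICE = re.compile(PREFIX + r"usb (?P<port>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL = re.compile(PREFIX + r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE = re.compile(PREFIX + r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def audit_usb_storage(log_text, approved=APPROVED_DRIVES):
    """One finding per mass-storage attach event; devices not on the allowlist are flagged.

    Keyboards, mice and other non-storage devices produce no finding: the
    policy is about removable media, not about USB in general.
    """
    devices = {}   # port -> details collected from the preceding kernel lines
    findings = []
    for line in log_text.splitlines():
        if m := NEW_DEVICE.match(line):
            devices[m["port"]] = {"ts": m["ts"], "host": m["host"],
                                  "vid": m["vid"], "pid": m["pid"], "serial": None}
        elif m := SERIAL.match(line):
            if m["port"] in devices:
                devices[m["port"]]["serial"] = m["serial"]
        elif m := STORAGE.match(line):
            dev = dict(devices.get(m["port"], {}), port=m["port"])
            key = (dev.get("vid"), dev.get("pid"), dev.get("serial"))
            dev["verdict"] = "approved" if key in approved else "UNAUTHORIZED"
            findings.append(dev)
    return findings


if __name__ == "__main__":
    for f in audit_usb_storage(SAMPLE_LOG):
        print(f"{f.get('ts')} {f.get('host')} port {f['port']}: "
              f"{f.get('vid')}:{f.get('pid')} serial={f.get('serial')} -> {f['verdict']}")
```

Matching on the serial as well as the vendor/product pair is what lets the allowlist distinguish the organisation's own issued drives from any other stick of the same model.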