NSA's lax ban on USB drives may have contributed to PRISM leaks

If Edward Snowden indeed used a thumb drive to steal classified files off a server, the NSA needs to revisit its security procedures

News about the NSA and FBI's surveillance programs doesn't just have privacy advocates wringing their hands in consternation; IT security analysts have raised the critical question as to how a 29-year-old government contractor was able to surreptitiously abscond with sensitive classified documents, share them with two media outlets, and escape the country unmolested.

It turns out Edward Snowden didn't need to employ any clever hacking tricks to carry out the data heist. He didn't have to lower himself into a secured server room via the air ducts, deftly avoiding infrared beams, to snag a disc containing the files. He simply plugged in a USB thumb drive, snagged the files off a server, and smuggled the device out of the NSA office in Hawaii, an unnamed investigator told the Los Angeles Times.

This bit of trivia should concern any IT admin worth his or her salt, because USBs have long been the bane of security professionals: They provide a perfect mechanism for malicious insiders to make off with sensitive data, and they are a tool for infecting target networks with all manner of nasty malware. (Any USB device poses a potential security threat, even an innocent-looking mouse.)

Ironically, the NSA is aware of the threat to the point that it has instituted a ban on thumb drives. The problem: "There are always exceptions" to the ban, a former NSA official told the Los Angeles Times. "There are people [particularly network admins] who need to use a thumb drive, and they have special permission. But when you use one, people always look at you funny."

Remember, we're talking about the NSA here, an agency charged with protecting sensitive information -- moreso than many of us realized. Yet not only did the NSA enable a third-party contractor to access and copy classified files to his own personal, portable storage device, but his actions didn't trigger any automated alerts.

There are well-documented ways to prevent this sort of data theft:

  • The City of Columbus uses classification software from Intelligent ID that encrypts data during file transfer; it can also be configured to encrypt data for a specific type of user, department, or even for specific file types. If someone wants to read the files, they'll need the necessary encryption key.
  • Turkey-based wireless carrier Turkcell classifies every file and adds encryption when employees use thumb drives; the company also uses a unique alerting system to warn users that they are about to copy sensitive data. If there is a situation where a file must be copied, the employee calls the help desk for authorization based on job requirements and manager approval.
  • Cigna uses Verdasys Digital Guardian software to monitor all ports and encrypt data transfers. When employees try to transfer files to a thumb drive, they are prompted to type in the reasons for the transfer. The data they actually transferred is compared to those reasons.
  • The University of Alabama Birmingham Health System uses DeviceLock to monitor ports and encrypt data. Whereas staff and students are allowed to use thumb drives, all file transfers are monitored and recorded.

The details behind how Snowden made off with classified documents are still hazy. Perhaps Snowden was able to carry out the deed by getting his hands on login credentials belonging to someone high up the chain with the authority to copy the files. Perhaps the NSA embraces the all-too common folly of granting users more access privileges than they need.

The public may never know the full details behind how a third-party consultant managed to pull off a security breach of this magnitude against a government agency charged with protecting the nation. Here's hoping, though, that in addition to scrutinizing the constitutionality of the NSA's surveillance efforts, lawmakers will also direct the NSA to assess its IT security infrastructure and policies to prevent these types of leaks -- or worse.

This story, "NSA's lax ban on USB drives may have contributed to PRISM leaks," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Copyright © 2013 IDG Communications, Inc.

How to choose a low-code development platform