Data-at-rest team takes on USB drives

A malware attack in November led DOD officials to declare a moratorium on the use of removable storage devices, and DARTT is being called on to help solve the problem.

A crisis in the security of removable media two years ago spurred the Defense Department’s chief information officer to create the Data-at-Rest Tiger Team (DARTT). Then a major malware attack in November 2008 led DOD officials to declare a moratorium on the use of USB storage devices and other removable media, and DARTT is being called on again to help solve the problem and provide confidence in the security and usability of data at rest.

Two years ago, a reporter from the Los Angeles Times bought a USB storage device at a bazaar just outside Bagram Air Base in Afghanistan. The device appeared to hold classified intelligence data. The incident, coupled with the loss of a Veterans Affairs Department laptop PC carrying veterans’ health records, led DOD CIO John Grimes to create DARTT. The group now has representatives from 20 DOD component organizations, 18 other federal agencies and NATO.

DARTT has been a resounding success — and not just for DOD. Other federal agencies also have benefited. In June 2007, DOD, the General Services Administration and the Office of Management and Budget issued blanket purchase agreements for 10 data protection products certified by DARTT. As of December 2008, federal agencies had bought about $112 million worth of information security products at an actual cost of about $19 million through DOD’s Enterprise Software Initiative and GSA’s SmartBuy program, said David Hollis, the DARTT program manager.

Now the group is facing another challenge: It must come up with a certification for removable storage devices so they can once again be used on DOD computers. After the malware attack spread through DOD’s networks last November, the Joint Task Force-Global Network Operations banned USB storage devices. “Over 40 percent of all viruses and worms are transferred from one computer to another by removable media like thumb drives,” states an Air Force memo notifying personnel about the restriction.

The ban has created a hardship for many network users who have limited connectivity to the Unclassified but Sensitive IP Router Network and the Secret IP Router Network because of low or unreliable bandwidth. Those users depended on removable media — especially USB storage devices — to move data between systems. DARTT is now in the process of creating a certification standard that will be used to determine which USB products can be connected to DOD computers.

“The [USB] moratorium in DOD will soon be lifted with guidance from DARTT,” said Bryan Glancey, chief technology officer at Mobile Armor, one of the software vendors covered under the Enterprise Software Initiative BPAs. “DARTT is going to be issuing guidance on which USB keys you can use in order to comply.”

DARTT is especially interested in built-in virus scanning for USB storage devices. “I think that retrofitting the products to include the active scanning capability was very critical,” said David Duncan, president of Encryptx, another DARTT-approved encryption vendor.

Encryptx was one of three companies at the FOSE 2009 expo in March that exhibited USB products with active virus scanning. Duncan said the products were scheduled to become available last month. The 1105 Government Information Group, which owns Defense Systems, runs the FOSE trade show.

Many hardware vendors use Encryptx’s SecurFlash to encrypt and protect data on removable devices. USB drives with SecurFlash can be managed using DeviceDefender, a Java-based Web console that audits what files are written to secured thumb drives. DeviceDefender can also be used to enforce security policies on thumb drives. And if a device is stolen, DeviceDefender can remotely erase it when it is inserted into an Internet-connected computer.

Duncan said the DARTT team met with him and other vendors, including representatives of antivirus company McAfee and data-at-rest BPA-holder Rocky Mountain RAM, in December 2008. “The key feedback coming out of that was obviously the need for an antivirus, anti-malware integration within the SecurFlash product and the need for an anti-malware, antivirus scan and capability within DeviceDefender,” Duncan said.

The key to protecting against viruses is to scan files before they are encrypted and written to a removable device; once data has been encrypted, a scanner can no longer recognize malicious content in it. Encryption technology vendors who have discussed DOD’s needs with DARTT are embedding virus scanning into their encryption code. Encryptx now has that capability, and it can be incorporated into firmware on a removable storage device as part of the SecurFlash encryption code.

Encryptx is providing virus scanning separate from encryption so data that doesn’t require encryption can also be protected from malware, Duncan said.
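The scan-before-encrypt ordering described above, and the separate scan for data that is written unencrypted, as an added illustration that is not code from the article, from Encryptx or from any other vendor named here: a toy write path that scans plaintext, blocks and audits on a hit, and only then encrypts with a stand-in HMAC-based stream cipher. The signatures, key and file contents are constructed; the functions `scan`, `xor_crypt` and `write_to_drive` are hypothetical names.

```python
# Added example: scan plaintext before encrypting it onto removable media.
import hashlib
import hmac

# Constructed, hypothetical byte patterns standing in for AV signatures.
SIGNATURES = {
    "demo-dropper": b"DEMO-MALWARE-MARKER",
    "demo-macro": b"AutoOpen()-DEMO",
}

def scan(data: bytes) -> list[str]:
    """Return the names of all signatures present in data."""
    return [name for name, pat in SIGNATURES.items() if pat in data]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (illustration only)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher style XOR; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def write_to_drive(key: bytes, name: str, data: bytes, drive: dict, encrypt: bool = True) -> bool:
    """Enforcement point: scan the plaintext first, then encrypt (or store in
    the clear) and write. Returns True if written, False if blocked."""
    hits = scan(data)                       # always runs on plaintext
    if hits:
        drive.setdefault("_audit", []).append((name, hits))
        return False
    # Per-file nonce derived from the name so the keystream is never reused.
    drive[name] = xor_crypt(key, name.encode(), data) if encrypt else data
    return True

def demo() -> dict:
    key = hashlib.sha256(b"constructed demo key").digest()
    drive: dict = {}
    clean = b"quarterly readiness report, unclassified"
    infected = b"report header " + SIGNATURES["demo-dropper"] + b" trailer"
    return {
        "clean_written": write_to_drive(key, "report.txt", clean, drive),
        "infected_blocked": not write_to_drive(key, "tool.exe", infected, drive),
        "unencrypted_blocked": not write_to_drive(key, "notes.txt", infected, drive, encrypt=False),
        # Scanning only the ciphertext finds nothing: the pattern is masked.
        "ciphertext_scan_hits": scan(xor_crypt(key, b"tool.exe", infected)),
        "audit": drive.get("_audit", []),
    }
```

Running `demo()` shows the infected file blocked on both the encrypted and the unencrypted path, while a scan of the same file's ciphertext reports no hits at all.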

Mobile Armor has developed a similar capability for its KeyArmor product, a thumb drive with built-in encryption and virus scanning that can be remotely erased from a management console.