Brian St. Marie - Sr. Systems Engineer
An article yesterday in the Washington Post, "Cyber-intruder sparks massive federal response," details how US military computer networks were infected by malware, dubbed Agent.btz, at some point in 2008. An interesting read, it shows how differently the government responded to the incident, compared to the typical response in the civilian world. However, the commonalities are also there, particularly in how the infection began.
As with many outbreaks these days, the infection came from portable media; in this case a USB thumb drive. A favorite for people who travel and professionally network with others, USB thumb drives provide a simple way to transmit large files easily and quickly. However, they very often also act as a vector for all types of computer infections. Once infected, a thumb drive will attempt to infect any computer it comes into contact with, often spreading quickly throughout computer networks.
Infections caused this way are hard to block, as they bypass most of the centralized filters and safeguards that protect the network from the internet. In the case of the US military, their most critical networks are actually physically separated from the internet ("air-gapped" as they call it). This is the ultimate firewall and content filtering system, as it completely forbids any communication or transfer of data between the internal network and the public internet. But even the best security defenses do not protect against human action, as we can clearly see from the military's situation. At some point, a US military member used a USB thumb drive in a public internet kiosk in Afghanistan and then re-used that same thumb drive on a computer system connected to the most highly classified US military network. Despite the military policy which forbade this exact scenario, the person clearly decided to act outside the rules. And so the infection began.
The lesson learned here is that no matter how extensive your network protection and safeguards, ultimately the biggest liability any network will have is its users. Users have a vested interest in getting their job done and will use whatever tools are at their disposal to do it, even if this means going against a policy which they do not necessarily understand. While it may be possible to completely lock down a network to the extent that a user can never put it at risk, the entire purpose of the network is to help the user do their job as efficiently as possible. This illustrates the age-old challenge in security: risk versus convenience. No matter how secure you try to make a network, you can never make it both completely secure and completely usable. Striking the balance between risk and convenience is a challenge for every organization and relies heavily on the proper education of its users. In the case of the military, it would seem their education on security policy is a bit lacking when it comes to the IT world, though that has already begun to change in the aftermath of this incident. Nonetheless, every organization needs to be aware of the liability of improper security training and take regular action to minimize this threat.
If you need help training your employees to understand the benefit and necessity of computer security policy, or need help developing such a policy in the first place, contact us today and we'll be happy to help.