funsec mailing list archives
Re: [Fwd: RE: Pentagon Hit by Unprecedented Cyber Attack]
From: Valdis.Kletnieks () vt edu
Date: Thu, 20 Nov 2008 23:15:45 -0500
On Thu, 20 Nov 2008 21:19:52 EST, Jon Kibler said:
> 2) About the article: No organization that has ANY interest in security should allow ANY type of removable media on ANY system. No hard drives, no CD/DVD players or burners, no thumb drives, no MP3 players, etc. To allow removable media and/or devices introduces two serious risks: a) data exfiltration, and b) malware infections. The DoD has never allowed removable media on any classified network, and I was under the impression that the same policy applied to unclassified networks as well.
I was under the impression that at some of the nuclear weapons research sites, *all* media was removable, so that when you were done working with it, it was possible to unplug/remove the drive and put it back in the safe. And in fact, Los Alamos got raked over the coals recently when they had to admit that some of the drives didn't make it back into the safe.

I'm looking at DoD 5220.22-M (Feb 2006 version), and I see on page 8-3-1:

"C. Applicability of Logon Authentication. In some cases, it may not be necessary to use IS security controls as logon authenticators. In the case of stand alone workstations, or small local area networks, physical security controls and personnel security controls may suffice. For example, if the following conditions are met, it may not be necessary for the IS to have a logon and password: (1) The workstation does not have a permanent (internal) hard drive, and the removable hard drive and other associated storage media are stored in an approved security container when not in use."

Hmm... so that's saying that a workstation can be on a (presumably) classified network, and *NOT EVEN NEED A FRIKKING PASSWORD*, if it has *ONLY* removable media (and a few other requirements I didn't quote).

Of course, 5220.22-M is the set of rules that applies to DoD *contractors* - if you have a pointer to a *different* rule that applies directly to DoD networks, feel free to share.
Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.