500+ Incidents a Day: State Department's Cybersecurity Siege Against USBs
The U.S. State Department's cybersecurity software detects, on average, more than 500 incidents of unauthorized devices trying to connect to its protected systems every day.
That figure is calculated from a new State Department Inspector General (IG) report (PDF) that says from October 2015 to January 2017, malware protection software detected more than 250,000 incidents "where someone attempted to use unapproved USBs" on the State Department's "sensitive but unclassified" OpenNet network at a bureau or post somewhere in the world.
The malware protection software, made by the U.S.-based cybersecurity firm Symantec, denies the devices access to avoid breaches. But the IG reported it was concerned that "inadequate controls" over the "Master List" of approved and unapproved portable devices, like USB drives, "increases the risk of data loss and the introduction of malware."
The report suggests that in a vast majority of cases, unauthorized devices are not being sneaked in by foreign spies or anything so nefarious, but rather are simply used by some of the tens of thousands of State Department personnel around the world without knowing, or maybe caring, that the devices are unauthorized. The huge number of incidents is also indicative of the vast number of individuals and devices the State Department is trying desperately to keep in line when it comes to cyber threats.
Outside of the automatic software detection, the IG report noted 48 instances in which State Department personnel apparently reported the use of unapproved or unauthorized devices on foreign State Department bureau or post networks during the same time period. The IG investigated a handful of these and described two incidents in more detail:
One of the two incidents occurred at Consulate Mumbai, India, when a smart phone being charged in a user workstation was visually identified.
The second incident occurred at a Bureau of Consular Affairs’ office, when an iPod was found to have been connected to the system.
The incidents seem rather innocuous, but cybersecurity experts have long warned that a single device, loaded with the right sophisticated malware, could compromise an entire system if plugged in (or even not plugged in, if the adversary is getting really fancy).
In the end, the IG made several recommendations to clean up and regularly update the Master List of authorized and unauthorized devices and to provide greater guidance to analysts when reviewing the incidents in question. The State Department's Bureau of Information Resource Management (IRM), which works with the Bureau of Diplomatic Security to keep the department's networks safe, concurred with almost all of them.
Primary Source: State Department OIG Report on Unapproved Portable Devices (PDF)