The U.S. Department of Defense Cyber Command recently issued an announcement that was somewhat attention-getting:
"An infected flash drive inserted into a Defense Department computer in 2008 caused 'a significant compromise' of the department's classified computer networks and was a 'wake-up call' for Pentagon officials to expedite cyberdefense measures, the deputy secretary of defense revealed ..."
Outlined in a column in Foreign Affairs Magazine, Deputy Secretary of Defense William J. Lynn III said a foreign security agent uploaded the malicious code into a U.S. military laptop via USB drive and caused extreme chaos in the process.
"That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," Lynn wrote. "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."
So if the U.S. military can leave itself exposed, and wind up attacked in such a major way by someone with evil intentions, what hope is there for the rest of us?
The episode underscores the high-stakes war that rages inside many enterprises -- both public and private -- and how resellers and solution providers are caught in the crossfire.
There are tools to lock down networks -- a great USB security solution, Zecurion's Z-Lock, was reviewed by the CRN Test Center earlier this year and can work to prevent similar attacks on most enterprises. But it seems that the potential vulnerabilities are growing faster than the protections.
Best practices are largely the same for everyone when it comes to security: deploying appropriate end-point security (including drive-locking technology, if necessary), firewalls, management, antivirus, anti-DDoS technology, as well as physical protection of data centers, common-sense hiring, partnering and collaboration rules and regular patching regimes. Constant monitoring, testing and check-listing of security solutions and practices are also necessary.
We're beginning to believe that an additional entry into the best-practice list -- third-party, outside auditing of the soup-to-nuts security architecture and deployment -- will need to be included sooner rather than later as another measure of protection. VARs with successful security practices may already be branching into the independent auditing space; if not, it is worth significant consideration.
During World War II, the adage was, "Loose Lips Sink Ships," as the government feared our national secrets would fall into the hands of enemies with even the most casual of dialogues. Today it may take only a loose USB drive to do the same thing. Channel security experts could very well be the ones who keep those loose lips and loose flash drives zipped up before the war is lost.
E-mail Ed Moltzen at Edward.firstname.lastname@example.org