Using USB devices on base computers big no-no

  • Published
  • By Staff Sgt. Luther Mitchell Jr.
  • 56th Fighter Wing Public Affairs
LUKE AIR FORCE BASE, Ariz. --  The first thing that pops up after logging onto a government computer is a message: "Effective immediately, the following removable flash media are unauthorized on all Department of Defense information systems until further notice: memory sticks, thumb drives and camera flash memory cards."

Many people may not read this message and click through the pop-ups until reaching their desktop screen. But, not heeding this message could be costly, as plugging in unauthorized devices can not only damage Air Force networks, they can also damage one's career.

"The current policy is a universal serial bus, or flash drive device, has to be approved by an information assurance officer," said Tech Sgt. Jeffery Carroll, 56th Communications Squadron NCO-in-charge of information assurance. "USB devices on the SIPRNet and NIPRNet have to be approved by an IAO and routed to the appropriate agencies for approval. Those users then will be loaded into a program that will recognize them as authorized users."

Flash media is banned and the only device authorized for use is an external spinning hard drive. Solid-state disk drives aren't allowed and are still considered flash media.

Flash media includes: USB flash drives, eReaders, digital cameras, MP3 players, smartphones, personal digital assistants, flash media cards, solid state hard-drives and wireless network air-cards.

The 561st Network Operations Squadron at Peterson Air Force Base, Colo., constantly scans the Air Force network for USB violations.

"Results are provided once a week to the 56th Fighter Wing Information Assurance Office in a report that lists the time, computer name, user name, item and IP address of the USB violation," said Steven Bryan, 56th CS communications security manager. "The WIAO tracks down the violator, disables the user's account, confiscates the violator's computer until a complete and thorough virus scan can be accomplished and the user's unit commander is notified."

The journey back into the good graces of the network gods is long and hard and involves additional training and lost man-hours.

"The violator must retake DOD cyber awareness training before being allowed access to the network," Bryan said. "The overall process can take several days to complete, resulting in non-productive time for the violator and those involved in the overall detection process."

The rules are clear: USB flash drive devices are not authorized to be connected to government computers and with good reason.

"Malicious code can be stored on a device straight from the factory and USB devices can easily introduce viruses into a computer network," Bryan said.

Additionally, USB flash drive devices pose a risk of loss and theft, and caution should be exercised when using them.

"People shouldn't be loading any personal identifiable information on external drives," Carroll said.

The Air Force's USB flash drive policy has been in effect since February 2009. Nevertheless, individuals continue to plug unapproved devices into government computers daily. If a device isn't properly labeled, it shouldn't be connected to a government computer or printer.

"Approved devices should be properly marked and labeled," Bryan said. "Unclassified devices must be marked with SF-710, SF-711, and a label stating the device must be scanned for viruses before use."

For more information, call the unit information assurance officer.