[ISN] Justice IG report: Protect laptop data

InfoSec News isn at c4i.org
Tue Oct 11 00:02:41 EDT 2005


http://www.fcw.com/article91061-10-10-05-Web

By Michael Arnone
Oct. 10, 2005 

Justice Department field agents and analysts are keeping classified 
information secure by using their wits and their training - and by 
carrying two laptop computers each. One is strictly for processing 
classified data. The other is for handling unclassified data and using 
unclassified applications, such as word processors and Web browsers. 

Justice employees use the decades-old setup to prevent the accidental 
shift of classified information to an unclassified environment or the 
Internet. It works, but it's bulky and inconvenient. 

Justice's Office of the Inspector General investigated how the 
department uses laptops to process classified information. At the 
suggestion of the department's information technology and security 
staff, the IG also evaluated governmentwide policy on IT security 
certification for all computer systems.

Justice increasingly relies on laptops to process classified 
information. But the department's rules governing those resources do 
not encourage "innovative practices to improve the use of portable 
computers for processing classified information while adequately 
safeguarding classified information," the IG's office concluded in a 
July report.

The report states that Justice's chief information officer should 
alter Standard 1.6, which dictates the departmentwide IT security 
management controls for all desktop and laptop computers that handle 
classified information. The IG said the rules should allow the 
creation of new, accredited computer configurations that permit the 
introduction of security-enhancing safeguards. 

Some of the recommendations the report suggests aren't new, such as 
encrypting data and limiting the data kept on classified hard drives. 
But others would be new for Justice, including the use of small 
removable hard drives.

"The use of removable hard drives that can process both unclassified 
and classified information in the same computer shell is an area that 
the department should consider," the report states. Justice should 
consider authorizing the use of removable hard drives and developing 
appropriate security policies for them, it adds.

Justice organizations are open to the idea of using removable hard 
drives, but some worry that employees might not always follow security 
procedures. IT security experts don't agree on whether the 
recommendations would help or damage the security of Justice's 
classified information. 


A pocket-sized solution

The policy recommendation on removable hard drives is the IG's 
principal improvement to Justice's management of classified 
information on laptops. Measuring roughly 2 inches by 3 inches, each 
drive weighs about 2 ounces and fits into the Type II PC card slots 
found on most laptops. 

Justice's IG consulted the CIA, the National Security Agency, the 
Defense Department's National Reconnaissance Office and the Energy 
Department about their policies on removable hard drives. The first 
three agencies use laptops with two removable hard drives, one each 
for classified and unclassified information. 

NSA officials told the IG's office that a computer's shell does not 
retain data once users remove the hard drive, adding that no data 
remains in the computer's RAM when users turn the machine off. Thus, 
Standard 1.6 should state that the shell of the computer becomes 
unclassified when someone removes the classified hard drive, according 
to the report. 

In addition to halving the number of laptops that Justice employees 
must carry to handle classified information, removable hard drives 
would provide a number of benefits, the report states. For example, 
storing classified data would be easier. 

Justice policies require computers that handle classified data to be 
double-wrapped in paper to show tampering, the report states. Users 
must unhook all peripheral devices and place the computer in a 
specially designed, secure container when they are not using the 
computers. All devices that could possibly store classified 
information must have warning labels on them stating so.

If the department used removable hard drives, only the drives would 
have to be double-wrapped instead of the whole laptop. That 
arrangement would improve security, the IG's office said, because the 
small drives are easier to secure and are less conspicuous than 
textbook-sized laptops.

Removable hard drives would also save Justice money because the drives 
are cheaper than new computers, according to the report. The IG's 
office shopped for 5GB drives and found at least two manufacturers that 
sell models for less than $200. The drives could hold a multiuser 
operating system, application software and 4.1GB of data storage. 

For roughly $400 per user, the report states, "this computer 
configuration would allow both unclassified and classified information 
processing on the same computer." 


Mixed opinions 

The IG's office asked three Justice organizations — the Drug Enforcement 
Administration, the FBI and the Executive Office for U.S. Attorneys 
(EOUSA) — whether they authorize their employees to use separate hard 
drives, and if not, whether they would consider doing so. 

None of those agencies authorizes the use of removable hard drives, 
the report states. The FBI said the idea has merit, but it would have 
to evaluate the specifics through the certification and accreditation 
process. EOUSA expressed interest in pursuing the idea as long as 
employees understood the security requirements. The DEA had a mixed 
reaction, saying that the idea could save money, but the risk of 
failing to switch hard drives when necessary could outweigh those 
benefits. 

Paul Martin, Justice's deputy IG, said the report speaks for itself 
and declined to comment.

IT security experts have mixed opinions about the IG's 
recommendations. Bruce Schneier, chief technology officer at 
Counterpane Internet Security, said the report was well-conceived. He 
liked the idea of removable hard drives and the suggestion to install 
tracking devices in laptops to help find lost and stolen computers.

Peter Lindstrom, research director at Spire Security, had more 
reservations about the report's implications. "I don't see a clear 
positive or negative impact on security at all, but it seems to have a 
pretty positive impact on costs - and on [Justice employees'] 
shoulders as well because they only have to carry one laptop," he 
said.

Schneier and Lindstrom said they were amazed that Justice had not 
already made such changes. Lindstrom said he was disappointed that 
Justice didn't think of the idea on its own.

The department is starting to understand that its employees need to do 
both classified and unclassified work on their computers, Schneier 
said. But if those recommendations are an improvement, he added, "it 
must be an absolute mess out there."


Frying pan to fire?

Lindstrom and Schneier disagree on whether removable hard drives 
present a definite security improvement or add as many problems as 
they solve. 

Because it's so easy to make a mistake, "maintaining two sets of 
policies, switching back and forth, is a losing proposition over 
time," Lindstrom said. "I'm not sure that a user in the normal course 
of business would shift back and forth between their behavior around 
classified and unclassified information. You're better off configuring 
the system to force that behavior." 

Schneier disagreed, saying a hardware solution is the best solution 
because hardware is more reliably secure than software. That's why 
Justice's current system of securing and storing classified 
information has worked so well for decades, he said. 

"The best way to make sure classified information doesn't get taken 
out of the building is not to take it out of the building" and keep it 
locked in a safe when not in use, Schneier said.

Schneier said running two removable hard drives with separate 
operating systems and applications on the same computer shell is a 
great idea, especially if Justice follows the IG's suggestion to bar 
access to unclassified information and the Internet while the 
classified drive is in use. 

"That's the best separation you can do," Schneier said. "You might as 
well share a screen, keyboard and CPU." 

Schneier said he wondered whether laptops enabled for such 
configurations are available and how much they cost. He could see 
Justice's proposed practices spreading to DOD and other countries.

On the other hand, Lindstrom isn't sold on the idea of two hard 
drives. To make the system work, Justice would presumably have to buy 
laptops that don't have hard drives, he said. That would force users 
to use the security settings on each removable drive. But if the 
removable drives supplemented the laptop's drive, users could 
accidentally transfer classified information to the unprotected drive, 
he said. 

"As soon as you mount drives at the same time, the fact that they are 
physical devices doesn't matter anymore" because the two are logically 
connected, Lindstrom said. That gives attackers ways to crack the 
unclassified applications to access the classified drive. 

Logical security is the best way to protect data, Lindstrom said. 
Justice could encrypt all data and set up a host intrusion-prevention 
system and digital rights management system, he said. Instead of 
worrying about where to put data, the department should protect its 
data regardless of its location, Lindstrom said. 

By using only one hard drive with adequate security protections, 
Lindstrom said, Justice could potentially save even more money by not 
implementing the IG's recommendations.

[1] http://www.usdoj.gov/oig/reports/plus/a0532/final.pdf


-=-


8 ways to improve security 

The Justice Department's inspector general has suggested the following 
eight changes for improving the security of laptop PCs that process 
classified information.

1. Alter Standard 1.6 - the departmentwide security management 
   controls for all desktop and laptop machines that store, process or 
   transmit national security information - to allow the creation of 
   new accredited computer configurations that permit the introduction 
   of security-enhancing safeguards.

2. Consider using removable hard drives and define them as 
   classifiable devices rather than the computer shell on which users 
   process data. Justice should create appropriate security policies 
   for them. 

3. Modify user profiles to forbid access to unclassified hard drives 
   and the Internet when using a classified drive. 

4. Change Standard 1.6 to support mandatory encryption of classified 
   data. 

5. Keep only a minimal amount of classified data on hard drives, in 
   accordance with National Security Agency practices. 

6. Develop a warning system to alert systems administrators if a 
   computer processing classified information connects to the 
   Internet.

7. Install tracking devices in laptop PCs to more easily locate lost 
   or stolen computers. 

8. Create new labels for computers that process both classified and 
   unclassified data.

- Michael Arnone
