Removable Storage and External Connections STIG Version Comparison
Removable Storage and External Connections Security Technical Implementation Guide
Comparison
There are 5 differences between versions v1 r5 (April 28, 2017) (the "left" version) and v1 r7 (Oct. 27, 2017) (the "right" version).
Check STO-DRV-010 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
The regular view of the left check and right check may be easier to read.
Text Differences
Title
Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase.
Check Content
Interview Further policy details: In accordance with the DoD data-at-rest (DAR) policy, access control is required to protect data not approved for public release. The DoD Enterprise Software Initiative (ESI) blanket purchase agreements program requires all products support encryption and a FIPS 140-2 password, PIN, or passphrase. Access control can be implemented using either software or hardware. The recommended best practice is to purchase devices that include built-in security features, including on-board or hardware encryption, password management, key management, and malware protection. Several manufacturers offer drives with these features. A USB thumb drive security vulnerability was discovered by a German company that describes a security flaw that allows an attacker to use a very simple software tool that can unlock any of the affected hardware-encrypted storage devices and bypass the access control system. This exploit worked on several thumb drive models that were FIPS 140-2 validated. Thus, it is imperative that organizations use thumb drives which are on the DAR contract. The following DoD policies apply to access control solutions for all USB storage devices. - Use of password or PIN to access the encrypted storage device. Certificate-based authentication can be used but is not madated. - For devices with on-board access control and encryption features, the system administrator will configure these security features prior to issuance. Default PINs and passwords will be changed prior to use. - Password and/or key management procedures will be established for systems storing mission-critical information. Check procedure: Interview the site representative and perform the following procedures. 1. Inspect a sampling of the different types of USB storage devices used. 2. used. 2. Verify that a password or PIN is required to gain access to the data stored on the USB device by attempting access. Mark access. If as a password, finding if a PIN PIN, or password passphrase are not set. required to gain access to the data stored on the USB device, this is a finding.
Discussion
If USB media and devices are not protected by strong access control techniques, unauthorized access may put sensitive data at risk. Data-at-rest encryption products will be configured to require a user-chosen PIN prior to unencrypting the drive. Users must choose a strong PIN. Implementation of access control on persistent memory devices helps to ensure that sensitive information is accessed only by authorized and authenticated individuals. individuals. Further policy details: In accordance with the DoD data-at-rest (DAR) policy, access control is required to protect data not approved for public release. The DoD Enterprise Software Initiative (ESI) blanket purchase agreements program requires all products support encryption and a FIPS 140-2 password, PIN, or passphrase. Access control can be implemented using either software or hardware. The recommended best practice is to purchase devices that include built-in security features, including on-board or hardware encryption, password management, key management, and malware protection. Several manufacturers offer drives with these features. A USB thumb drive security vulnerability was discovered by a German company that describes a security flaw that allows an attacker to use a very simple software tool that can unlock any of the affected hardware-encrypted storage devices and bypass the access control system. This exploit worked on several thumb drive models that were FIPS 140-2 validated. The following DoD policies apply to access control solutions for all USB storage devices. - Use of password or PIN to access the encrypted storage device. Certificate-based authentication can be used but is not mandated. - For devices with on-board access control and encryption features, the system administrator will configure these security features prior to issuance. Default PINs and passwords will be changed prior to use. - Password and/or key management procedures will be established for systems storing mission-critical information.
Fix
Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase.