DND IT takes a great leap forward
- Thread starter AmmoTech90
- Start date
- Reaction score
- 0
- Points
- 210
Let's be clear here, no personal USB sticks are permitted on DND networks, no matter how "well scrubbed" they are.
The reason for this is simple, DND is not so much concerned with things getting on its networks, but they are much more concerned with things getting off the network.
This is why can always use things on a higher level network, you just can't ever use it on a lower level network.
Any help desk that says otherwise is misinformed.
The reason for this is simple, DND is not so much concerned with things getting on its networks, but they are much more concerned with things getting off the network.
This is why can always use things on a higher level network, you just can't ever use it on a lower level network.
Any help desk that says otherwise is misinformed.
So Rado,
Are you indirectly stating that no DND USB stick can be used on a non-DND computer? Otherwise it would be just as easy to take things off the network on DND USB and then transfer to civilian computer. If this is the case how do people work at home on PERs?
Are you indirectly stating that no DND USB stick can be used on a non-DND computer? Otherwise it would be just as easy to take things off the network on DND USB and then transfer to civilian computer. If this is the case how do people work at home on PERs?
- Reaction score
- 2,849
- Points
- 940
Help Desk speaks only to Monitor MASS.....and he's never misinformed; he is Zuul -- bureaucratic demigod and minion ofRADOPSIGOPACISSOP said:
- Reaction score
- 0
- Points
- 210
Simian Turner said:
DND USB sticks are not supposed to be used on non-DND machines. Any time that a DND USB stick was used on a non-DWAN computer it needs to be scrubbed. For PERs we loaned out standalone laptops for pers that didn't have a DVPNI laptop issued. Failing that, the advice was to used e-mail to send draft text, provided that it was appropriately scrubbed of all personal identifying information as per the CFPAS guidelines.
- Reaction score
- 6,079
- Points
- 1,160
D3 said:
Rightly or wrongly, once again, this type of policy works only for those that spend all their time in some cubicle somewhere or someone, usually a siggie, that has all kinds of access to spare IT equipment.
Most people in the CAF don't inhabit cubicles, many have no choice but to take their work home and do it there.
Then there's the Reserves, who also have to produce PER and PDRs. Ever try borrow a laptop from a Reserve unit?
Or attempt to do all your PERs on a shared desktop that takes 45 minutes on a three hour parade night to change user profiles?Rightly or wrongly, people have to use workarounds in order to do a simple aspect of their job.
I'm not defending breaking the rules, I'm saying in a lot of cases, there's no other choice and remain proficient.
- Reaction score
- 27,506
- Points
- 1,090
D3 said:
unfortunately, the overwhelming majority of Reserve units have nowhere near enough computers for this to work. Sending draft text by email assumes regular access to a DWAN computer, which doesn't happen. So the COAs get built on "Which instruction am I going to ignore - IT security, or production of PERs?"
- Reaction score
- 0
- Points
- 210
Scrubbers are the old school name they are now known as Trusted Transfer Stations (TTS) (or at least this week they are) to take work home the proper way according to our Base ISSO is to;
transfer file on DWAN system to appropriate issued DWAN USB stick
transfer file on DWAN USB stick to file (desktop) of the TTS
scan file using updated AV software on the TTS
transfer file from TTS to personal USB stick
take file home work on return to work
transfer file from personal USB stick to file (desktop) of the TTS
scan with updated AV software on the TTS
transfer file from TTS to the appropriate DWAN USB stick
transfer file from the DWAN USB stick to the DWAN system
ensure that any files being transferred do not remain on the TTS by cut and paste vice copy and paste
As the TTS is not connected to any network, AV on the TTS is kept updated by local user, IT Rep or local tech, scanning software update file is usually obtained from local IT personnel or on a shared drive from the DWAN system using burnt CD or DWAN USB stick.
Use of unauthorized USB sticks on DWAN systems can result in locking of the user account.
transfer file on DWAN system to appropriate issued DWAN USB stick
transfer file on DWAN USB stick to file (desktop) of the TTS
scan file using updated AV software on the TTS
transfer file from TTS to personal USB stick
take file home work on return to work
transfer file from personal USB stick to file (desktop) of the TTS
scan with updated AV software on the TTS
transfer file from TTS to the appropriate DWAN USB stick
transfer file from the DWAN USB stick to the DWAN system
ensure that any files being transferred do not remain on the TTS by cut and paste vice copy and paste
As the TTS is not connected to any network, AV on the TTS is kept updated by local user, IT Rep or local tech, scanning software update file is usually obtained from local IT personnel or on a shared drive from the DWAN system using burnt CD or DWAN USB stick.
Use of unauthorized USB sticks on DWAN systems can result in locking of the user account.
- Reaction score
- 3
- Points
- 430
I think that someone needs to go back in time and kick Bill Gates in the nuts.
Maybe even go back earlier than that and find Mr. Turing and explain the realities of 21st century computing.
Technology will be the downfall of civilization. The Luddites will rule.
Maybe even go back earlier than that and find Mr. Turing and explain the realities of 21st century computing.
Technology will be the downfall of civilization. The Luddites will rule.
- Reaction score
- 3
- Points
- 410
Yup, I'd have to agree with Gizmo 421.
Whether it is an issued stick or a personal stick, once it has been used on a "non-DWAN" system, it must be scanned or processed through the "stand-alone" system or TTS, prior to going on to any "live" DWAN.
And they use "sniffers", so keep it strictly to work related issues!
Whether it is an issued stick or a personal stick, once it has been used on a "non-DWAN" system, it must be scanned or processed through the "stand-alone" system or TTS, prior to going on to any "live" DWAN.
And they use "sniffers", so keep it strictly to work related issues!
- Reaction score
- 27,506
- Points
- 1,090
Bill Gates is not the problem.
DND's IT infrastrucutre, designed for people with regular access to said infrastructure, is the problem.
Most Army reserve units are lucky to have a 10:1 ratio of pers to computers; and all need access at the same time. That math doesn't work (especially when a simple user change can take over half an hour - can't run many people through when you've got a 4 hour window available), and results in people using work arounds that the IT security gods abhor, but meet the operational requirement.
Thus, yes, I've seen USB sticks moved between DND and non-DND systems. And documents sent out to non @forces.gc.ca email addresses. And any other number of actions taken to keep the machine creaking away because the IM/IT rules were drafted without any understanding of the user situation and reality.
DND's IT infrastrucutre, designed for people with regular access to said infrastructure, is the problem.
Most Army reserve units are lucky to have a 10:1 ratio of pers to computers; and all need access at the same time. That math doesn't work (especially when a simple user change can take over half an hour - can't run many people through when you've got a 4 hour window available), and results in people using work arounds that the IT security gods abhor, but meet the operational requirement.
Thus, yes, I've seen USB sticks moved between DND and non-DND systems. And documents sent out to non @forces.gc.ca email addresses. And any other number of actions taken to keep the machine creaking away because the IM/IT rules were drafted without any understanding of the user situation and reality.
Eye In The Sky
Army.ca Legend
- Reaction score
- 3,780
- Points
- 1,160
RADOPSIGOPACISSOP said:
Groovy. What about the "burn it to a CD" stuff. This "lock down USB sticks!" stuff is like locking your door while leaving the front window wide open.
I am not even sure what that first part means ???
George Wallace
Army.ca Dinosaur
- Reaction score
- 184
- Points
- 710
Eye In The Sky said:
It means that if you use it on a Secure Network, you can no longer use it on DWAN or any other unsecure Intranet or Internet.
- Reaction score
- 1,724
- Points
- 1,140
USB keys are a very efficient way for viruses and malware to spread themselve on a network. It's not about DWAN material finding its way to non-DWAN computers. The protection and handling of the information is the responsibility of the users.
I try to avoid USB keys as much as possible. For unprotected/unclassified files, I'll either email them to a civy account or burn them to a CD. Not as much chance of introducing viruses this way.
I try to avoid USB keys as much as possible. For unprotected/unclassified files, I'll either email them to a civy account or burn them to a CD. Not as much chance of introducing viruses this way.
- Reaction score
- 35
- Points
- 560
Of course this problem had been recognized and solved by at least 2004 or 05 that I know of.
There are a multitude of programs out there now that can "white list/black list" equipment that accesses the USB ports of your computer. A fresh, issue memory stick can even be "stamped" with a serial number and "hashed" so it can always be identified on the system, and also becomes encrypted so no other system can read it (go ahead, take it home....). Black listed equipment will simply be rejected by the system you try to access (and of course warnings and alerts can be sent to the network administrator as well).
But that would be a pretty simple and straightforward fix for a security problem....
There are a multitude of programs out there now that can "white list/black list" equipment that accesses the USB ports of your computer. A fresh, issue memory stick can even be "stamped" with a serial number and "hashed" so it can always be identified on the system, and also becomes encrypted so no other system can read it (go ahead, take it home....). Black listed equipment will simply be rejected by the system you try to access (and of course warnings and alerts can be sent to the network administrator as well).
But that would be a pretty simple and straightforward fix for a security problem....
Eye In The Sky
Army.ca Legend
- Reaction score
- 3,780
- Points
- 1,160
George Wallace said:
Ahhhh, so much easier to understand in one of our official languages! ;D
Colin Parkinson
Army.ca Myth
- Reaction score
- 11,929
- Points
- 1,160
George Wallace said:
I actually found E-vault a useful tool, if you have not accessed an e-mail within 2 years it gets deleted, a fair balance. Now that they have E-vault running nicely, they are going to do away with it.
