BreachExchange mailing list archives

Breach at Naval Intelligence Signals Glaring Weakness in Cyber Security and Data Management


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 13 Dec 2012 13:32:29 -0500

http://www.canadafreepress.com/index.php/article/51719

Over the past few weeks, news of a treasonous security breach at Naval
Intelligence has dominated the headlines.  In case you missed it -
Canadian Navy intelligence officer, Sub-Lt. Jeffrey Paul Delisle,
pleaded guilty last month to passing classified information to Russia.

Once again, we are witness to the inherent weakness in the federal
government’s policies for securing its most precious resource:
information.

The largest threat we face today is from a cyber attack or security
breach that results in highly classified information ending up in the
wrong hands. And as disturbing as Delisle’s actions are, equally
troubling is the subsequent confusion on the handling of classified
documents.

CBC News reported, “that electronic records detailing the planned
overhaul of Canadian naval intelligence — created when admitted
Russian spy Jeffrey Delisle was at the height of his treachery — were
deleted from a National Defence database.  But when the news agency
asked why both the electronic and paper copies had been expunged, and
whether that violated access-to-information law, the Navy eventually
reversed itself and claimed some copies of the presentations had
survived in email accounts of officers serving overseas.”

This latest incident not only represents the inherent dangers of
current security and identity management policies, but also the
technological inadequacy of the tools being used for data protection.
And make no mistake, as more organizations – both government and
private enterprise – store their data in digital files, cyber attacks
will become increasingly frequent and sophisticated in how they gain
access to those files.

The severity of this intelligence lapse forces us to wonder what it’s
going to take for government agencies to prohibit data and information
from being downloaded to any external laptop, tablet or encrypted USB
memory stick where it’s vulnerable and unprotected by the security
tools invested in and deployed behind the enterprise’s network
perimeter.

I believe that the core elements of digital security risk focus on two
primary issues:

1. Are you properly authenticating a person? If you aren’t, how do you
   know that the right person was given access/entitlements to the
   digital assets; and
2. Are you in control of the digital asset? If data goes beyond the
   organization’s firewall, how do you ensure its integrity, and further,
   if you open up windows for the data to move outside of the firewall,
   are you creating additional vulnerabilities to your “fortress” for
   viruses/malware/cyber attacks?

The technologies presently used by a majority of government bodies are
antiquated and do not reflect the evolution of today’s global
environment. The rise in mobile computing and remote access to
“secure” files has become the genesis for an alarming number of cyber
attacks.

One Commonly Used Approach and Its Consequences

One commonly used approach to deliver remote access functionality is
to combine two separate offerings together - a one-time password
(“OTP”) token with a virtual private network (“VPN”).  This approach
addresses the need for remote access but fails to provide the
necessary security.

OTP tokens offer a two-step authentication process and have generally
been considered to be relatively secure; however, that perception is
now being widely questioned.  In March 2011, RSA (a provider of OTP
tokens) disclosed an attack on its systems which resulted in
information related to its SecurID being compromised, and which could
potentially allow the attackers to gain access as if they were in
possession of the tokens.  Further in June 2012, a research report was
published which highlighted additional vulnerabilities with the
SecurID and other OTP tokens and smartcard implementations, entitled
“Efficient Padding Oracle Attacks on Cryptographic Hardware”.

A VPN solution provides network access to a remote PC through software
previously downloaded onto that PC.  If unauthorized access is gained
to the computer, or if the computer is lost or stolen, the network
then becomes an easy target for cyber attacks.  Because data and other
network information are transmitted beyond enterprise firewalls
through the Internet, man-in-the-middle and malware attacks are also
possible.

VPN solutions require hardware, software and IT resources to deploy
and maintain.  The cost and complexity can be significant.  Because
these solutions offer only single-factor authentication, many
organizations add OTP tokens to create two-factor authentication,
creating further cost and complexity for them and their users.

For any remote access technology to be effective, it must operate on
the principle of assuring the identity of an individual, not a PC,
tablet, smartphone or other computing apparatus.

Using technology that supports proper data entitlement policies is the
most powerful way to mitigate risks.  And only by requiring all data
and internal files remain within an organization’s confines can we
protect against unauthorized access.

We must hope for a universal paradigm shift in how the Armed Forces
and other branches of government address cyber security going forward.
Identity management, multi-factor authentication and data entitlement
must be the foundation of any future efforts.

Policy alone is NOT enough. Without the proper technology, the
strictest of security protocols are nothing more than unenforceable
guidelines.

There can be no ambiguity; nothing less than our national security is at stake.

Tony Busseri is CEO of Route1, a security and identity management
company. Route1 solutions empower organizations, such as the Office of
the Privacy Commissioner of Canada, the U.S. Department of Defense and
Department of Homeland Security, with the tools to ensure secure
remote user access, identity assurance and multifactor authentication,
as well as to maintain the integrity of their critical data.

Items of note and interest from the web.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
