Breach at Naval Intelligence Signals Glaring Weakness in Cyber Security and Data Management
Over the past few weeks, news of a treasonous security breach at Naval Intelligence has dominated the headlines. In case you missed it: Canadian Navy intelligence officer Sub-Lt. Jeffrey Paul Delisle pleaded guilty last month to passing classified information to Russia.
Once again, we are witness to the inherent weakness in the federal government’s policies for securing its most precious resource: information.
The largest threat we face today is from a cyber attack or security breach that results in highly classified information ending up in the wrong hands. And as disturbing as Delisle’s actions are, equally troubling is the subsequent confusion on the handling of classified documents.
CBC News reported, “that electronic records detailing the planned overhaul of Canadian naval intelligence — created when admitted Russian spy Jeffrey Delisle was at the height of his treachery — were deleted from a National Defence database. But when the news agency asked why both the electronic and paper copies had been expunged, and whether that violated access-to-information law, the Navy eventually reversed itself and claimed some copies of the presentations had survived in email accounts of officers serving overseas.”
This latest incident not only represents the inherent dangers of current security and identity management policies, but also the technological inadequacy of the tools being used for data protection. And make no mistake, as more organizations – both government and private enterprise – store their data in digital files, cyber attacks will become increasingly frequent and sophisticated in how they gain access to those files.
The severity of this intelligence lapse forces us to wonder what it’s going to take for government agencies to prohibit data and information from being downloaded to any external laptop, tablet or encrypted USB memory stick, where it’s vulnerable and unprotected by the security tools invested in and deployed behind the enterprise’s network perimeter.
I believe that the core elements of digital security risk focus on two primary issues:
- Are you properly authenticating a person? If you aren’t, how do you know that the right person was given access/entitlements to the digital assets; and
- Are you in control of the digital asset? If data goes beyond the organization’s firewall, how do you ensure its integrity? And further, if you open up windows for data to move outside the firewall, are you creating additional vulnerabilities in your “fortress” to viruses, malware and cyber attacks?
The technologies presently used by a majority of government bodies are antiquated and do not reflect the evolution of today’s global environment. The rise in mobile computing and remote access to “secure” files has become the genesis for an alarming number of cyber attacks.
One Commonly Used Approach and Its Consequences
One commonly used approach to deliver remote access functionality is to combine two separate offerings: a one-time password (“OTP”) token with a virtual private network (“VPN”). This approach addresses the need for remote access but fails to provide the necessary security.
OTP tokens offer a two-step authentication process and have generally been considered relatively secure; however, that perception is now being widely questioned. In March 2011, RSA (a provider of OTP tokens) disclosed an attack on its systems which resulted in information related to its SecurID being compromised, and which could potentially allow the attackers to gain access as if they were in possession of the tokens. Further, in June 2012, a research report entitled “Efficient Padding Oracle Attacks on Cryptographic Hardware” was published which highlighted additional vulnerabilities in the SecurID and other OTP token and smartcard implementations.
A VPN solution provides network access to a remote PC through software previously downloaded onto that PC. If unauthorized access is gained to the computer, or if the computer is lost or stolen, the network then becomes an easy target for cyber attacks. Because data and other network information are transmitted beyond enterprise firewalls through the Internet, man-in-the-middle and malware attacks are also possible.
VPN solutions require hardware, software and IT resources to deploy and maintain. The cost and complexity can be significant. Because these solutions offer only single-factor authentication, many organizations add OTP tokens to create two-factor authentication, creating further cost and complexity for them and their users.
For any remote access technology to be effective, it must operate on the principle of assuring the identity of an individual, not a PC, tablet, smartphone or other computing apparatus.
Using technology that supports proper data entitlement policies is the most powerful way to mitigate risks. And only by requiring that all data and internal files remain within an organization’s confines can we protect against unauthorized access.
We must hope for a universal paradigm shift in how the Armed Forces and other branches of government address cyber security going forward. Identity management, multi-factor authentication and data entitlement must be the foundation of any future efforts.
Policy alone is NOT enough. Without the proper technology, the strictest of security protocols are nothing more than unenforceable guidelines.
There can be no ambiguity; nothing less than our national security is at stake.
Tony Busseri is CEO of Route1, a security and identity management company. Route1 solutions empower organizations, such as the Office of the Privacy Commissioner of Canada, the U.S. Department of Defense and Department of Homeland Security, with the tools to ensure secure remote user access, identity assurance and multifactor authentication, as well as to maintain the integrity of their critical data.