Taking Heed to NSA's Assumption on Security Breaches Is Sound First Step

By Wayne Rash  |  Posted 2010-12-17

Taking Heed to NSA's Assumption on Security Breaches Is Sound First Step

When Deborah Plunkett, the head of the National Security Agency's Information Assurance Directorate, said at a security conference that systems must be built with the assumption that adversaries will get in, her statement wasn't exactly a revelation. True security is multilayered, and it's designed from the top down to assume that there will be breaches. The goal is to minimize those breaches and to figure out who is doing them and where they're coming from. 

A failure to compartmentalize highly sensitive information led directly to the current WikiLeaks scandal that has embarrassed the U.S. State Department and the U.S. Army. PFC Bradley Manning was able to gain access to the sensitive State Department messages because the entire secure messaging system was open to anyone who could gain physical access to the secure network. No attempt was made to limit access by individuals to what they actually needed to do their jobs. It was just an open bucket of secrets waiting to be harvested. 

Now, I'm pretty sure that the NSA doesn't have any Bradley Mannings around waiting to copy some more secrets onto their Lady Gaga CD. But the point that Ms. Plunkett was making is that you have to be prepared for the eventuality that there could be someone that has been given access to a secure system that should not have such access. 

Even in a system with intrusion prevention and good security monitoring, it's unlikely that Manning would have been detected while he copied those messages. He was, after all, an authorized user. And the military and the State Department were trying an information sharing process that was designed to allow access to important information without requiring that there be a formal request process-something that could take weeks, given the normal speed of the federal government. 

In the case of the information sharing effort, the biggest mistake the State Department made was in allowing anyone with the proper security clearance to have access to the information. But this is likely one of the problems that Plunkett was referring to when she said that you have to assume that your security will be breached. Once you assume that this is the case, you have to design your security so that just because you've breached the network, that doesn't mean you're achieved access to anything except one set of limited data.

To make this work, you have to compartmentalize your network security system. Each user who requests access to a particular section of a secure system must be cleared for that specific system. In the case of PFC Manning, there was no rational reason for him to have access to messages regarding Russia, for example. He was at a forward operating base in Iraq. 

The Price of Security Is Constant Vigilance


You have to assume that portions of your computing environment aren't safe, as Plunkett says. This means that your Windows computers have the same vulnerabilities as other Windows computers. Although you can be sure that the Windows machines at the NSA are a LOT more locked down than the machine on your desk, there is still an element of risk-that unknown vulnerability that first shows up when someone uses it to gain access to the NSA. 

Since you can't completely trust your infrastructure, what do you do? You make the infrastructure as safe as you can and then you use multiple technologies to keep any breach contained. You also track every access or attempted access to sensitive data so you can go back and reconstruct the breach if it happens. To do this, you need all of those old standbys-encryption, active security management, audits and the like. They may be old technology, but they can still work. 

In reality, most companies with sensitive information should be making these same assumptions. If you have customer credit card numbers, for example, you need to have them stored somewhere else besides your public-facing Web server. If you have your accounting data or medical information or anything else that might be of value to your competition or to someone who can sell what you have, then you can't just assume that you're secure. You need to have the access controls, the vulnerability testing and all of the other security tools you can find. 

And then you need to be vigilant. If PFC Manning's supervisors had decided to check on what he was doing with a CD in a secure computer (which isn't supposed to have a removable media drive), they would have short circuited that data breach. While your data may not be as sensational as those State Department messages, I'd be willing to speculate that your information is a lot more important to you. While WikiLeaks may be interesting to watch on the news, seeing a news story that your company has just lost 50,000 credit card numbers will certainly seize your attention-it could mean the survival of your business.

So the bottom line is to pay close attention to Plunkett's assertion that your systems are probably not secure, and find a way to adjust your way of doing business so that an intruder doesn't cost you everything.

Rocket Fuel