For starters, the concept of islands of security needs to be implemented. Where possible, different
segments of an organization and different systems should not be connected, and should be treated
independently. For example, the marketing and sales database should be on a different
computer than the financial database. A different login would be required for each database, and
system administrator responsibilities should be given to different individuals within
the organization. When the two systems need to communicate with each other, they both should
require separate accounts, and the data exchanged between them should be encrypted.

Separating the duties of IT professionals is needed. No longer should the Chief Security Officer
(CSO) report to the Chief Information Officer (CIO); that arrangement gives the CIO and many of her
subordinates overlapping and controlling responsibilities. Having both officers report directly to the
Chief Executive Officer (CEO) reduces the risk of this weakness being exploited.

Senior managers need to set a policy to disallow unauthorized copying of data. Mobile phones,
cameras, USB devices, CDs and DVDs should be prohibited from entering or leaving
the site. To enforce this, all access points should use metal detectors, and radio frequencies
should be monitored; these are not expensive techniques.

Two-factor authentication should be implemented. In addition to a user name and password, a
biometric technology should be used. Biometric technology recognizes the identity of a person
using a behavioral or physical characteristic – fingerprint, palm print, iris pattern. If this were in
place, Snowden would not have been able to disguise his identity as a person with a higher
clearance.

Two-person authorization should be required for high-level system administrator tasks. It is more
difficult to commit a crime if more than one person is involved. This is in place in several
industries today. Some banks require two signatures for checks over $5,000; armored car
services require two people.
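The two-person rule described above can be enforced in software as well as on paper. The following is an added example, not code from the article: a small gate that refuses to run a privileged task until two distinct, qualified approvers have signed off, and never counts the requester as one of them. The role table, the task and approval types, and the names used are all constructed for illustration.

```python
"""Two-person authorization gate for privileged administrative tasks.

Added example (not from the article). The role table, the `PrivilegedTask`
and `Approval` types and the user names are assumptions made up for
illustration; a real deployment would read roles from its identity provider.
"""
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed role table: which roles each person holds.
ADMIN_ROLES = {
    "alice": {"sysadmin"},
    "bob": {"sysadmin"},
    "carol": {"dba"},
    "dave": {"helpdesk"},
}


class AuthorizationError(Exception):
    """Raised when an approval or an execution attempt violates the two-person rule."""


@dataclass
class Approval:
    approver: str
    task_id: str


@dataclass
class PrivilegedTask:
    task_id: str
    description: str
    required_role: str          # role an approver must hold for this task
    approvals: List[Approval] = field(default_factory=list)


def record_approval(task: PrivilegedTask, approver: str) -> None:
    """Record one approval, refusing unqualified approvers and duplicate approvals."""
    if task.required_role not in ADMIN_ROLES.get(approver, set()):
        raise AuthorizationError(f"{approver} lacks role {task.required_role!r}")
    if any(a.approver == approver for a in task.approvals):
        raise AuthorizationError(f"{approver} has already approved {task.task_id}")
    task.approvals.append(Approval(approver, task.task_id))


def is_authorized(task: PrivilegedTask, requester: str) -> bool:
    """True only when two distinct qualified approvers exist, excluding the requester.

    The requester is removed from the approver set so that a single
    administrator cannot both request a task and supply one of its approvals.
    """
    approvers = {a.approver for a in task.approvals}
    approvers.discard(requester)
    return len(approvers) >= 2


def execute(task: PrivilegedTask, requester: str, action: Callable[[], object]) -> object:
    """Run `action` only if the two-person rule is satisfied for `requester`."""
    if not is_authorized(task, requester):
        raise AuthorizationError(
            f"{task.task_id} ({task.description}) needs two approvals other than {requester}"
        )
    return action()


if __name__ == "__main__":
    t = PrivilegedTask("T-1", "rotate root signing key", "sysadmin")
    record_approval(t, "alice")
    record_approval(t, "bob")
    print(execute(t, "eve", lambda: "key rotated"))
```

The check that matters most is the `discard(requester)` line: without it, an administrator who is also an approver could request a task and count their own approval toward the pair, which defeats the purpose of the rule.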

The number of privileged accounts should be limited and routinely reviewed. Often,
organizations have too many insiders with more system rights than needed. It was discovered
in 2010 that Bradley Manning, a private in the US Army stationed in Iraq, had nearly unlimited
access to numerous databases. Manning copied and leaked sensitive information (videos of
helicopter and air strikes, over 250,000 US diplomatic cables, and 500,000 army reports) to
WikiLeaks, a whistleblower web site. Many wonder why a soldier with the rank of private had a
privileged account.

User events should be monitored and recorded. If a user is spending an unusually long time in
certain databases or logs in at unusual hours, alerts should be sent. If a user is copying an
unusual amount of data, an alert should be sent to senior management. Open source programs
such as Logcheck and Logwatch could have been used to help thwart the attack on Target that
cost it 40 million records. Open source programs are free and allow users to run the program as it is or
customize it.
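The two alert conditions named above (logins at unusual hours and exports of an unusual volume of data) can be expressed as a small rule set run over the audit log. The following is an added example, not code from the article and not part of Logcheck or Logwatch: it parses constructed key=value log lines, flags logins outside an assumed business-hours window, and flags an export that is far above the user's own past average. The log format, the hours window, the thresholds and the sample lines are all assumptions chosen for illustration.

```python
"""Insider-activity alerting over constructed authentication and export logs.

Added example (not from the article, not Logcheck or Logwatch code). The
log format, BUSINESS_HOURS, VOLUME_FACTOR, MIN_HISTORY and SAMPLE_LOG are
assumptions made up for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")
BUSINESS_HOURS = range(8, 18)   # assumed: 08:00-17:59 local time is normal
VOLUME_FACTOR = 5.0             # assumed: alert when export > 5x the user's past average
MIN_HISTORY = 2                 # assumed: prior exports needed before a baseline exists

# Constructed sample log: one user, two normal days, then a 02:13 login
# followed by an export hundreds of times larger than that user's baseline.
SAMPLE_LOG = [
    "2015-07-01T09:05:10 user=jsmith event=login src=10.0.0.5",
    "2015-07-01T09:20:00 user=jsmith event=export db=sales rows=400",
    "2015-07-02T10:11:00 user=jsmith event=export db=sales rows=600",
    "2015-07-03T02:13:44 user=jsmith event=login src=10.0.0.5",
    "2015-07-03T02:30:00 user=jsmith event=export db=sales rows=250000",
]


def parse_line(line: str) -> Dict[str, str]:
    """Turn '<iso-timestamp> k=v k=v ...' into a dict; raise on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"bad token {tok!r} in line: {line!r}")
        rec[key] = value
    return rec


def detect(lines: List[str]) -> List[str]:
    """Return one alert string per suspicious event, in log order.

    Rule 1: a login whose hour falls outside BUSINESS_HOURS.
    Rule 2: an export whose row count exceeds VOLUME_FACTOR times the
            average of that user's earlier exports (needs MIN_HISTORY of them).
    """
    alerts: List[str] = []
    history: Dict[str, List[int]] = defaultdict(list)   # user -> prior export sizes
    for line in lines:
        rec = parse_line(line)
        ts = datetime.fromisoformat(rec["ts"])
        user = rec["user"]
        if rec["event"] == "login":
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(f"{rec['ts']} {user}: login outside business hours")
        elif rec["event"] == "export":
            rows = int(rec["rows"])
            past = history[user]
            if len(past) >= MIN_HISTORY:
                baseline = sum(past) / len(past)
                if rows > VOLUME_FACTOR * baseline:
                    alerts.append(
                        f"{rec['ts']} {user}: export of {rows} rows from "
                        f"{rec.get('db', '?')} is {rows / baseline:.0f}x baseline"
                    )
            past.append(rows)   # every export, alerted or not, feeds the baseline
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The baseline is per user and built only from that user's earlier exports, so a database administrator who routinely moves large volumes is not flagged for normal work while a clerk pulling the whole table is. A real deployment would persist the history between runs and would route the alert to the people the article names, rather than printing it.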



58 Cyber Warnings E-Magazine – July 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
