Small Vulnerabilities can lead to Catastrophic Results [part 1]

When it comes to security, most IT departments focus primarily on network and application security.

By now, we've all read news stories about vulnerabilities in various software and are familiar with the importance of preventing unwanted network traffic to important network resources. The importance of best practices in the realms of data loss prevention (DLP), media control, and physical security are often afterthoughts, considered to be of comparatively lesser importance until it is too late. It is the goal of this two-part blog post to demonstrate that IT departments would be best served by reconsidering this stance. To the contrary, DLP, media control, and physical security should be employed as the best defenses against breaches caused by ignorance, accident, or malice. In support of this argument are the below listed illustrative cases where seemingly small vulnerabilities in these realms have led to catastrophic results.

Few breaches have had their roots in as negligent a security policy as the case of Bradley Manning. A 23 year old specialist in the US Army, Manning had access to classified databases as part of his assignment as an intelligence analyst in Iraq. He was able to copy nearly 750,000 sensitive or classified documents to a re-writable CD labeled "Lady Gaga.” These documents were later made public via the website WikiLeaks.com. At the time this was the largest leak of confidential US military documents ever released to the public; the aftershocks are still felt today. Had the US Army implemented an effective DLP policy, Manning would have been prevented from copying the sensitive data to the CD-RW, and if there had been good physical security, Manning would have been prevented from bringing the CD-RW into the vicinity of the workstation with access to the classified databases. If media control policy had enforced encrypted data-at-rest, Manning would not have been able to access the stolen data off-site. Furthermore, a proper endpoint logging policy would have alerted Manning's superior officers of his attempt to remove data. Any one of these changes in operating procedure would have prevented the leak.

Though security breaches have sadly become commonplace, there have been few in history as precisely targeted as the Stuxnet worm. Believed to have been developed by US and Israeli governments in order to impede Iran's nuclear enrichment facility, Stuxnet displayed more sophistication than any other worm previously encountered. Still, the attack vector required a member of the enrichment facility to insert an infected USB stick into a vulnerable computer at the facility. If the Iranian nuclear enrichment facility had in place a good policy of physical security to prevent unauthorized removable media from entering the site or a good media control policy that would have prevented the USB stick from being accessed by the vulnerable system after it had been inserted, all of the efforts of the worm's developers would have been for naught.

One malicious security breach we have all heard of is the case of Edward Snowden, the NSA contractor who accessed over a million sensitive documents and leaked them to various news agencies around the world. Through the use of unauthorized thumb drives, Snowden was able to copy a trove of sensitive, classified data and move it off-site. He had access to do this because of his role as an administrator and because of his Top Secret clearance. If the NSA had a policy to control the use of removable media or a physical security policy that made certain that unauthorized media was not brought onto the premises, this breach might never have occurred.

At Cadre, we advise every customer to carefully consider their security policy as it relates to DLP, media control, and physical security, as the costs of inconsistent vigilance can be staggering.