August 2009 Archives

Neil deGasse Tyson once said, "To a discoverer all data is valuable even bad data." When looking at data individually, you may believe that the data is not valuable and does not tell you anything. But, when combined with other types of information that are within a relevant time frame, the information becomes very valuablle and the more layers of information being presented more useful.

Some of the most valuable data that you get does not even come within the realm of logical data gathering. It is the information from outside of logical analysis of data which brings to mind Sam Walton's expression "I know what I know but tell me what you know." According to Kevin Mitnick, the most effective approach is to try to exploit the weakest link -- not operating systems, firewalls or encryption algorithms -- but people. In information security, knowing what is of value, where is it located, who has access to it, and what are the trust zones and controls that allow access to it is core to aligning information security with business goals.

Monitoring perimeter scans for known intruders and bogons is information that we all need, but knowing how trust zone can be compromised to gain access to valuable or confidential data is critical. It's the continual discovery process and breaking through the silos of knowledge and control that will help provide additional layers needed in developing an effective information security program.

Why is my executive office printer using https and ftp outbound traffic to a Home ISP DHCP range or using Goto My PC?

Protecting classified information and secrets pertaining to national security is nothing new for those in the military. The practice dates back thousands of years, and is probably as old as organized defense and warfare. "Loose lips sink ships," etc.

Social networking sites such as Twitter, FaceBook, and MySpace present interesting new challenges and concerns around the problem of securing privileged military information. While most military personnel would be very careful about posting secret or classified information on a site like Facebook, there are less obvious ways that a malicious individual, organization, or nation could use information on social networking sites. A US Marine Corp order issued recently does a pretty good of describing the risks:

"[Social networking sites] in general are a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries," the order reads. "The very nature of SNS [social networking sites] creates a larger attack and exploitation window, exposes unnecessary information to adversaries and provides an easy conduit for information leakage that puts OPSEC, COMSEC, personnel and MCEN at an elevated risk of compromise."

One only needs to do a quick Internet search for recent exploits launched through social networks to see the real risk they pose through malware infection. But the old tried and true tactics of web reconnaissance and educated password guessing are no less serious threats. In the case of military organizations, the risk becomes that much greater due to the value of the information on those networks and the stakes involved.

It is also interesting to contrast how the US Army and US Marine Corps have recently changed policies on this issue. The Army, after initially lifting a ban on social networking sites, has since considered re-blocking them. The Marines, on the other hand, just enacted a ban on social networking sites. Meanwhile, the Pentagon is now reviewing a possible ban which has the potential to set policy across the US Military.

I, for one, support the efforts to limit access to these sites from military networks. While social networking may be an increasingly important part of the way we all live and use the Internet, I'd just as soon err on the side of caution as it pertains to the military.