Cyber Security: Less Advice, More Action
On the heels of new policy recommendations and new audit recommendations for cyber security issues comes this news:
Tiversa employees found engineering and communications information about Marine One at an IP address in Tehran, Iran.
Bob Boback, CEO of Tiversa, said, "We found a file containing entire blueprints and avionics package for Marine One, ...
"What appears to be a defense contractor in Bethesda, MD had a file sharing program on one of their systems that also contained highly sensitive blueprints for Marine One," Boback said.
Tiversa also found sensitive financial information about the cost of the helicopter on that same computer.
Boback said someone from the company most likely downloaded a file-sharing program, typically used to exchange music, not realizing the potential problems.
"When downloading one of these file-sharing programs, you are effectively allowing others around the world to access your hard drive," Boback said.
Which drives home this point: organizations associated with national security don't need more advice; they need better awareness, stronger control, and the will to act.
"Defense contractor in Bethesda" is code for a well-known beltway bandit that needs no introduction. It is worth noting, however, that such organizations know a little bit about computer security, given that they've also probably got a contract to advise the government on the topic. Still, they didn't realize that someone on staff was giving the RIAA or MPAA fits and at the same time leaking proprietary information about a craft that is supposed to carry the President of the United States.
I've no doubt that the firm in question has lots of security policies, but clearly it lacks the ability to enforce them, or it chooses to let a lot slide. Either way, it should come as no surprise that there is a major disconnect between the three-ring binder full of policies collecting dust on a shelf and the reality of system defense.
All of this leads up to my argument that computer security is really just another checklist item for most organizations. Bought an AV solution? Check. Firewalls? Check. IDS? Check. An ArcSight license to watch it all? Check. Someone with "CISSP" after their name to run it all? Check. OK, we're good. Checklist compliance means nothing in the real world. Everyone with the power to act seems to forget that security isn't like the coffee service: sign a contract, and as long as the joe is flowing everything is cool. For once, I'd like to see a business of any size or import focus on its security operation the way it does its accounts receivable (A/R) operation. Because you know the CEO doesn't know why Network+ might be important, but it's a lock he knows why Net 30 is important.
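The exposure Boback describes above is a file-sharing client whose shared folder quietly covered far more than the music the user meant to share, and the complaint in this post is that nobody ever checked. As an added example, not code from the original article, the contractor, or Tiversa, here is a small Python audit of the directories such a client exposes: it flags a share rooted at a home directory or drive root, and files whose extension or name match a sensitive-data list. The share list, the extension and keyword rules, and the sample directory tree (including the fictitious file names) are all constructed assumptions built inline so the script runs offline; it does not read any real P2P client's configuration.

```python
"""Audit the folders a file-sharing client exposes for sensitive material.

Added example for this post, not code from the original article, the
contractor, or Tiversa. It assumes the auditor already knows which
directories the client shares; it does not read any real P2P client's
configuration. All rule lists and the sample tree are constructed.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed classification rules; a real audit would use the organization's
# own data-classification policy rather than these guesses.
SENSITIVE_EXTENSIONS = {".dwg", ".dxf", ".step", ".xls", ".xlsx", ".docx"}
SENSITIVE_KEYWORDS = ("blueprint", "avionics", "proprietary", "confidential")


def is_overshare(share_root) -> bool:
    """True when the share is rooted at the user's home or a filesystem root,
    i.e. it exposes far more than the music folder the user had in mind."""
    root = Path(share_root).resolve()
    if root == Path(root.anchor):
        return True
    try:
        return root == Path.home().resolve()
    except RuntimeError:  # home directory unknown in this environment
        return False


def classify(path) -> Optional[str]:
    """Return why a file is sensitive under the rules above, or None."""
    p = Path(path)
    if p.suffix.lower() in SENSITIVE_EXTENSIONS:
        return "sensitive-extension"
    name = p.name.lower()
    if any(k in name for k in SENSITIVE_KEYWORDS):
        return "sensitive-keyword"
    return None


def audit_shared_dirs(shared_dirs):
    """Walk each shared directory and return a list of policy findings."""
    findings = []
    for share in shared_dirs:
        root = Path(share)
        if not root.is_dir():
            findings.append({"share": str(root), "path": None, "name": None,
                             "reason": "missing-share-root"})
            continue
        if is_overshare(root):
            findings.append({"share": str(root), "path": None, "name": None,
                             "reason": "overshare"})
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                full = Path(dirpath) / fname
                reason = classify(full)
                if reason:
                    findings.append({"share": str(root), "path": str(full),
                                     "name": fname, "reason": reason})
    return findings


def build_sample_share() -> str:
    """Create a constructed share tree mirroring the scenario: music the user
    meant to share sitting next to engineering and finance files they did not.
    Every file name here is fictitious."""
    base = Path(tempfile.mkdtemp(prefix="p2p_share_"))
    files = [
        "music/song.mp3",
        "music/playlist.m3u",
        "work/helicopter_blueprints.dwg",   # extension hit
        "work/proprietary_notes.txt",       # keyword hit
        "finance/cost_estimate.xlsx",       # extension hit
        "readme.txt",
    ]
    for rel in files:
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("sample content\n")
    return str(base)


if __name__ == "__main__":
    share = build_sample_share()
    for f in audit_shared_dirs([share]):
        print(f"{f['reason']:20} {f['path'] or f['share']}")
```

Run it against the directories a client actually shares on a host and an empty result is what policy enforcement looks like; three findings on a share that was supposed to hold MP3s is the binder-versus-reality gap the post describes, surfaced before someone in Tehran finds it first.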