If Woody Had Gone to the Police...

Tuesday, December 14, 2010

J. Oquendo


While the United States government awaits the next trove of released documents on WikiLeaks' website, I sit around pondering: what has the government learned, if anything, with regard to security?

All I see coming out of the media and from government is "WikiLeaks, WikiLeaks, Manning, Manning," and not once have I read an article or heard a news report where someone in the government took responsibility for allowing this fiasco in the first place.

So what has the government learned? Did they at least learn that defense in depth might have actually stopped Manning or someone else from pulling this caper off?

If we were to stop and think about this for a moment as security practitioners, the entire situation could have been avoided by implementing defense in depth. Had the United States military implemented something as simple as Data Loss Protection (DLP) combined with an SIEM, those cables might not have made it to WikiLeaks.

Had the military implemented oversight from those with the proper authority to audit against accessed data, this would have been avoided. Any decent SIEM would have triggered alerts, let alone having DLP.

When I think of security in regards to this, I am reminded of the old Woody Woodpecker episode: "If Woody had gone to the police... this would have never happened." The United States has the framework written, in fact: the National Institute of Standards and Technology (NIST) has plenty of documentation on accomplishing this and similar goals. "How to protect your network 101." It is what billions of US tax dollars have gone to.

Let's have a quick look at FIPS-200[1] to see some of these eye-popping failures. Before I go too far: while I could have chosen something more concise like AR 380-5 or DoD 5200.1-R[2], I decided to shy away from doing so, so should anyone care to e-mail me about this at some point, feel free, but note that I am aware of the differences, etc. Besides, I could have typed up a whole slew of other acronyms (MACOM, DIACAP, DITSCAP, CDAP, OSINT, EPITS, JCMA), but it would likely lead to confusion at the end of the day. I chose FIPS.

Excerpts from FIPS-200 with comments:

Access Control (AC): Was Manning authorized to access ALL of the information that traversed his station? Who was it that implemented, authorized and validated this access? Obviously they failed. Is the military backtracking this process to ensure it does not occur again, or will they simply perform typical due diligence: "Thou shall not bring an iPod into work!"

Awareness and Training (AT): Post information theft, is the military going back and training their staff and raising awareness to avoid future issues? There seems to be a lack of communication somewhere across military channels. How one individual can access so much data under such extreme clearance hierarchies is puzzling. Regardless of whether the individual has TS clearance, is there a need to give everyone with TSC the keys to the kingdom?

Audit and Accountability (AU): Access control failed, which means this auditing and accountability section also failed. It is time to hold staff responsible for their role in allowing situations like this to occur. Had the military held true to simple NIST frameworks, the likelihood of Manning being able to sift out information via an iPod would have been minimized. Why weren't Manning's actions flagged on any system? Surely the simplest of SIEMs would have triggered an alert. Again, something as simple as DLP or a SIEM would have raised red flags all over the radar screens.

Certification, Accreditation, and Security Assessments (CA): Certification and Accreditation mean little to me. The reality of "certified, accredited," to me, means little more than "a shell game of contractors scrubbing each other's backs." Who is watching the watchers? Contracting is a very big business in the beltway, and I find it difficult to believe that there is some mechanism in place to validate what is being certified. We have already seen that contractors, too, have issues maintaining and securing their own networks, let alone taking care of Ground Zero. Advanced Persistent Threat, anyone? Titan Rain, perhaps?

Risk Assessment (RA): This could be summarized as "not putting all of your eggs in one basket." Why is there no evidence of even defense in depth? I am sure if there were, there would have been a snippet of it: "Luckily he wasn't able to access..." Where have all my tax dollars gone? Manning had access to information because of his job functions; however, at what point in time did someone in the military review or audit his access to information? Why was one individual capable of not only reading without concern of being audited, but able to copy AND read information far beyond his scope of duties?

At what point in time are RAs done, and how frequently are they done? Should reports hold true, Manning was already an outsider in his area. Did his superiors not see this? Were they too busy on their iPads to notice? Why haven't we even heard about who his superiors were?

System and Communications Protection (SC): Compartmentalizing what information traversed the network could have placed much of that data outside of Manning's reach. The "Secret", "Top Secret", and "Classified" model seems to be outdated. In an environment as dynamic as politics and the military, even the highest-ranking officials should NOT have access to all the eggs in one basket, let alone a private.
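The AU and SC points above (bulk reads that the simplest SIEM should flag, and need-to-know compartments that should bound what one account can touch) as an added example, not code from the original post: a small Python correlation check run over constructed access-log lines. The log format, user names, compartment labels and the bulk threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (hypothetical format: timestamp user action doc-id compartment).
SAMPLE_LOG = """\
2010-04-01T09:00:01 jdoe READ cable-1001 DIPLO
2010-04-01T09:00:05 jdoe READ cable-1002 DIPLO
2010-04-01T09:00:09 jdoe READ cable-1003 DIPLO
2010-04-01T09:00:12 jdoe COPY cable-1004 DIPLO
2010-04-01T09:00:15 jdoe READ cable-1005 DIPLO
2010-04-01T09:00:20 jdoe READ report-2001 SIGINT
2010-04-01T09:05:00 asmith READ report-2002 SIGINT
2010-04-01T10:06:00 asmith READ report-2003 SIGINT
"""

# Hypothetical need-to-know matrix: the compartments each account is authorized to read.
AUTHORIZED = {"jdoe": {"DIPLO"}, "asmith": {"SIGINT"}}

LINE_RE = re.compile(r"^(\S+) (\S+) (READ|COPY) (\S+) (\S+)$")


def parse_log(log_text):
    """Return (timestamp, user, action, doc, compartment) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def find_alerts(log_text, authorized, bulk_threshold=5):
    """SIEM-style checks: reads outside the user's compartments, copy-to-media events,
    and bulk access (distinct docs per user per clock hour) at or above the threshold."""
    alerts = []
    docs_per_user_hour = defaultdict(set)
    for ts, user, action, doc, comp in parse_log(log_text):
        if comp not in authorized.get(user, set()):
            alerts.append(("OUT_OF_SCOPE", user, doc))
        if action == "COPY":
            alerts.append(("COPY_EVENT", user, doc))
        docs_per_user_hour[(user, ts[:13])].add(doc)  # ts[:13] is the YYYY-MM-DDTHH bucket
    for (user, hour), docs in docs_per_user_hour.items():
        if len(docs) >= bulk_threshold:
            alerts.append(("BULK_ACCESS", user, f"{len(docs)} docs in hour {hour}"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG, AUTHORIZED):
        print(alert)
```

On the constructed log, jdoe trips all three checks while asmith, who stays inside SIGINT and reads one document per hour, raises nothing.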

Anyhow, I guess I will have to wait to see what kind of omelet will be made once all of these eggs in that one basket are scrambled. In the meantime, I don't necessarily blame only Bradley Manning; I also blame those in the military who are responsible for oversight, from the security managers right on up to the generals.

[1] http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
[2] http://www.dtic.mil/whs/directives/corres/pdf/520001r.pdf

Derrick Buxton: I think you should refrain from jumping to conclusions. We do not know what information Mr. Manning had legitimate access to; therefore I think it inappropriate to make judgments on whether access controls were appropriate. I have issues with some of your other thoughts, and I would be happy to discuss them privately if you so desire.