Security Technology Executive

JUL-AUG 2015

Issue link: https://securitytechnologyexecutive.epubxp.com/i/557126

Contents of this Issue

Navigation

Page 31 of 39

32 SECURITY TECHNOLOGY EXECUTIVE • July/August 2015 www.SecurityInfoWatch.com "When reports like the GAO's come to light and point out the flaws in security at a critical agency like the FAA, it's very easy to climb up on a high horse and judge." TRANSPORTATION SECURITY have clear lines of responsibility. Security at the FAA is a serious problem, but it isn't clear who owns that problem. Problems without people to own them don't often find solutions. Processes and Practices Are Also a Security Focus The two most important elements of healthy cybersecurity are people and practices. We've seen the hints and headlines in the GAO report on FAA security about problems with person- nel. There are also quite a few that point to issues with the FAA security processes. Some of these concerns seem to be rooted in the ten- sions between making the IT systems work well for their users and trying to keep them secure at the same time. It's the classic tension between security and ease of use. Most of the "significant security control weaknesses" cited in the report are prob- lems that are all too common, problems which you will no doubt recognize as things your organization struggles with as well. Security is the art of con- trolling access. It's clear that the GAO thinks the FAA is failing to raise their security to an art form. After detailing several detailed failings, they sum up the overall issue: " Without adequate access controls, unau- thorized users, including intruders and former employees, can surreptitiously read and copy sensitive data and make undetected changes or deletions for malicious purposes or for personal gain." Since we're dealing with the FAA, it's no sur- prise there's a focus on "malicious purposes." But the GAO is thorough here, and remembers that there are likely all manner of schemes that may plot to steal PII or leverage access to FAA systems to learn information to be used in other criminal enterprises (what could orga- nized crime do with the exact position of every private jet in the US skies?). While your organi- zation may not have to worry about managing data as interesting as that, there are other ele- ments here which speak to very common pro- cess issues. One that struck me was that this includes "former employees" as one of the classes of people that requires special attention. Provi- sioning, one of the operational origins of iden- tity management, has morphed into a critical security concern as systems have become more connected to each other and the outside world. Where a former employee was once only a con- cern if they kept a key and could sneak back onto systems in a building, today if not prop- erly deprovisioned a former employee could use their lingering access to do serious damage. Concerns about both deprovisioning former employees and changing access as users move within an organization is one of the most com- mon worries. The interconnectedness of systems is also a potential threat even if all the access is pro- visioned well. While granting users network access to systems produces huge benefits, it also creates risks. The GAO points out that "integrating critical infrastructure systems with information technology networks provides sig- nificantly less isolation from the outside world than predecessor systems, creating a greater need to secure these systems from remote, external threats." You want to have users, espe- cially administrative users; able to do as much as possible from where they happen to sit. This allows you to recruit the best people wherever they may be, and let them work with the sys- tems where they can have the best impact. This falls into conflict immediately with good security practices, which want to isolate critical systems from as much potential harm as pos- sible. Here the FAA once again looks like just about every other organization on earth that attempts to harness the full power of IT. While many organizations may choose to simply take their lumps from their auditors on points like this in order to have the positive revenue ben- efits of highly networked systems, we are forced to ask if an organization with as critical a char- ter as the FAA's should also be allowed to make that choice. "Certain network devices supporting NAS systems did not always encrypt authentication data when transmitting them across the net- work and other systems did not always encrypt stored passwords using sufficiently strong encryption algorithms in compliance with FIPS 140-2," the GAO writes. Since most of us will never see the detailed report of the deficiencies, we have to guess at exactly what this means. If we continue to assume the FAA isn't that much different than other organizations, then we can make some educated guesses. Many times, third-party systems don't design as securely as we'd like. Systems developed by organizations for their own needs make the same errors. Both do this for the same rea- sons. Most systems aren't built to be perpetu- ally secure; they're built to fill a need. Again,

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Technology Executive - JUL-AUG 2015