Daniel E. Turissini | Another View: How to keep track of inside threats

Daniel E. Turissini

I was among those who attended the House Government Reform committee hearing in June regarding the theft of agency data from a Veterans Affairs employee's home. At the hearing, Clay Johnson, deputy director for management of the Office of Management and Budget, stated: 'The recent incident makes painfully obvious a long-known security risk'a single trusted individual can mistakenly, or intentionally, and very quickly, undo all of the sophisticated and expensive controls designed to safeguard our information and systems from attack.'

Jim Nicholson, secretary of Veterans Affairs, added that the occurrence 'has been a painful lesson,' and that he was committed to ensuring that VA had adequate training, with policies and procedures in place to assure that this will not happen again.

While training, policies and procedures are essential, one component that is also necessary is the concept of 'auditable' accountability. We are never going to attain the online security model we want and need until we implement the means to audit accountability. That is, establish an audit trail of electronic transactions that can be compared against policies and procedures. So when I do something electronically, I leave a digital trail that ensures my transaction is protected while also ensuring my privacy is upheld.

Everyone wants protection against the 'bad guys,' but what we really need to be cognizant of is protecting ourselves against the inside hacker and the inside mishaps. These are most often the cause of vulnerabilities and damaging events. It is essential we maintain controls that don't accept the excuse, 'I'm a good guy, and I've been here for 34 years, so I'm trustworthy.'

If secrets can be 'borrowed' or stolen, then they can be inadvertently shared. By having an auditable accountability mechanism, people will be more inclined to pay attention to what they're doing. It makes someone think, 'When I pull these data down, or embark on this specific activity, I will trigger notification to my supervisor via the audit report that forces a check on a weekly, daily or hourly basis. I'm leaving an audit trail of what I'm doing.' So it might stop that person from doing something stupid or at least make them think twice about it. Likewise, it prohibits, or at least inhibits, someone from doing something malicious.

But it takes more than software and the ability to trigger reports. Just as important are the hardware considerations, including a properly deployed public-key infrastructure. PKI digital certificates combined with hardware key protection (such as smart cards) are among the best ways to ensure accountability and mitigate security risks in a distributed environment.

Over the Internet, I have no idea who is on the other end of a keyboard. Unless I have a strong, mutual authentication and identity mechanism to trust, I can never be sure who is interacting with my data. With a government-approved PKI, I have my private key (issued based on the vetting of my identity) that nobody else can access, and so does the individual or computer entity on the other end. When I leave with my private key on my smart card, I leave with my digital identity, and no one else can access my data or pretend to be me. And, if I ever suspect my credential has been compromised, I can immediately revoke it and have it replaced with a new key. In today's open environment, we cannot rely on a user name and password to protect our resources and our privacy.

So it's not just about training and its not just about enforcing policies when a catastrophe occurs. It's about preventing them and mitigating the risk of these catastrophes or problems in the first place. The only way you can do that is by implementing an auditable system that holds everyone accountable for their own actions.

Daniel E. Turissini is president and CEO of Operational Research Consultants Inc. of Fairfax, Va. (turissd@orc.com).

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above