Are You Safe From Lady Gaga? Trade Secret of ARB Intellectual Property Holdings Limited Proprietary Information
Are You Safe From Lady Gaga?
Executive Summary

Is Lady Gaga a danger to your information? Does the song “Telephone” put your IT at risk?
Data originates either from employee entry or from the manipulation of existing data. A recent estimate puts the world's
stock of data at over 281 exabytes (an exabyte is one billion gigabytes), roughly 2.81 × 10^20 bytes.
According to Wikipedia, information security involves “protecting information and information systems from unauthorized
access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.”
The cost of information security breaches can be catastrophic. Breaches take many forms, and each has the potential for
primary and secondary damage. For example, information that is leaked, as will be covered later, continues to cause damage
with every secondary viewing, not to mention a loss of confidence in the information source.
There are no accurate estimates of the damage caused by information security breaches, as many organizations try to hide this
embarrassing information. Occasionally there are headlines touting some breach of credit card data and the publication of
such information in the public domain. Other times, hackers compromise data to protest, to demonstrate the vulnerability of
protected systems, or simply to make a buck. And sometimes hackers are your least concern: your most serious risks are much
closer to home, in your trusted employees.
Information security rests primarily upon three tenets – a triangle of confidentiality, integrity and availability.
Argent for Security is designed to assist the modern enterprise with information security. This white paper covers the principal
triad of confidentiality, integrity and availability in light of the ability of Argent for Security to assist in the prevention of
information security breaches. Our assertion is that your greatest risk is on your payroll, and that peripheral systems,
principally flash drives and DVD/CD-ROMs, carry tremendous risk: they give the malcontent employee the means to capture and
proliferate secure information and to cause permanent, systemic damage to information security. In the worst case, you file for
Chapter 11.
This white paper is written for the technical manager and technical executive. There are concrete recommendations for further
study at the end of this white paper.
Introduction

A peripheral is any device attached to a computing device where such peripheral is not a part of the core computing device,
such as CPUs or main storage. Peripherals are in abundance for various uses ranging from the storage of multimedia to the
augmentation of visual displays. In many cases, peripherals have the ability to persist data through onboard memory.
Information security, as mentioned previously, covers three basic concepts: confidentiality, integrity, and availability. Each
concept is balanced against the others, and peripherals play a key role within the framework. For the reasons discussed below,
they are a particularly easy avenue for a breach and therefore require extra protection.
Julius Caesar used the cipher that now bears his name in approximately 50 B.C. His intention was to prevent enemies of Rome
(or perhaps even friends outside the military) from reading confidential dispatches intended for his generals. Caesar was aware
that messages would travel long distances by courier and were subject to interception and capture. The cipher protected
confidentiality if a dispatch was captured; it did nothing for availability, since a captured message never reached its recipient,
and nothing for integrity. The same division of labour still holds: encryption addresses one vertex of the triad, not all three.
As the modern enterprise adopted the computer, confidential information began to be digitized and stored. In the 1950s, a
simple method of data protection was to store all data in a single location and then control access to that location. The
term “server closet” came, in certain cases, to signify the isolation of data to prevent a security breach.
During the 1950s and lasting through the 1970s, data storage and generation was prohibitively expensive and thus much
simpler to protect, generally in a glass-walled central computer room where physical security was all that was needed.
Storage devices could not fit into one’s pockets – a 100 megabyte state-of-the-art 3330 IBM disk was the size of 15 jumbo
pizza boxes glued together. If information required protection, businesses and government would focus more on security
clearance applications and the surveillance of potential breaches by personnel. The human memory was one of the key tools
for violating information security protocols, or in certain cases, a small camera for photographing secure documents.
In the 1980s, two innovations altered the information security requirements. First, networked access to information turned
data protection on its head – critical confidential information had migrated from the glassed-in mainframe behemoth. Now,
information had the potential for theft and compromise at any terminal or client machine with the ability to download or transfer
sensitive information. This could be to another room or another country. Second, peripherals began to become smaller and yet
increased in capacity.
Now, peripherals could fit inside one’s pocket and thus could store whatever data could be transferred from a secure system.
Many enterprises would deploy diskless workstations to prevent information compromise, but at the same time many provided
no protection at all. And peripherals began to possess the ability to magnify the damage of a single breach with the ability to
hold an extensive amount of information, not only text but also video and audio.
As a result of these two developments, many new threats have emerged in terms of confidentiality, integrity and availability.
A recent, prominent example illustrates why products like Argent for Security are essential for all enterprises.
Lady Gaga And The Big Breach

If a computing system – of any size or type – allows peripheral connections, there are inherent risks. In information security,
peripheral storage helped to generate the largest breach of classified information in history.
Here’s how.
SIPRNet is a private, classified network in use throughout the U.S. Department of Defense. It is implemented as a separate
network, on its own hardware worldwide, to help make it more secure. It carries information classified up to the Secret level
(Top Secret material is kept on a further, separate network). It is supposedly monitored much more extensively than
unclassified networks, and only personnel holding the appropriate clearance are allowed access and use. But that is an
enormous population: the Washington Post counted 854,000 Top Secret clearance holders alone, more than the 600,000
residents of Washington D.C., and the number cleared to Secret is larger still.
The Department of Defense employed extensive protective measures around personnel and systems to maintain the
confidentiality of information. Billions of dollars have been spent in building and extending the network to bases globally,
including both public and private government facilities.
Unfortunately, many devices connected to SIPRNet had peripherals enabled, including writable CD drives. And so one person
with access to the network was able to imitate a casual employee listening to music while filling up CDs with classified data,
CDs that were eventually leaked to WikiLeaks and ultimately to the public. The fallout is continuing and it has led to massive
global upheaval for the Department of State of the United States, among other government organizations.
How was one person able to cause such a phenomenal breach? Simply by lip-syncing and thus convincing fallible personnel
that he was only listening to music. Ironically, if the military had used Argent for Security, they would have been able to monitor
file creation, deletion, renaming and other changes on the CD device. Argent for Security would have been able to alert security
personnel within 90 seconds of the start of the breach (remember, burning these “Lady Gaga” CDs took many hours).
The person who did this clearly had a plan – he decided that he would use popular music to abscond with government secrets.
In Iraq, it’s said he donned a pair of headphones and a CD emblazoned with the image of Lady Gaga and went nonchalantly
in to work. Then, he plopped in the CD and would pretend to listen to songs like “Telephone” and, while lip-synching, steal
government secrets by burning them onto his CDs.
Why then would the world’s largest military fail to employ basic monitoring in support of information security? This is an
interesting question. Certainly information confidentiality was supported by the very design of SIPRNet. The separate network
allowed a certain level of transport security.
Apparently, the military felt that visual monitoring could be effective, but the visual monitoring was fallible and missed the actual
machine activity. Typically, large government agencies suffer an explosive mixture of hubris and bureaucracy. And this is true of
large government agencies in any country – the U.S. is not unique.
Another example is the failure to encrypt the data feeds from airborne drones and indeed most U.S. military aircraft – “we
thought the terrorists would not have this level of sophistication…” was the official explanation. ROVER proved to be a mutt
(see the hyperlink at the end of this white paper for details).
As a result of this fallibility, over 200,000 classified files were copied and then exposed. Stunningly, if the person apparently
responsible for the breach had not boasted to another individual in an online chat, the identity of the perpetrator might have
remained a mystery; the copying itself went undetected at the time. Careful monitoring of all peripheral usage is an essential
part of the information security framework.
It took one person with a set of rewritable CDs to alter the course of information security in the U.S. Government. There can
be no denying that information security in terms of peripherals is absolutely critical. In this case, a breach might actually cost
lives.
In a less terrifying example, what happens when someone inserts a USB drive into a USB port and copies corporate trade
secrets just before resigning or being fired? In many cases, this breach might go undetected without proper monitoring. All
that would be seen is that the competition suddenly just became more competitive; sure – now they know your pricing, plans,
designs, proposals, new products, and compensation plans.
“Lady Gaga” CDs were the method, but the everyday ability to listen to music at one’s desk provided the opportunity, and
peripherals provided the means for the soldier to copy and steal. Availability of peripherals can sometimes be restricted, but
there are times when it cannot be. This leads to a discussion of the benefits and disadvantages of host-based security solutions.
Parasites Love Hosts

Every host is subject to parasites. A host in the computing world can be any device with computing capability, from a server to
a desktop to a laptop. Host-based security is mandatory in any environment seeking to protect confidential data.
Argent for Security includes the ability to monitor host-based events like the plugging in and unplugging of a USB device and
the loading and unloading of CD-ROM media. As such, it is an essential and critical tool for any host environment. At the same
time, there are also some common-sense steps that any enterprise should take today but are generally ignored.
Imagine an outbreak of a parasitic virus. When it finds a new host, it attaches itself and performs a specific function:
extracting and transmitting sensitive data. What can it do if there is no sensitive data to extract? Its presence is then, by
definition, benign. And if it cannot get the data out, there is time to identify and eliminate it before any cost is incurred.
Many organizations approach the problem by spending exorbitant amounts on protecting every single host in every location.
Then a salesperson comes along and downloads data in 10 minutes to their iPhone and single-handedly compromises the
entire paradigm. They go to a client site and transmit the data via Bluetooth to a competitor.
How is that possible?
Very simply, is the sad answer.
How is it that a single person can defeat an entire security practice? This is because the data is the value and the information
security approach is systemic rather than focused on the data itself.
In the example of SIPRNet, the fundamental issue was that a single individual had access to a massive amount of information
that was not relevant to his function. As noted above, the cleared population with access to the network exceeds the entire
population of Washington D.C. The data was present for any employee and available for transfer to any authenticated
employee. Much like a traitor inside the city walls, the single person simply opened the castle gates and threw the critical
information directly to the enemy. In fact, there were so many copies of the data inside the castle walls that his usage of it
went unmonitored and unnoticed.
Information security experts often view the problem as one of having enough monitors, as opposed to restricting the actual
data to a manageable number of locations. If you have a thousand mobile devices to monitor, how can you be certain that none
will be left behind in a bar, as an iPhone 4 prototype was in 2010, leaking the device’s design before its release?
Laptops and mobile devices routinely travel outside the enterprise castle. They travel along open routes and are very
difficult to manage. There are strategies for locking them down, but one of the best strategies is information gathering rather
than lockdown alone.
Argent for Security follows the best practice: Argent tracks usage and immediately alerts anomalies. Give the information
security team an opportunity to assess the threat, as opposed to counting on the castle wall to hold when opened from the
inside.
Information Security Walls Can Always Be Breached Easier From The Inside

Many organizations take the approach that the best method of preventing data compromise is controlling external access to,
and usage of, a host and its peripheral devices: if you build a wall high enough, it cannot be breached. Unfortunately, this
strategy falls flat so commonly that it is nearly a punch-line at industry parties, or as General Patton put it: “fixed
fortifications are monuments to the stupidity of man.”
For example, Sony BMG invested heavily in copy protection for its audio CDs in the mid-2000s. The protection software
installed itself like a rootkit, so it actually made Windows systems easier to compromise. In addition, the simple way to defeat
the protection was to hold down the Shift key while inserting the CD, which suppressed the autorun that installed it.
The music industry has been far more successful utilizing other strategies, such as licensing to iTunes, use of streaming rather
than downloading, and the investigation of P2P systems like Napster. It is far easier to detect a breach by the flow of
information than to prevent it in the first place. There are many more examples.
Argent for Security has the right philosophy: report and immediately alert on suspicious activity. This proves far more
effective than steps that simply attempt to build firewalls that can be spoofed and breached. Organizations often build
firewalls only to have an employee take very expensive confidential data home and leave their laptop on a train; in a recent case,
an employee of a government agency in Australia left a memory stick on a bus.
A different example altogether is that of the Mafia within the United States. For decades, federal, state and local governments
all passed laws making many of the activities of the Mafia illegal, and yet the activities continued. Silence was bought and paid
for and information was difficult to obtain. What finally gave governments the ability to prevail was a series of disclosures by
informants, those who would take confidential information and transmit it outside the walls of the Mafia castle. The most
damaging breach of confidential information comes from within the confidential environment.
Profiling is Safe and Beneficial and Essential

Society abhors certain types of social profiling as the first step to Orwell’s 1984. However, data profiling is benign and
essential.
What exactly is data profiling? Data profiling is simply the analysis and identification of patterns based on a logical algorithm.
In the case of Argent for Security, data profiling is the use of custom logic using WMI or PowerShell.
Data profiling results in the identification of patterns. For example, an employee appears to be sending print jobs to a device
that is actually a Linux server rather than a printer. This pattern should raise flags and result in further investigation.
Viruses have a profile. As with differential diagnosis in medicine, every virus has a signature, and profiling can identify a
potential infection. Medical analogies apply throughout information security practice because viruses propagate through a
population of computers in much the same way they propagate through a human population; compare the 1918 “Spanish” flu
with Nimda (“admin” spelled backwards).
Back in the 1980s, a hacker in upstate New York used a library’s account with a university to impersonate the library and then
carry out various attacks, because the library was trusted within the university’s network. The library was trusted, but the
hacker’s behavior carried a signature that could have been rapidly identified; data profiling would have detected the intrusion
before the damage was done.
The Internet is now the heart of most companies. But the Internet brings a multitude of threats and they cannot all be mitigated
simply by access control. Data auditing is central to figuring out the Five Ws: Who, What, When, Where, and Why.
After a crime is committed, the authorities only have forensic investigation at their disposal. They can ask what happened, but
they rely on patterns and evidence to lead them to an explanation. Environmental recordings and people’s memories are the
primary tool of the investigator to piece together what happened.
“Trust But Verify” – Trust Your Logs, Not Your Policies

Policy and procedure are the Linus blanket of many companies: they give a warm feeling but marginal real benefit. Training
employees to protect data and to report breaches is better than having no policy at all. At the same time, while an employee
might violate policy, an application will not (absent being hijacked).
In contrast to Linus’s blanket, your computer logs are honest and impartial, cold and analytical. Argent for Security writes
directly to your servers’ logs with precise and specific details of information access and usage. Those logs report what
employees sometimes do not: that they downloaded or copied information in violation of policy.
The soldier in the WikiLeaks case most assuredly was aware that policy forbade his activities. But the log entries apparently
did not record what his precise activities were. The consequence of relying on policies and procedures in this case was
absolutely devastating.
Trust is sometimes misplaced, and not for obvious reasons. For example, an executive secretary might become ill and take
home sensitive correspondence, in violation of company policy, and not disclose this for fear of reprimand or dismissal. The
human conscience overrides policy in numerous cases. A log entry recording the transfer using Argent for Security would result
in an information security team able to intervene or at least protect the executive secretary by assisting them with extra support.
Whatever the remedy, it is not possible if no one knows about the breach of policy.
The expression “Hell Hath No Fury Like A Woman Scorned” (from Congreve’s The Mourning Bride, 1697) can be modernized as
“Hell Hath No Fury Like An Ex-Employee Scorned.” At any given time there might be policy breaches for any number of reasons,
and very few of those reasons involve compliance with policy. Once again, logs store precious information that can immediately
alert the information security team.
Logs permit identifying correlations, trends and predictors. Correlations, trends and predictors are tools that make your data
secure. For example, log entries show that a number of flash drives are being used to copy data onto desktop systems from
laptop systems. This might be a predictor that there are issues with data transfer within the network or that remote employees
leverage both laptops and desktops, resulting in data compromise. Either way, the log entries can assist in your long-range
information security planning.
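The correlation this section describes, and the pattern-based data profiling of the previous section, reduce to a rule that can be run over the log entries. The following PowerShell is an added example for this white paper, not code from Argent for Security: it parses peripheral-audit lines and flags any user who creates more than a threshold number of files on removable media inside a sliding window, which is the "hours of CD burning" pattern of the SIPRNet case. The line format (ISO timestamp, user, change type, drive, path), the user names and the sample lines are all constructed for this example.

```powershell
# Added example, not Argent for Security's code. Burst detection over
# peripheral-audit log lines of the (constructed) form:
#   2010-05-01T09:00:00 CORP\user Created E: E:\path\file.ext

function Find-RemovableWriteBursts {
    param(
        [string[]]$Lines,
        [int]$Threshold = 20,                              # files inside one window
        [TimeSpan]$Window = [TimeSpan]::FromSeconds(90)    # sliding window length
    )
    # Keep only file-creation events: deletions and renames do not move data off the host.
    $events = foreach ($line in $Lines) {
        $f = $line -split ' ', 5          # at most 5 fields, so paths may contain spaces
        if ($f.Count -lt 5 -or $f[2] -ne 'Created') { continue }
        [pscustomobject]@{ Time = [datetime]$f[0]; User = $f[1]; Drive = $f[3]; Path = $f[4] }
    }
    foreach ($group in ($events | Group-Object User)) {
        $t = @($group.Group | Sort-Object Time)
        $j = 0
        for ($i = 0; $i -lt $t.Count; $i++) {
            # Advance $j to the first event later than t_i + Window; $j - $i events fall inside.
            while ($j -lt $t.Count -and ($t[$j].Time - $t[$i].Time) -le $Window) { $j++ }
            if (($j - $i) -gt $Threshold) {
                [pscustomobject]@{
                    User   = $group.Name
                    Start  = $t[$i].Time
                    End    = $t[$j - 1].Time
                    Files  = $j - $i
                    Drives = (@($t[$i..($j - 1)].Drive) | Sort-Object -Unique) -join ','
                }
                break   # one alert per user is enough to start an investigation
            }
        }
    }
}

# Constructed sample log: a salesperson copying five proposals over eight minutes
# (normal), and an analyst writing thirty "music" files to E: in under a minute.
$base = [datetime]'2010-05-01T09:00:00'
$sampleLog = @(
    0..4  | ForEach-Object { '{0} CORP\sales2 Created F: F:\proposals\q{1}.pdf' -f $base.AddMinutes(2 * $_).ToString('s'), $_ }
    0..29 | ForEach-Object { '{0} CORP\analyst1 Created E: E:\music\track{1:d2}.mp3' -f $base.AddSeconds(2 * $_).ToString('s'), $_ }
    '{0} CORP\analyst1 Deleted E: E:\music\track00.mp3' -f $base.AddMinutes(5).ToString('s')
)

Find-RemovableWriteBursts -Lines $sampleLog | Format-Table -AutoSize
```

Against the sample only the analyst is reported: thirty creations in 58 seconds exceed the threshold inside one 90-second window, while the salesperson's five files are two minutes apart and never exceed one per window. The threshold and window are the tuning knobs; a lower threshold catches a slower exfiltration but also the salesperson syncing a folder, which is exactly the trade-off the information security team, not the script, should decide.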
You need lots of arrows in your quiver – relying on a single set of prevention tools is not an ideal practice. A castle with secure
walls will be assessed and eventually the enemy will figure out that they don’t have to invade, but encircle it and capture anyone
going in or out. Eventually the castle will fall. Building a monolithic defense is not going to solve the list of long-term threats.
Threats adapt and modify themselves over time. Vigilant awareness of potential threats will always be a superior practice.
Conclusion

Security of your information is a triad balancing confidentiality, integrity and availability. The vertices of confidentiality and
availability have been the focus of our discussion, more so than integrity. Confidentiality is most often the primary concern of an
organization, with availability the countervailing requirement that places confidentiality most at risk.
Confidentiality has many sound practices, including limiting the proliferation of data, encrypting it and otherwise restricting
access. Pressure for availability has grown with the Internet and with the average employee’s use of multiple devices for data
processing: the modern employee might have a desktop, laptop, tablet PC and mobile handset.
One essential tool in your arsenal is Argent for Security. With Argent for Security, you can:
• Audit USB plug/unplug events
• Audit CD-ROM load/unload events
• Audit peripheral file creation, deletion, renaming and changes, along with tracking them against host devices
• Enter information directly into Windows event logs
• Create custom logic using WMI or PowerShell scripts
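The capabilities in that list, written out as a stand-alone host audit in Windows PowerShell. This is an added example for this white paper, not Argent for Security’s own code: it subscribes to the WMI volume-change event so USB mass storage and optical discs are logged on arrival and removal, attaches a FileSystemWatcher to each such volume to record file creation, deletion, renaming and changes, and writes every event to the Windows Application log. It assumes Windows PowerShell 5.1 (Register-WmiEvent is not available in PowerShell 7; Register-CimIndicationEvent is the equivalent there) and an elevated session so the event source can be registered. The source name “PeripheralAudit” and the event IDs 1000 to 1002 are hypothetical choices for this example.

```powershell
# Added example, not Argent for Security's code: host-based peripheral audit.
# Assumptions: Windows PowerShell 5.1, run elevated (New-EventLog needs it).
# 'PeripheralAudit' and event IDs 1000-1002 are hypothetical names for this example.

$AuditSource = 'PeripheralAudit'
if (-not [System.Diagnostics.EventLog]::SourceExists($AuditSource)) {
    New-EventLog -LogName Application -Source $AuditSource
}

# Functions live in the global scope so the event -Action blocks, which run
# outside this script's scope, can call them.
function global:Write-PeripheralAudit {
    param([int]$EventId, [string]$Message)
    Write-EventLog -LogName Application -Source 'PeripheralAudit' `
        -EventId $EventId -EntryType Warning -Message $Message
}

# One FileSystemWatcher per mounted removable/optical volume, keyed by drive letter.
$global:PeripheralWatchers = @{}

function global:Start-VolumeFileAudit {
    param([string]$Drive)   # e.g. 'E:'
    $fsw = New-Object System.IO.FileSystemWatcher -ArgumentList ($Drive + '\')
    $fsw.IncludeSubdirectories = $true
    $fsw.EnableRaisingEvents  = $true
    foreach ($change in 'Created', 'Deleted', 'Renamed', 'Changed') {
        # -MessageData carries the drive letter into the action as $Event.MessageData
        $null = Register-ObjectEvent -InputObject $fsw -EventName $change `
            -SourceIdentifier "PeripheralAudit-$Drive-$change" -MessageData $Drive -Action {
                $e   = $Event.SourceEventArgs
                $who = "$env:USERDOMAIN\$env:USERNAME"
                $detail = if ($e.ChangeType -eq 'Renamed') { "$($e.OldFullPath) -> $($e.FullPath)" } else { $e.FullPath }
                Write-PeripheralAudit -EventId 1002 `
                    -Message ("{0}: {1} on removable volume {2}: {3}" -f $who, $e.ChangeType, $Event.MessageData, $detail)
            }
    }
    $global:PeripheralWatchers[$Drive] = $fsw
}

function global:Stop-VolumeFileAudit {
    param([string]$Drive)
    $fsw = $global:PeripheralWatchers[$Drive]
    if ($null -eq $fsw) { return }
    $fsw.EnableRaisingEvents = $false
    foreach ($change in 'Created', 'Deleted', 'Renamed', 'Changed') {
        Unregister-Event -SourceIdentifier "PeripheralAudit-$Drive-$change" -ErrorAction SilentlyContinue
    }
    $fsw.Dispose()
    $global:PeripheralWatchers.Remove($Drive)
}

# Win32_VolumeChangeEvent fires on drive-letter media changes:
# EventType 2 = device arrival (USB stick plugged in, disc inserted), 3 = removal.
$null = Register-WmiEvent -Class Win32_VolumeChangeEvent `
    -SourceIdentifier 'PeripheralAudit-Volume' -Action {
        $e     = $Event.SourceEventArgs.NewEvent
        $drive = $e.DriveName
        $who   = "$env:USERDOMAIN\$env:USERNAME"
        switch ($e.EventType) {
            2 {
                # Win32_LogicalDisk.DriveType: 2 = removable disk, 5 = CD-ROM/DVD
                $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
                $kind = switch ($disk.DriveType) { 2 { 'USB/removable' } 5 { 'optical' } default { "type $($disk.DriveType)" } }
                Write-PeripheralAudit -EventId 1000 `
                    -Message "$who: $kind volume $drive arrived (label '$($disk.VolumeName)', $($disk.Size) bytes)"
                if ($disk.DriveType -in 2, 5) { Start-VolumeFileAudit -Drive $drive }
            }
            3 {
                Write-PeripheralAudit -EventId 1001 -Message "$who: volume $drive removed"
                Stop-VolumeFileAudit -Drive $drive
            }
        }
    }

# Keep the session alive; the event actions run on this session's event queue.
Write-Host "Auditing peripheral activity to the Application log as '$AuditSource'; Ctrl+C to stop."
while ($true) { $null = Wait-Event -Timeout 5 }
```

Two caveats a practitioner should know before relying on this. First, the user recorded is the account running the script, which is the interactive user only if the script runs in that user’s session; run as a service it would record the service account, so a deployment has to resolve the session owner instead. Second, the FileSystemWatcher sees writes to the drive letter, which covers USB mass storage and discs written with a live file system, but a mastered burn is assembled in a staging folder under the user’s profile and written to the disc in one pass by the burning application; to catch that case you watch the staging folder, or the burning application, rather than the optical drive.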
Why does it matter? Because if you think it does not, imagine how much it matters to the United States Government that the
200,000 leaked documents have become fodder for the civilized world for a period of months and likely years to come. All
accomplished by a single employee lip-synching to Lady Gaga while quietly violating policy and using a peripheral device to
obtain data to which he had no right, all the while under the visual scrutiny of peers. It boggles the mind that a single person
would be capable of so much damage to information security when the information itself resided on a supposedly secure
network with supposedly secure machines.
Lady Gaga and popular culture bring in peripheral challenges. For a song, a single soldier caused massive damage. Only change
is constant, and this is a telling example of the power of new products and services to challenge traditional information
security methods.
It is a cautionary tale and one that deserves the utmost attention, lest you think it cannot occur within your own organization.
Ask yourself this key question: which are you more confident about, that a server will not allow an
unauthenticated employee to access data, or that an employee will not leave the office with mission-critical
data in violation of a signed security policy?
It is foolhardy to create a Maginot Line when the enemy has parachutes; Patton’s dictum applies again. It is also foolhardy
to believe that firewalls and routers are a bigger threat than your own employees. Appropriate monitoring and data auditing are
your most powerful tools, as opposed to building a high wall designed to withstand a spear and cannon attack. Each threat is
more effective than the last, and you still have to have an entrance and exit, which will always be vulnerable.
Security technology needs an overhaul in light of modern threats. Enterprises are attempting to adjust to a world with iPads,
iPhones, Google laptops, and Android devices. Progress cannot be stopped and must be met with adaptability and flexibility.
Start now by auditing data and monitoring your environment effectively with Argent solutions, including Argent for Security.
With two decades of monitoring experience, Argent can have all your desktops and servers completely monitored in two or three
days, not months. And, in contrast to many vendors, Argent never charges for a Proof of Concept.
For more information and for a free Security Consultation with a trained Argent Security Engineer, please email
[email protected] or visit www.Argent.com.
Further Reading
www.wired.com/dangerroom/2009/12/not-just-drones-militants-can-snoop-on-most-us-warplanes
http://projects.washingtonpost.com/top-secret-america/articles/national-security-inc
http://projects.washingtonpost.com/top-secret-america/articles/a-hidden-world-growing-beyond-control
Note: ARB Intellectual Property Holdings Limited has created this document for informational purposes only. ARB Intellectual Property Holdings Limited makes no warranties,
express or implied, in this document. The information contained in this document is subject to change without notice. ARB Intellectual Property Holdings Limited shall not be
liable for any technical or editorial errors, or omissions contained in this document, nor for incidental, indirect or consequential damages resulting from the furnishing,
performance, or use of the material contained in this document, or the document itself. All views expressed are opinions of ARB Intellectual Property Holdings Limited. All
trademarks are the property of their respective owners.