This post is part of a series in which we pull security stories right from the headlines and discuss their relevance to the eight domains of the CISSP® exam.
Read our previous posts in this series:
- Name That Domain: Risk Management
- Name That Domain: Password Best Practices
- Name That Domain: The Internet of Hackable Things
Name That Domain: Top Secret NSA Leaks
The national saga over Russian election meddling continued this week with an explosive report, published by The Intercept on Monday. The report described a leaked top secret National Security Agency (NSA) document that provides a detailed account of Russian interference in the U.S. voting process, revealing the highly classified findings of a massive, ongoing intelligence investigation.
At the center of the story is the defense contractor responsible for the leak, who was arrested mere hours after The Intercept’s story hit the Web. Reality Leigh Winner, a 25-year-old Air Force linguist, fits the profile of the modern whistleblower: young, idealistic, and deeply embedded in the world of security. As in the cases of Chelsea Manning and Edward Snowden, a conversation about the ethics of spilling secrets to the press will likely surround the story. There’s a key difference, though, between previous leaks and this one: the manner in which Winner transmitted the documents to The Intercept.
Both Manning and Snowden were highly technical, using military-grade encryption to communicate securely with publishing websites and journalists. By comparison, Winner’s covert methods were far more primitive. According to the Department of Justice affidavit filed against Winner, she allegedly printed out the report using an NSA office printer, tri-folded the documents, and walked out of the secure facility. She then anonymously mailed the physical report to The Intercept. Records on her work computer revealed email communications with the news outlet.
Winner’s OpSec was shoddy at best. But what about the NSA’s? The CISSP exam has a lot to say about security controls, found in Domains 2 and 7.
Domain 2: Asset Security
Not all information is created equal. Government agencies and private companies know this, so both use a straightforward process to manage their data, built around a single question: if released, how much damage would it cause? The document in question, for example, was marked “Top Secret” – meaning that, if released, the information would cause exceptionally grave damage to U.S. national security.
Information is described as “Top Secret,” “Secret,” and “Confidential” a lot in action movies, but these labels dictate many things, such as who can review the data, as well as how it is handled, stored, protected, and destroyed. These labels are ultimately designed to ensure more stringent access controls are used to protect the most valuable and sensitive information. It comes as no surprise that the leaked report received the highest level of government and military classification, but what is surprising is how easily Winner was able to print and remove the document from the NSA facility in Georgia.
Domain 7: Security Operations
The NSA employs the most knowledgeable and security-conscious among us; however, greater attention to technical access controls would have prevented the recent leak. Data Leak/Loss Prevention (DLP) software uses data classification labels to monitor networks for suspicious activity. This type of software looks for keywords and patterns in data as it is accessed by personnel (Data in Use) or moves across the network (Data in Motion).
Based on the timeline of events we now know, Winner’s actions could have been detected and prevented at two points. First, Winner accessed a document that she did not need to perform her daily work tasks; despite holding a “Top Secret” security clearance, she did not have a “need to know.” When Winner attempted to access the report, her behavior could have been flagged or blocked by proper access controls. The second instance is a more egregious access control sin: Winner was able to print the document, despite it being marked as Top Secret. Proper DLP software could have communicated with the printer that the document was Top Secret, and thus not fit for printing.
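As an added illustration (not code from the original post), the two checkpoints described above modeled as a small DLP policy engine: a clearance check, a need-to-know check, and a print-channel ceiling. The users, compartments and document IDs are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Classification levels named on the page, ordered from least to most sensitive.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Document:
    doc_id: str
    classification: str
    compartment: str         # program a reader must have a need-to-know for

@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    need_to_know: frozenset  # compartments this user's daily duties require

def evaluate(user: User, doc: Document, action: str, print_ceiling: str = "Secret") -> list[str]:
    """Return DLP findings for one event; an empty list means the action is allowed.
    action is "read" (data in use) or "print" (data leaving the network)."""
    findings: list[str] = []
    # Check 1: the user's clearance must be at or above the label on the document.
    if LEVELS[user.clearance] < LEVELS[doc.classification]:
        findings.append(f"DENY {action}: clearance {user.clearance} is below {doc.classification}")
    # Check 2: need-to-know. A Top Secret clearance alone does not grant access.
    if doc.compartment not in user.need_to_know:
        findings.append(f"DENY {action}: no need-to-know for {doc.compartment}")
    # Check 3: the print channel has its own ceiling; labels above it never reach paper.
    if action == "print" and LEVELS[doc.classification] > LEVELS[print_ceiling]:
        findings.append(f"BLOCK print: {doc.classification} exceeds print ceiling {print_ceiling}")
    return findings

# Constructed sample data (not from the page): two reports, two cleared users.
REPORT = Document("RPT-0001", "Top Secret", "ELECTION-INTEL")
MEMO = Document("MEMO-0042", "Secret", "LANG-TRAINING")
LINGUIST = User("linguist", "Top Secret", frozenset({"LANG-TRAINING"}))
ANALYST = User("analyst", "Top Secret", frozenset({"ELECTION-INTEL", "LANG-TRAINING"}))

def demo() -> dict[str, list[str]]:
    """The two detection points the text describes, plus two legitimate actions."""
    return {
        "linguist_reads_report": evaluate(LINGUIST, REPORT, "read"),
        "linguist_prints_report": evaluate(LINGUIST, REPORT, "print"),
        "analyst_reads_report": evaluate(ANALYST, REPORT, "read"),
        "analyst_prints_memo": evaluate(ANALYST, MEMO, "print"),
    }
```

The linguist's read is flagged at the first checkpoint (no need-to-know) and the print is flagged again at the second (Top Secret above the print ceiling), while the analyst's legitimate actions pass cleanly.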
This case reminds security practitioners that audit data is only useful if someone acts on it. While these technical controls provided a trail of records for the NSA to follow and sped up the agency’s internal leak investigation, by that point the damage had already been done. Real-time monitoring is costly and difficult to automate, but it may be necessary to protect the most important government secrets.
Real World Implications
After earning your CISSP certification, it’s tempting to become a cybersecurity “backseat driver,” poking holes in security operations at the highest levels of government. But, if you’re preparing for the CISSP exam, this skill can be valuable! By making connections, the content becomes more relevant, useful, and easier to remember. Learn more about CyberVista’s CISSP prep course here.
[Photo source Facebook.com]