Archives
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
Categories
- Congress
- Defense
- General News
- Health
- Health IT
- Homeland Security
- IBM suspension
- Industry
- Info Security
- Intelligence
- International
- IT management
- Law
- OMB
- Oversight
- Policy
- Politics
- Privacy
- Procurement
- Program Management
- Project management
- Risk management
- Security
- Spending
- State and Local
- Technology
- Telecommunications
- Tip Thursday
- Virtual World
- Web
- White House
- Wireless
- Workplace
What's happening in the federal IT community
By Tuesday, March 11, 2008 | 9:23 AM
Most of us who have taught information security at one time or another have relied on the C-I-A mnemonic to help our students think of the multiple dimensions of information security. Confidentiality, Integrity and Availability are well understood to be the ways one should view the task of information protection.
But well over 90 percent of FedWorld dialogue about security of the U.S. government enterprise is about confidentiality – preventing unauthorized access to sensitive information – though the other two aspects are arguably more important.
The most common example of a confidentiality compromise is a hacker who “breaks in” a government Web site (often by exploiting a well-publicized and long-patched operating system or application vulnerability). If the hacker leaves a calling card by defacing the site, the event is quickly detected (even though no official information may have been “stolen”). But detecting unauthorized access without such obvious evidence requires lots of expensive hard work – protecting the integrity and availability of various logs, making sure log servers are always running when log events must be recorded, analyzing every log every day for anomalous events, and storing log data in unalterable form for long times. How much federal guidance is provided on the question of protecting log servers and log data, versus, for example, laptop encryption?
I submit that the more serious threats to agency data and mission seldom involve a bad guy trying to break in, but more mundane events like failure of a device that corrupts data while being written to disk (undetected by the application, OS, or drive electronics), the power failure that blows out a router, the user who loses her purse with her written password in it, and so forth. Please note that protecting against these non-exploit vulnerabilities requires some pretty substantial outlays.
Seems to me that FedWorld doesn’t worry enough about compromises that – intentionally or not -- involve corrupting non-confidential information (with or without “stealing” it). For example, if a Commerce Department Web site or network were compromised (intentionally or not) and the event changed data in a public economic report, the effect on agency credibility could far exceed the effects of leaving some agency personnel records in a taxi ... especially if the changed data were detected not by Commerce, but by the Wall Street Journal.
Information and mission assurance requires FedWorld residents to think about and act on all three aspects of operational and information security reflected in the CIA acronym.