Loose (Data) Sinks Ships — OpSec for the Information Age

More than a year ago I attended an on-line seminar for businesses that do business with federal agencies. The speaker, in a refrain now heard quite often, said: “There are two types of businesses; those who have been hacked by the Chinese and those that don’t know they have been hacked by the Chinese.” While there is a bit of hyperbole in that statement, it does make a valid point: all data with which we work in this new interconnected age of the internet and social media is vulnerable to being exposed to those who do not have a need to know, if we don’t institute the right countermeasures.

And the issue isn’t just related to Chinese ambitions, though their efforts are significant.  For example, the semi-autonomous Red Hacker Alliance consists of a hacking army of at least 300,000 members.  Plus there are other state actors, terrorist organizations, and other equally dangerous threats among the run-of-the-mill identity and information theft hacking community.

Exhibit one along these lines has been floating in the news for a few weeks now and is the hacking of the servers at the Democratic National Committee by Russia.  Exhibit two is the hacking of election databases in Illinois and Arizona by the same hackers.

The infrastructure built around the cult of personality of Vladimir Putin in disrupting the political and international institutions that he views as a threat to his rule and international ambitions is both well documented and expansive. For some time now Russia has been clandestinely funding extreme parties in Europe as part of its project to undermine faith in self-government and democracy there. It is now clear that he has set his sights on the United States electoral process as well.

With assistance from Fifth Columnists like alleged rapist Julian Assange of Wikileaks, who is still hiding out from Swedish due process in the Ecuadorian Embassy awaiting the statute of limitations to run out, Russian hackers have been selectively releasing e-mails, most mundane (John Podesta’s risotto recipe anyone?), but some embarrassing when removed from context, over the course of the current presidential campaign.

But this is headline news. For those of us in the information management and software industry, what we should know is that just about anything is fair game to hackers beyond the sport of manipulating democracy, due process, and the free world, including privileged, proprietary, competition sensitive, and classified information. Any system without a robust physical firewall or strategic areas that have an air gap from the network is vulnerable to hacking. The infamous Chinese hack of the Office of Personnel Management (OPM) demonstrates this clearly, even on what ostensibly appear to be the most secure data repositories.

So what does this tell us?

First, that data streams and data lakes must be reduced so that, aside from the economic benefits, data and information found in those repositories can be traced, categorized, and properly compartmentalized.  This suggestion does not preclude redundant backup systems to eliminate the danger of destruction, but it does keep bits of intelligence from being collected from different, ostensibly unrelated, sources.

Second, that the golden age of putting everything in the Cloud was a bad idea from the start. I would go as far as to say that most hosted applications, but especially HTML-based ones, at this point have so many security vulnerabilities, regardless of the assurances of software publishers and companies, that industry and government consumers should avoid them for their most sensitive data. The criterion for the type of data this entails is that a breach of it would render the system or project completely compromised and represent an existential threat to the organization, or to the national security of the United States, or to its allies.

Third, computer hardware devices should have the same restrictions that we apply to access of data by individuals.  If the device does not support a need to know, then that device should be restricted from certain data.  Data networks should employ encryption, and using a VPN when accessing the internet or working remotely will help to provide a secure connection.

Fourth, where interfaces with the internet are integral to business operations, such as e-mail and data sharing, a minimum of 256-bit encryption should be deployed in transit and storage of communications and data. Furthermore, two-step login authentication, user login salting and hashing, and other measures will also reduce the value of any hack if it occurs. For example, the data from the 2012 DropBox hack, which only became completely known last month, was auctioned on the Dark Web at only two bitcoins, because these very measures instituted by the company had rendered the user information almost valueless.
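To make the salting-and-hashing point concrete, here is an added example (not from the original post) that stores passwords as per-user salted PBKDF2-HMAC-SHA256 records and contrasts them with unsalted SHA-256. The algorithm choice, iteration count, record format and sample users are assumptions made for illustration; the post does not say which scheme DropBox used.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16

def hash_password(password: str) -> str:
    """Return a storable record: scheme$iterations$salt$digest."""
    salt = secrets.token_bytes(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt; reject malformed records."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

def unsalted_sha256(password: str) -> str:
    """The weak baseline: fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def compare_storage(users: dict) -> tuple:
    """Count distinct stored values under each scheme for the same users."""
    weak = {unsalted_sha256(pw) for pw in users.values()}
    strong = {hash_password(pw) for pw in users.values()}
    return len(weak), len(strong)

# Constructed sample accounts; two users share a password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}

if __name__ == "__main__":
    weak, strong = compare_storage(SAMPLE_USERS)
    print(f"distinct unsalted hashes: {weak}, distinct salted records: {strong}")
```

In a stolen table of unsalted hashes, one recovered password unlocks every account that shares it; with per-user salts and a slow key-derivation function, each record has to be attacked separately.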

I would consider these four measures the bare minimum. Note, however, that if a state-sanctioned actor is involved, the chances are that they are going to employ several methods to obtain your data. The most reasonable approach to take is to invoke the maxim from the Second World War that “Loose Lips Sink Ships”. Simply don’t volunteer operational information regarding your company, organization, or agency to those without a need to know.
