funsec mailing list archives

Re: [Fwd: RE: Pentagon Hit by Unprecedented Cyber Attack]


From: Jon Kibler <Jon.Kibler () aset com>
Date: Fri, 21 Nov 2008 08:45:35 -0500

Valdis.Kletnieks () vt edu wrote:

> I was under the impression that at some of the nuclear weapons research sites,
> *all* media was removable, so that when you were done working with it, it
> was possible to unplug/remove the drive and put it back in the safe.
> And in fact, Los Alamos got raked over the coals recently when they had to
> admit that some of the drives didn't make it back into the safe.

Nuke sites are DoE, not DoD. :)

In this and similar cases of 'removable HDDs', the objective is to store
the 'system' in a vault. Before the days where the entire HDD was easy
to remove and lock up in a vault, you literally had to unplug the
computer case every day and haul the entire thing to the vault to be
locked up.

I consider that type of 'removable HDD' to be an entirely different and
totally unrelated issue. I am sure that this type of removable is not
covered by the reported ban on removable media. After all, in this case
you are securing the entire system, not introducing additional media to
a system.


> I'm looking at DoD 5220.22-M (Feb 2006 version), and I see on page 8-3-1:
>
> "C. Applicability of Logon Authentication. In some cases, it may not be
> necessary to use IS security controls as logon authenticators. In the case of
> stand alone workstations, or small local area networks, physical security
> controls and personnel security controls may suffice. For example, if the
> following conditions are met, it may not be necessary for the IS to have a
> logon and password:
>
>     (1) The workstation does not have a permanent (internal) hard drive,
>     and the removable hard drive and other associated storage media are
>     stored in an approved security container when not in use."
>
> Hmm... so that's saying that a workstation can be on a (presumably) classified
> network, and *NOT EVEN NEED A FRIKKING PASSWORD*, if it has *ONLY* removable
> media (and a few other requirements I didn't quote).  Of course, 5220.22-M
> is the set of rules that applies to DoD *contractors* - if you have a pointer
> to a *different* rule that applies directly to DoD networks, feel free to share.


I don't really have a problem with this case. Why? Several reasons:
  1) To get physical access to the device, you have to prove you have
an adequate security clearance, you have to prove a 'need to know',
and you have to prove authorization.
  2) Usually in this type of situation, access to these devices is never
by a single individual. Almost always at least two people must be
present and quite often it is three -- and often all three must agree on
every action taken on the system.
  3) In a lot of these cases, the HDD would be for a real-time device
(such as a radar console) where you do not have authentication /
authorization. Physical access to the device is your authentication and
authorization.
  4) The physical security controls in most of these environments are
extreme. I have been places before where I have had to have three armed
guards accompany me everywhere, even including into the head to take a
leak! (Which was REAL interesting the day I had 3 female guards!)

Jon K
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
