
Are You Safe From Lady Gaga?

Trade Secret of ARB Intellectual Property Holdings Limited. Proprietary Information.

Executive Summary

Is Lady Gaga a danger to your information? Does the song “Telephone” put your IT at risk?

Data originates either from employee entry or from the manipulation of existing data. A recent estimate puts the world's stock of data at over 281 exabytes (an exabyte is one billion gigabytes), or about 2.81 × 10^20 bytes.

According to Wikipedia, information security involves “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.”

The cost of an information security breach can be catastrophic. There are myriad kinds of breach, and each can cause both primary and secondary damage. For example, information that is leaked, as will be covered later, continues to cause damage with every secondary viewing, not to mention the loss of confidence in the information source.

There are no accurate estimates of the damage caused by information security breaches, because many organizations try to hide this embarrassing information. Occasionally there are headlines about a breach of credit card data and the publication of that data in the public domain. At other times, hackers compromise data to protest, to demonstrate the vulnerability of protected systems, or simply to make a buck. And sometimes hackers are your least concern; your most serious risks are much closer to home: your trusted employees.

Information security rests primarily upon three tenets: the triad of confidentiality, integrity and availability.

Argent for Security is designed to assist the modern enterprise with information security. This white paper covers the principal triad of confidentiality, integrity and availability in light of the ability of Argent for Security to help prevent information security breaches. Our assertion is that your greatest risk is on your payroll, and that peripheral devices, principally flash drives and DVD/CD-ROMs, carry tremendous risk because they let a malcontent employee capture and proliferate secure information and so cause permanent, systemic damage; in the worst case you file for Chapter 11.

This white paper is written for the technical manager and technical executive. There are concrete recommendations for further study at the end of this white paper.


Introduction

A peripheral is any device attached to a computing device that is not part of the core computing device itself, such as the CPU or main storage. Peripherals abound for uses ranging from the storage of multimedia to the augmentation of visual displays. In many cases, peripherals can persist data in onboard memory.

Information security, as mentioned previously, covers three basic concepts: confidentiality, integrity, and availability. Each concept is balanced against the others, and peripherals play a key role within the framework. For reasons that shall be seen, they are particularly vulnerable to breach and therefore require extra protection.

Julius Caesar used the Caesar cipher in approximately 50 B.C. His intention was to prevent enemies of Rome (or perhaps even friends outside the military) from reading confidential dispatches intended for his generals. Caesar was aware that messages would travel long distances “in the clear” and so were subject to interception and capture. If a courier was captured, the basic encryption preserved confidentiality, while the message remained readable to the intended recipient, who knew the shift. (By modern standards the cipher is no protection at all: there are only 25 possible shifts, so a captured message can be read by trying each of them.)

As the modern enterprise adopted the computer, confidential information began to be digitized and stored. In the 1950s, a simple method of protecting data was to store all of it in a single location and then control access to that location. The term “server closet” came, in certain cases, to signify the isolation of data to prevent a security breach.

From the 1950s through the 1970s, data storage and generation were prohibitively expensive and thus much simpler to protect, generally in a glass-walled central computer room where physical security was all that was needed. Storage devices could not fit into one’s pockets: a state-of-the-art 100 megabyte IBM 3330 disk pack was the size of 15 jumbo pizza boxes glued together. If information required protection, businesses and government focused more on security clearance applications and the surveillance of personnel for potential breaches. Human memory was one of the key tools for violating information security protocols, or, in certain cases, a small camera for photographing secure documents.

In the 1980s, two innovations altered information security requirements. First, networked access to information turned data protection on its head: critical confidential information migrated out of the glassed-in mainframe behemoth. Now information could be stolen or compromised at any terminal or client machine with the ability to download or transfer sensitive information, whether to another room or another country. Second, peripherals became smaller while their capacity increased.


Now peripherals could fit inside one’s pocket and store whatever data could be transferred from a secure system. Many enterprises deployed diskless workstations to prevent information compromise, but at the same time many provided no protection at all. And peripherals began to magnify the damage of a single breach, since they could hold an extensive amount of information, not only text but also video and audio.

As a result of these two developments, many new threats have emerged in terms of confidentiality, integrity and availability. A recent example illustrates why products like Argent for Security are essential for all enterprises.


Lady Gaga And The Big Breach

If a computing system, of any size or type, allows peripheral connections, there are inherent risks. In information security, peripheral storage helped to generate the largest breach of confidential information in history. Here’s how.

SIPRNet is a private, classified network in use throughout the U.S. Department of Defense. It is implemented as a physically separate network to help make it more secure, and it carries information classified up to Secret (Top Secret material is handled on a separate network). It is supposedly monitored much more extensively than unclassified networks, and only personnel with the appropriate clearance are allowed access. For a sense of how large the cleared population is, the Washington Post counted 854,000 holders of Top Secret clearances in 2010; the total population of Washington D.C. is 600,000.

The Department of Defense employed extensive protective measures around personnel and systems to maintain the confidentiality of information. Billions of dollars have been spent building and extending the network to bases globally, including both public and private government facilities.

Unfortunately, many workstations connected to SIPRNet had peripheral access, including writable optical drives. And so one person with access to the network was able to imitate a casual employee listening to music while filling CDs with classified data, CDs whose contents were eventually leaked to WikiLeaks and ultimately to the public. The fallout is continuing, and it has led to massive global upheaval for the U.S. Department of State, among other government organizations.

How was one person able to cause such a phenomenal breach? Simply by lip-syncing and thus convincing fallible personnel that he was only listening to music. Ironically, if the military had used Argent for Security, they would have been able to monitor file creation, deletion, renaming and other changes on the CD device. Argent for Security would have been able to alert security personnel within 90 seconds of the start of the breach (remember, burning these “Lady Gaga” CDs took many hours), which is useful only if the alert reaches someone with the authority and the mandate to act on it.

The person who did this clearly had a plan: he decided he would use popular music to abscond with government secrets. In Iraq, it’s said, he donned a pair of headphones, carried a CD emblazoned with the image of Lady Gaga, and went nonchalantly in to work. Then he plopped in the CD, pretended to listen to songs like “Telephone” and, while lip-syncing, stole government secrets by burning them onto his CDs.


Why then would the world’s largest military fail to employ basic monitoring in support of information security? This is an interesting question. Certainly information confidentiality was supported by the very design of SIPRNet: the separate network allowed a certain level of transport security.

Apparently the military felt that visual monitoring could be effective, but visual monitoring was fallible and missed the actual machine activity. Typically, large government agencies suffer from an explosive mixture of hubris and bureaucracy. And this is true of large government agencies in any country; the U.S. is not unique.

Another example is the failure to encrypt the video feeds from airborne drones and indeed most U.S. military aircraft; “we thought the terrorists would not have this level of sophistication…” was the gist of the official explanation. ROVER proved to be a mutt (see the hyperlink at the end of this white paper for details).

As a result of this fallibility, over 200,000 files, many of them classified, were copied and then exposed. Stunningly, if the person apparently responsible for the breach had not boasted to another individual in an online chat, the identity of the perpetrator might have remained a mystery. Careful monitoring of all peripheral usage is an essential part of the information security framework.

It took one person with a set of rewritable CDs to alter the course of information security in the U.S. Government. There can be no denying that information security for peripherals is absolutely critical. In this case, the breach might actually cost lives.

In a less terrifying example, what happens when someone inserts a USB drive into a USB port and copies corporate trade secrets just before resigning or being fired? In many cases this breach goes undetected without proper monitoring. All that would be seen is that the competition suddenly became more competitive; sure, now they know your pricing, plans, designs, proposals, new products, and compensation plans.

“Lady Gaga” CDs were the method, but the everyday habit of listening to music at one’s desk provided the opportunity, and peripherals provided the means for the soldier to copy and steal. While the availability of peripherals can sometimes be restricted, there are times when it cannot be. This leads to a discussion of the benefits and disadvantages of host-based security solutions.


Parasites Love Hosts

Every host is subject to parasites. A host in the computing world can be any device with computing capability, from a server to a desktop to a laptop. Host-based security is mandatory in any environment seeking to protect confidential data.

Argent for Security can monitor host-based events such as the plugging in and unplugging of a USB device and the loading and unloading of CD-ROM media. As such, it is an essential tool for any host environment. At the same time, there are also some common-sense steps that any enterprise should take today but that are generally ignored.

Imagine that there is an outbreak of a parasitic virus. If it can find new hosts, it attaches itself to them and performs a specific function: extracting and transmitting sensitive data. What can it do if there is no sensitive data to extract? Its presence is then, by definition, benign. If it has no ability to extract the data, there is an opportunity to identify and eliminate it at no cost.

Many organizations approach the problem by spending exorbitant amounts on protecting every single host in every location. Then a salesperson comes along, downloads data to their iPhone in 10 minutes, and single-handedly compromises the entire paradigm. They go to a client site and transmit the data via Bluetooth to a competitor.

How is that possible?

Very simply, is the sad answer.

How is it that a single person can defeat an entire security practice? Because the data is the value, and the information security approach is systemic rather than focused on the data itself.

In the example of SIPRNet, the fundamental issue was that a single individual had access to a massive amount of information that was not relevant to his function. The network served an enormous population of cleared users (for scale, the Washington Post's count of Top Secret clearance holders alone was 854,000, against a Washington D.C. population of 600,000), and the data was present for, and available for transfer to, any authenticated user. Much like a traitor inside the city walls, one person simply opened the castle gates and threw the critical information directly to the enemy. In fact, there were so many copies of the data inside the castle walls that his usage of it went unmonitored and unnoticed.


Information security experts often view the problem as one of having just enough monitors, as opposed to restricting the actual data to a manageable number of locations. If you have a thousand mobile devices to monitor, how can you be certain that none will be left behind at a bar, as an iPhone 4 prototype was in 2010, leaking the design before release?

Laptops and mobile devices routinely travel outside the enterprise castle. They travel along open routes and are very difficult to manage. There are strategies for locking them down, but one of the best strategies is information gathering rather than lockdown.

Argent for Security follows that best practice: it tracks usage and alerts on anomalies immediately. Give the information security team an opportunity to assess the threat, as opposed to counting on the castle wall to hold when it is opened from the inside.


Information Security Walls Can Always Be Breached More Easily From The Inside

Many organizations take the approach that the best method of preventing data compromise is controlling external access to, and usage of, a host and its peripheral devices. If you build a wall high enough, it cannot be breached. Unfortunately, this strategy falls flat so commonly that it is nearly a punch-line at industry parties, or, as General Patton put it: “fixed fortifications are monuments to the stupidity of man.”

For example, Sony BMG invested heavily in copy protection for its audio CDs in the mid-2000s. The XCP software it shipped in 2005 installed a rootkit that hid files from Windows, and other malware soon used the same cloaking to hide itself, so the protection actually made Windows systems easier to compromise. And because it depended on Windows autorun to install, the simple way to defeat it was to hold down the Shift key while inserting the CD.

The music industry has been far more successful with other strategies, such as licensing to iTunes, streaming rather than downloading, and legal action against P2P systems like Napster. It is far easier to detect a breach by watching the flow of information than to prevent it in the first place. There are many more examples.

Argent for Security has the right philosophy: report and immediately alert on suspicious activity. This proves far more effective than steps that simply attempt to build firewalls that can be spoofed and breached. Organizations build firewalls, and then an employee takes very expensive confidential data home and leaves their laptop on a train; in a recent case, an employee of a government agency in Australia left a memory stick on a bus.

A different example altogether is that of the Mafia in the United States. For decades, federal, state and local governments all passed laws making many of the Mafia's activities illegal. And yet the activities continued. Silence was bought and paid for, and information was difficult to obtain. What finally gave governments the ability to prevail was a series of informants, people who would take confidential data and transmit it outside the walls of the Mafia castle. The most damaging breach of confidential information comes from within the confidential environment.


Profiling is Safe and Beneficial and Essential

Society abhors certain types of social profiling as the first step to Orwell’s 1984. However, data profiling is benign and essential.

What exactly is data profiling? Data profiling is simply the analysis and identification of patterns according to a defined rule. In the case of Argent for Security, data profiling means custom logic written as WMI queries or PowerShell scripts.

Data profiling results in the identification of patterns. For example, an employee might appear to be printing to a device that is in fact a Linux server rather than a printer. This pattern should raise flags and result in further investigation.
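The host events described under Parasites Love Hosts (USB plug and unplug, CD load and unload) and the custom WMI or PowerShell logic mentioned above can be shown concretely. The following is an added example written for this page, not Argent code. It assumes Windows PowerShell 5.1 or later, an elevated session the first time it runs (so that the event-log source can be registered), and the standard Win32_VolumeChangeEvent WMI class, in which EventType 2 is device arrival and 3 is device removal. The source name “PeripheralAudit”, the event IDs 1001 to 1003 and the function names are all chosen here and belong to no product.

```powershell
# Added example for this page, not Argent code. Subscribes to WMI volume
# arrival/removal events and, for each removable or optical volume that
# appears, attaches a FileSystemWatcher so that file creation, deletion,
# renaming and changes on that volume are written to the Application log.
# Assumed names: the source 'PeripheralAudit' and event IDs 1001-1003 are
# chosen here; they are not part of any product.

$Source = 'PeripheralAudit'
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source   # needs admin once
}

# Watchers are kept in a global table so the removal handler can dispose them.
$global:PeripheralWatchers = @{}

# Event -Action blocks run in their own scope with the global scope as parent,
# so the helpers are declared global to be reachable from inside them.
function global:Register-VolumeFileWatcher {
    param([string]$Drive)   # e.g. 'E:'
    $fsw = New-Object System.IO.FileSystemWatcher -ArgumentList "${Drive}\", '*'
    $fsw.IncludeSubdirectories = $true
    $fsw.EnableRaisingEvents = $true
    $global:PeripheralWatchers[$Drive] = $fsw
    foreach ($kind in 'Created', 'Deleted', 'Renamed', 'Changed') {
        Register-ObjectEvent -InputObject $fsw -EventName $kind `
            -SourceIdentifier "FS_${Drive}_$kind" -Action {
                $a = $Event.SourceEventArgs
                $msg = "$($Event.SourceIdentifier) $($a.FullPath) user=$env:USERNAME"
                if ($a -is [System.IO.RenamedEventArgs]) { $msg += " (was $($a.OldFullPath))" }
                Write-EventLog -LogName Application -Source 'PeripheralAudit' `
                    -EventId 1002 -EntryType Warning -Message $msg
            } | Out-Null
    }
}

function global:Unregister-VolumeFileWatcher {
    param([string]$Drive)
    Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like "FS_${Drive}_*" } |
        Unregister-Event
    if ($global:PeripheralWatchers.ContainsKey($Drive)) {
        $global:PeripheralWatchers[$Drive].Dispose()
        $global:PeripheralWatchers.Remove($Drive)
    }
}

# EventType 2 = device arrival, 3 = device removal; DriveName is the letter.
$query = 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2 OR EventType = 3'
Register-WmiEvent -Query $query -SourceIdentifier 'VolumeChange' -Action {
    $e = $Event.SourceEventArgs.NewEvent
    $drive = $e.DriveName
    if ($e.EventType -eq 2) {
        # Win32_LogicalDisk.DriveType: 2 = removable disk, 5 = CD/DVD.
        $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
        Write-EventLog -LogName Application -Source 'PeripheralAudit' -EventId 1001 `
            -EntryType Warning -Message "Volume arrived: $drive type=$($disk.DriveType) user=$env:USERNAME"
        if ($disk.DriveType -in @(2, 5)) { Register-VolumeFileWatcher -Drive $drive }
    } else {
        Write-EventLog -LogName Application -Source 'PeripheralAudit' -EventId 1003 `
            -EntryType Warning -Message "Volume removed: $drive user=$env:USERNAME"
        Unregister-VolumeFileWatcher -Drive $drive
    }
} | Out-Null

# Keep the session alive so the subscriptions keep firing; Ctrl+C to stop.
try { while ($true) { Wait-Event -Timeout 5 | Out-Null } }
finally { Unregister-Event -SourceIdentifier 'VolumeChange' }
```

Optical media is the hard case, and the one in the story. A mastered (ISO) burn does not show up as file creations on the drive letter until the session is closed, and Windows' own burning wizard first stages the files in the per-user folder that [Environment]::GetFolderPath('CDBurning') resolves to; so for CD drives the arrival event plus a watcher on that staging folder catches more than a watcher on the drive itself. The flat entries this writes are also what the correlation in the logs section later on depends on: each one carries who, which host, which device, what happened and when.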

Viruses have a profile. As in differential diagnosis in medicine, every virus has a unique signature, and profiling can identify a potential infection. Medical analogies apply throughout information security practice because viruses in a human population and in a population of computers propagate in strikingly similar ways; compare the 1918 “Spanish” flu with Nimda (“admin” spelled backwards).

Back in the 1980s, a hacker in upstate New York used a university library account to spoof their identity and then perform various hacking functions, because the library was trusted within the university's own network. The library was trusted, but the hacker's behavior carried a signature that allowed rapid identification and intrusion detection; data profiling would have detected this before the damage was done.

The Internet is now the heart of most companies. But the Internet brings a multitude of threats, and they cannot all be mitigated by access control alone. Data auditing is central to answering the Five Ws: Who, What, When, Where, and Why.

After a crime is committed, the authorities have only forensic investigation at their disposal. They can ask what happened, but they rely on patterns and evidence to lead them to an explanation. Environmental recordings and people’s memories are the primary tools the investigator uses to piece together what happened.


“Trust But Verify” – Trust Your Logs, Not Your Policies

Policy and procedure are the Linus blanket of many companies: they give a warm feeling but marginal real benefit. Training employees on how to protect data and report breaches is better than having no policy. At the same time, while an employee might violate policy, an application will not (unless it has been hijacked).

In contrast to Linus’s blanket, your computer logs are honest and impartial, cold and analytical. Argent for Security writes directly to your servers’ logs with precise and specific details of information access and usage. Those logs report what employees sometimes do not: that they downloaded or copied information in violation of policy.

The soldier in the WikiLeaks case was most assuredly aware that policy forbade his activities. But the log entries apparently did not record his precise activities. The consequence of relying on policies and procedures in this case was absolutely devastating.

Trust is sometimes misplaced, and not for obvious reasons. For example, an executive secretary might fall ill and take home sensitive correspondence, in violation of company policy, and not disclose this for fear of reprimand or dismissal. The human conscience overrides policy in numerous cases. A log entry recording the transfer, made by Argent for Security, would let the information security team intervene, or at least protect the executive secretary by giving them extra support. Whatever the remedy, it is not possible if no one knows about the breach of policy.

The old line “Hell Hath No Fury Like A Woman Scorned” (Congreve, 1697) can be modernized as “Hell Hath No Fury Like An Ex-Employee Scorned.” At any given time there might be policy breaches for any number of reasons, and very few of those reasons involve compliance with policy. Once again, however, logs store precious information that can immediately alert the information security team.

Logs permit identifying correlations, trends and predictors, and these are tools that make your data secure. For example, log entries might show that a number of flash drives are being used to copy data from laptops onto desktop systems. This might be a predictor that there are problems with data transfer within the network, or that remote employees are using both laptops and desktops in a way that compromises data. Either way, the log entries assist in your long-range information security planning.
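The correlation described here, as an added example written for this page rather than Argent's own logic: it takes constructed audit records of the kind a peripheral monitor would write (the CSV rows, field names, user names, hosts and the default threshold of 20 writes per hour are all invented for illustration) and flags the pattern in the Lady Gaga story, namely many files written to one removable medium in a short window, or writes outside business hours.

```powershell
# Added example for this page, not Argent code. Correlates constructed audit
# records (the kind a peripheral monitor writes to the event log) to flag
# users who copy many files to removable media in a short window or after
# hours. Field names, rows and thresholds are invented for illustration.

$SampleAuditLog = @'
Time,User,Host,Device,Action,Path
2010-04-12T09:02:11,alice,WS-114,USB:E,Created,E:\q1-forecast.xlsx
2010-04-12T11:40:05,alice,WS-114,USB:E,Created,E:\slides.pptx
2010-04-12T11:41:30,alice,WS-114,USB:E,Deleted,E:\slides.pptx
2010-04-12T16:15:47,alice,WS-114,USB:E,Created,E:\notes.txt
2010-04-12T22:03:10,bob,WS-207,CD:D,Created,D:\cables\cable-0001.txt
2010-04-12T22:03:41,bob,WS-207,CD:D,Created,D:\cables\cable-0002.txt
2010-04-12T22:04:12,bob,WS-207,CD:D,Created,D:\cables\cable-0003.txt
2010-04-12T22:04:43,bob,WS-207,CD:D,Created,D:\cables\cable-0004.txt
2010-04-12T22:05:14,bob,WS-207,CD:D,Created,D:\cables\cable-0005.txt
2010-04-12T22:05:45,bob,WS-207,CD:D,Created,D:\cables\cable-0006.txt
2010-04-12T22:06:16,bob,WS-207,CD:D,Created,D:\cables\cable-0007.txt
2010-04-12T22:06:47,bob,WS-207,CD:D,Created,D:\cables\cable-0008.txt
2010-04-12T23:10:00,carol,LT-031,USB:F,Renamed,F:\pricing-2011.xlsx
'@

function Find-RemovableMediaBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # rows from ConvertFrom-Csv
        [int] $Threshold = 20,                        # writes per window before alerting
        [timespan] $Window = [timespan]::FromMinutes(60),
        [int] $DayStartHour = 7,                      # business hours, assumed
        [int] $DayEndHour = 19
    )
    # Only writes count: Created and Renamed put new content on the medium.
    $Records |
        Where-Object { $_.Action -in @('Created', 'Renamed') } |
        Group-Object -Property User, Device |
        ForEach-Object {
            $events = @($_.Group | Sort-Object { [datetime]$_.Time })
            $times  = @($events | ForEach-Object { [datetime]$_.Time })
            # Sliding window: the largest number of writes inside any $Window.
            $peak = 0; $peakStart = $null
            for ($i = 0; $i -lt $times.Count; $i++) {
                $j = $i
                while (($j -lt $times.Count) -and (($times[$j] - $times[$i]) -le $Window)) { $j++ }
                if (($j - $i) -gt $peak) { $peak = $j - $i; $peakStart = $times[$i] }
            }
            $afterHours = @($times | Where-Object { $_.Hour -lt $DayStartHour -or $_.Hour -ge $DayEndHour }).Count
            [pscustomobject]@{
                User               = $events[0].User
                Host               = $events[0].Host
                Device             = $events[0].Device
                Writes             = $times.Count
                PeakWritesInWindow = $peak
                WindowStart        = $peakStart
                AfterHoursWrites   = $afterHours
                Alert              = ($peak -ge $Threshold) -or ($afterHours -gt 0)
            }
        }
}

# With the sample rows, a threshold of 5 flags bob (8 writes in under four
# minutes, all after hours) and carol (one after-hours write); alice is not flagged.
Find-RemovableMediaBursts -Records ($SampleAuditLog | ConvertFrom-Csv) -Threshold 5 |
    Format-Table -AutoSize
```

The particular thresholds are not the point; any real deployment tunes them against its own baseline. The point is that the correlation can only exist if the fields it needs (who, which host, which device, what action, when) are already in the log. A monitor that records only “device inserted” cannot tell bob's burn from alice's forecast spreadsheet.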


You need lots of arrows in your quiver; relying on a single set of prevention tools is not ideal. A castle with secure walls will be assessed, and eventually the enemy will figure out that they don’t have to invade, only encircle it and capture anyone going in or out. Eventually the castle will fall. Building a monolithic defense is not going to solve the list of long-term threats. Threats adapt and modify themselves over time. Vigilant awareness of potential threats will always be the superior practice.


Conclusion

Security of your information is a triad balancing confidentiality, integrity and availability. The vertices of confidentiality and availability have been the focus of our discussion, more so than integrity. Confidentiality is most often the primary concern of an organization, with availability the countervailing requirement that places confidentiality most at risk.

Confidentiality has many sound practices, including limiting the proliferation of data, encrypting it and otherwise restricting access. Availability has become far more common with the Internet and the ability of an average employee to use multiple devices for data processing. The modern employee might have a desktop, laptop, tablet PC and mobile handset.

One essential tool in your arsenal is Argent for Security. With Argent for Security, you can:

• Audit USB plug/unplug events

• Audit CD-ROM load/unload events

• Audit peripheral file creation, deletion, renaming and changes, along with tracking them against host devices

• Enter information directly into Windows event logs

• Create custom logic using WMI or PowerShell scripts

Why does it matter? Because if you think it does not, imagine how much it matters to the United States Government that the 200,000 leaked documents have become fodder for the civilized world for months and likely years to come. All accomplished by a single employee lip-syncing to Lady Gaga while quietly violating policy and using a peripheral device to obtain data he was authorized to reach but had no need for, all the while under the visual scrutiny of peers. It boggles the mind that a single person could do so much damage to information security when the information itself resided on a supposedly secure network with supposedly secure machines.

Lady Gaga and popular culture bring peripheral challenges with them. For a song, a single soldier caused massive damage. Only Change Is Constant; it’s a telling example of the power of new products and services to challenge traditional information security methods.


It is a cautionary tale and one that deserves the utmost attention, lest you think it cannot occur within your own organization.

Ask yourself this key question: which are you more confident about, that a server will not allow an unauthenticated employee to access data, or that an employee will not leave the office with mission-critical data in violation of a signed security policy?

It is foolhardy to build a Maginot line when the enemy has parachutes; Patton’s dictum applies again. It is also foolhardy to believe that firewalls and routers are a bigger threat than your own employees. Appropriate monitoring and data auditing are your most powerful tools, as opposed to building a high wall designed to withstand spears and cannon. Each threat is more effective than the last, and you still have to have a vulnerable entrance and exit.

Security technology needs an overhaul in light of modern threats. Enterprises are attempting to adjust to a world with iPads, iPhones, Google laptops, and Android devices. Progress cannot be stopped and must be met with adaptability and flexibility.

Start now by auditing data and monitoring your environment effectively with Argent solutions, including Argent for Security. With two decades of monitoring experience, Argent can have all your desktops and servers completely monitored in two or three days, not months. And, in contrast to many vendors, Argent never charges for a Proof of Concept.

For more information and for a free Security Consultation with a trained Argent Security Engineer, please email [email protected] or visit www.Argent.com.

Further Reading

www.wired.com/dangerroom/2009/12/not-just-drones-militants-can-snoop-on-most-us-warplanes

http://projects.washingtonpost.com/top-secret-america/articles/national-security-inc

http://projects.washingtonpost.com/top-secret-america/articles/a-hidden-world-growing-beyond-control

Note: ARB Intellectual Property Holdings Limited has created this document for informational purposes only. ARB Intellectual Property Holdings Limited makes no warranties, express or implied, in this document. The information contained in this document is subject to change without notice. ARB Intellectual Property Holdings Limited shall not be liable for any technical or editorial errors, or omissions contained in this document, nor for incidental, indirect or consequential damages resulting from the furnishing, performance, or use of the material contained in this document, or the document itself. All views expressed are opinions of ARB Intellectual Property Holdings Limited. All trademarks are the property of their respective owners.