it was re-enabled because the officer in charge told the systems administrator to go do it. It's not like the OIC went in and did it himself. Also the computers are locked in the building and locked shut. to open one up without authorization would be pretty obvious. Usually there are 2 SA's both with half the combo's so they can't access anything alone. If you came in at night to do it, the then night log has you as being there because you would need special permission to be there after hours. Anyone of these things failing is a failure to follow policy by the people in charge. The policies are pretty inclusive about almost every detail of information security right down to user management and physical access as well as the actual physical security of the building. I've actually written two of such plans and they are really long and technical. They designate what kinds of lock are used, who has control of the combos, who has permission to be there. Also there is a thing called two person integrity where you have the whole work center divided into two groups and each group has half the combo to get in, so two people always need to be present to physically access the building. So in response to your statement it is highly unlikely that if the policy was followed you would be able to do any of those things. Especially since you would probably never be alone not to mention you would be logged in as having accessed the space while the event occurred so yes you probably could be a sacrificial lamb if you had no regard for your own future. All in all you would have to convince people to break the policies to do the things you want to do.
The point of my entire perspective is that people are the weak link in most situations, security get defeated because people don't do what they are supposed to do. This is why wikileaks happened. Someone created a loophole in policy to make their life easier and it got exploited, or security culture broke down and people stopped following it when they closed the door and no one was looking. The problem is people not following protocol, not the policy.
So basically, say you are the systems administrator, your boss comes to you and says " I need to be able to transfer word documents from home to work on my USB stick because it saves me time." You reply,"Sir, that's not possible all USB slots are disabled by policy." Then he says,"I know, that's why I've re-written the policy, and since I am responsible for everything here, I take responsibility for this and sign this policy into an order." You say,"Um, ok then." You then find the other person who has access and re-enable all the USB Slots. 2 years later that Guy has moved on and someone walks out of the building with a USB stick full of documents because, since the it's an abnormal policy, no one has written a procedure to control USB sticks like say, they do for Floppy disks. It's funny I remember putting documents on a floppy disk and following a painstakingly thorough procedure to check for classified info while sitting next to a guy transferring music files on and off his iPod. It's like being the guy going through the security check point while everyone else walks through the big open garage door in my earlier example.
While these things do not leave you with "Absoulute Security", you at least need to be following them to a point where you can say the policy is at fault, and not the people not following it.
That actually is a great policy. Sounds to me like the major problem is that a non-technical person was able to overrule a technical person on a technical issue. The system administrators should be the highest authority when it comes to the systems they are administrating. Was the commanding officer who gave the order a computer person? I'm guessing not. Non technical people should have no authority to make technological decisions. We have enough trouble with judges, lawyers, and lawmakers fucking it up already.
Yeah that's pretty much exactly the problem. I would say that the SA shouldn't be the person with all the power, but maybe some who had been an SA at one point in their career. Like create a career track that goes up through security starting at like help desk --> SA--> Security Officer ---> Security Manager
US government stuff is locked up pretty tight, the problem is when some ass hat decides he or she needs to rewrite the policy that they have authority over to make their life easier
I agree with you so much it hurts. Real security is a pain in the ass, and people in power who aren't willing to put up with the annoyance don't deserve the power.
the major problem is that a non-technical person was able to overrule a technical person on a technical issue
Side note - didn't Manning not use a USB stick, but rather brought in some CD/RWs with music on them, erased them, and then burned the files to them?
I don't know exactly what he did. But as we were discussing, there should be no physical access to the computers. Just keyboard, mouse, and monitor. Everything else should be locked up. For him to have access to the optical drive is already a huge failure. For the optical drive to be a burner is another failure. If security is priority #1, if you don't need a burner, don't have a burner.
Comments
The point of my entire perspective is that people are the weak link in most situations, security get defeated because people don't do what they are supposed to do. This is why wikileaks happened. Someone created a loophole in policy to make their life easier and it got exploited, or security culture broke down and people stopped following it when they closed the door and no one was looking. The problem is people not following protocol, not the policy.
So basically, say you are the systems administrator, your boss comes to you and says " I need to be able to transfer word documents from home to work on my USB stick because it saves me time." You reply,"Sir, that's not possible all USB slots are disabled by policy." Then he says,"I know, that's why I've re-written the policy, and since I am responsible for everything here, I take responsibility for this and sign this policy into an order." You say,"Um, ok then." You then find the other person who has access and re-enable all the USB Slots. 2 years later that Guy has moved on and someone walks out of the building with a USB stick full of documents because, since the it's an abnormal policy, no one has written a procedure to control USB sticks like say, they do for Floppy disks. It's funny I remember putting documents on a floppy disk and following a painstakingly thorough procedure to check for classified info while sitting next to a guy transferring music files on and off his iPod. It's like being the guy going through the security check point while everyone else walks through the big open garage door in my earlier example.
While these things do not leave you with "Absoulute Security", you at least need to be following them to a point where you can say the policy is at fault, and not the people not following it.