Security Fails of 2009 – The Marine One Breach

As 2009 draws to a close, I think no one would argue that this has been an extremely eventful year for IT security. While others will soon be trotting out their "best of 2009" lists, I thought I would instead revisit some of the prominent fails of 2009 in hopes that we can learn from the mistakes of the (recent) past. So without further ado, here is the first of the Security Fails of 2009.

In early March it was reported that detailed plans for the refresh of the Marine One helicopter used by the President had been compromised. Soon after, detailed data about the new Joint Strike Fighter were also reported compromised. Both incidents were traced back to peer-to-peer software through which the data was exposed.

These high-profile incidents catalyzed some interesting dialogue about peer-to-peer applications in particular and unauthorized applications in general. There was an immediate rush to remove all peer-to-peer software from endpoint computers without any analysis of what other contributing factors led to the loss of sensitive data. Throwing the baby out with the bathwater never leads to real progress, and my guess is that peer-to-peer applications have proliferated, not decreased, through the year. In fact, an article in CIO magazine cited a study showing that "an average of six peer-to-peer applications were found in 92 percent of the organisations surveyed".

A much broader and more constructive dialogue emerged around the control of unauthorized applications. Whitelisting rose to prominence in 2009 as everyone came to terms with antivirus software's continuing difficulty keeping up with the evolving threat landscape. But for whitelisting to be effective, that is, to actually block unauthorized applications, the endpoint must be locked down so that the allow list is enforced without exception. Otherwise the endpoint user becomes the greylist administrator, asked to decide whether to block the suspect software. This is where my cynical nature kicks in, because in many cases it is that same user who initiated the install, and heck yes they want to proceed. Alas, whitelisting joins the distinguished list of "not the silver bullet".
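To make the lockdown-versus-greylist distinction concrete, here is a small illustration I am adding to this post. It is not code from any product, Triumfant's included; the "executables" are constructed byte strings standing in for files on disk, and the allow list is keyed by SHA-256 of the file contents rather than by name or path, which is how hash-based whitelisting is normally done.

```python
"""Hash-based application allowlisting in two enforcement modes.

Added example: shows why a whitelist only blocks anything when the
endpoint is locked down, and how 'greylist' mode hands the decision
to the very user who installed the program.
"""
import hashlib
from enum import Enum
from typing import Callable, Dict


class Mode(Enum):
    LOCKDOWN = "lockdown"   # unknown code is blocked; no user override
    GREYLIST = "greylist"   # unknown code is referred to the logged-in user


def sha256_hex(data: bytes) -> str:
    """Content hash of an executable; the allowlist is keyed by this."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real executables (assumption: in practice these
# are the bytes of the file on disk and the allowlist holds hashes of
# approved builds). A renamed copy of an approved binary still matches;
# a modified one does not.
APPROVED_EDITOR = b"MZ\x90\x00approved-editor-build-1.0"
P2P_CLIENT = b"MZ\x90\x00file-sharing-client-5.2"
TAMPERED_EDITOR = APPROVED_EDITOR[:-1] + b"X"   # one byte changed

ALLOWLIST: Dict[str, str] = {
    sha256_hex(APPROVED_EDITOR): "approved-editor 1.0",
}


def decide(binary: bytes, mode: Mode, ask_user: Callable[[str], bool]) -> str:
    """Return 'allow' or 'block' for an execution attempt.

    ask_user is only consulted in GREYLIST mode; it models the prompt
    shown to whoever is sitting at the endpoint.
    """
    digest = sha256_hex(binary)
    if digest in ALLOWLIST:
        return "allow"
    if mode is Mode.LOCKDOWN:
        return "block"
    # Greylist mode: the decision falls to the user. If that user is the
    # person who just installed the program, the prompt is a formality.
    return "allow" if ask_user(digest) else "block"


def user_who_installed_it(_digest: str) -> bool:
    """The typical greylist administrator: they wanted the app, so yes."""
    return True


def cautious_admin(_digest: str) -> bool:
    """The person the greylist model assumes is answering the prompt."""
    return False


if __name__ == "__main__":
    samples = (
        ("approved editor", APPROVED_EDITOR),
        ("p2p client", P2P_CLIENT),
        ("tampered editor", TAMPERED_EDITOR),
    )
    for name, blob in samples:
        for mode in Mode:
            verdict = decide(blob, mode, user_who_installed_it)
            print(f"{name:16s} {mode.value:9s} -> {verdict}")
```

Run as written, the approved build is allowed in both modes, the tampered build and the file-sharing client are blocked only in lockdown, and in greylist mode they are allowed the moment the installing user clicks through. Whether the prompt is answered by `user_who_installed_it` or `cautious_admin` is the whole difference, and on a machine that permits personal use it is almost always the former.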

The dialogue also prompted a closer look at personal-use policies for company endpoint machines. It has become broadly assumed that the computer provided by the employer is an open invitation to load just about any software the user desires. Obviously this has enormous consequences for security readiness and risk. I have no hard statistics for you, but I can offer an interesting anecdote. Triumfant detects and catalogs all of the applications running on an organization's endpoint population. When we install our software we often ask the customer for their worst-case guess of how many applications they have in their environment. Then we run our application inventory report and show them the actual count. For any customer that allows personal use, the number on the report is normally at least ten times that worst-case guess.

The Marine One fail brought the unauthorized-application conundrum squarely into the spotlight. The DoD and the intelligence community have already locked down their environments, but the Marine One plans leaked from a contractor's machine, so the wall is not airtight. The more vexing question is for commercial organizations competing for talent in the market, where personal use of the company PC has become an expected perk of employment: the genie is already out of the bottle. As a result, IT security folks who already have their hands full protecting the corporate treasures from the bad guys must also deal with the added risk from applications loaded by their own employees. Add the growing use of social media applications, and the problem brought to light by the Marine One fail is clearly not going away as we close the year.