17 June 2018
Report “China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare” (1) published on 8 June 2018 in the Washington Post is really worth reading.
Attacks on the supply chain have become more common in recent years. Contractors are e.g. used as gateways to the customer network or customer information is exfiltrated from the contractors network.
The latter is the case here. The product development is outsourced. The information required for product development is available only in the contractors network and, in the worst case, remains there after handover to the customer.
Under normal conditions this is not critical. But when it comes to national security matters, e.g. in product development for defense agencies or for critical infrastructures, this may end in a catastrophe.
Picture credits: Wikimedia
In such cases proper classification of the information handed over to and created by the contractor is of crucial need. Since many contractors run an information security management system, the selection of protective measures is based upon the proper classification.
At least 614 GB of data were obviously not properly classified since “highly sensitive data related to undersea warfare” was stolen from the contractor’s unclassified network.
It is always good to remember Aristotle’s proverb “The whole is greater than the sum of its parts” when it comes to classification of information.
Have a great week.
1. Nakashima E, Sonne P. China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare. Washington Post [Internet]. 2018 Jun 8 [cited 2018 Jun 16]; Available from: https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html
4 October 2014
The crux of the matter with complex application systems is, that they are composed of lots of components which communicate which each other. Most of the users, and sometimes even the IT application administrators, associate a single component, e.g. the web-service they use with their browser application, with the entire application system.
When it comes to information classification this limited view prevents the identification of the really important components, namely those where the critical information is stored and processed. As a result money is wasted for the protection of less relevant system components while critical components remain unprotected.
In these cases the development of a threat model will lead to a far better understanding of the application system.
Just start with the user’s view of the system. Arrange meetings with application developers and administrators, key user’s, system architects and administrators. Show them your model and ask them to add more details. After some time you will get a more detailed model and a much better understanding of the application system, the really important components and the information flow between the components.
Light Bulb Moment
On Wednesday I had such a light-bulb moment. We discussed information stored in an EH&S system. From this system Material Safety Data Sheets (MSDS) are created for shipment of dangerous goods. The carrier receives a copy and has to show this copy to the authorities on request. Why should we keep this information secret?
After some discussions we identified the system component where the really important information was stored and managed. The EH&S system holds only an extract of the information which is required to create the MSDS.
The threat model was of great help in this case. As soon as we added the new component the STRIDE approach showed us the direction to a stronger protection of the critical information.
Have a good weekend.