It seems like we should be able to. The lessons are obvious,
but the application may not always be so clear. The same threat methodology
applied to credit cards, customer databases, and financial transaction websites
exists for the defense industry. The products may be diverse, but the result is
usually the same: very sensitive information is released, and those slow to
react are in the business of performing damage control.
Last December, Target shoppers were disheartened to
discover that their private information became available to bad guys as a
result of a pretty detailed scheme to get that information. Now these
shoppers' credit information is vulnerable, threatening possibilities of data
theft many times over. Many, such as my family, suddenly found ourselves in
possession of newly issued credit cards as our banks cancelled suspect credit
cards in response to the data breach.
According to the article in the Wall Street Journal, Target Says Hackers Used Credentials from Vendor,
it wasn't even Target's mistake. Further reporting determined that a vendor for
Target transactions was actually the target of the hacking. The vendor was the
one exposed and leaking the Target customers' sensitive information.
In another article in the same issue of The Wall Street
Journal, Cruel Letter Shows Big Data Gone Bad, Office Max is taking heat for mailing information to "Mike Seay, Daughter Killed in Car Crash." Once again, Office Max was not the
culprit of hacking, but the victim of an irresponsible vendor hired to mail information
using a poorly vetted mailing list.
Those in the defense industry understand the
responsibility of protecting sensitive information at all locations. Whether prime contractors or 5th-level
subcontractors, the requirement to protect sensitive information falls equally
at each location. Protection of classified information, OPSEC, personally identifiable information, For
Official Use Only and other sensitive information is a defense
contracting and acquisitions requirement. What is not dictated is the exact countermeasure
to use, leaving each location to apply its best practices in an à la carte
approach, choosing from a list of approved protection measures.
The application here is that the prime contractor may not
be the primary target of scams to get sensitive information. As learned in
these Wall Street Journal reports, hackers may target vendors and
subcontractors that are easier to get to than the perhaps better prepared prime
contractors. The defense chain is only as strong as the weakest link. The same
sensitive information should be protected with equally effective
countermeasures, training, and awareness no matter where it resides.
Facility Security Officers and security professionals
should review the contract requirements imposed by customers to determine
protection requirements. As such, don't just read the DD Form 254, but engage
the entire contract, including statements of work for all acquisition
transactions. This includes design, engineering and security specifications. How
else will one truly understand what is required by the customer? At the same
time, what requirements does the organization flow down to teaming vendors and
subcontractors?
Specifying security requirements leaves less to chance.
If Target had either specified how vendors shall protect customer information, or
worked only with vendors known to protect customer information with
the same strict controls as Target itself employs, the data breach may have
never happened. Until each teaming unit employs the same protection measures to
protect the same information, there will always be a weaker link.
For more ways of setting up a security system in a
Cleared Defense Contractor, see Red Bike Publishing's book, DoD Security Clearance and Contracts Guidebook.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".