From: Adam Shostack
To: IJB; Ian)
Subject: Human failability (Was FW: NCSC and modern ratings)
Date: 28 July 1994 18:12
Ian JB wrote:
| During Operation Granby/Desert Storm, an RAF officer stopped off on the
| back from briefing the Prime Minister and went to look over some used
| Unfortunately he left his laptop computer, holding the complete battle plans
| and troop dispositions, in his vehicle. While he was away someone broke into
| the vehicle and stole the laptop computer. Until that time MOD had never
| considered it important to add security to laptop computers because there
| were strict rules governing their use. In this case the officer had an
| escort, radio communication to back up units and the vehicle should not have
| stopped, much less been left unattended with highly classified data on a
| very portable computer. No technology can protect against that sort of
While humans are often fallible, there are technological
solutions to many problems. In the case of laptops, a locking program
to control access to the machine is a good first line defense. There
exist encryption programs to protect sensitive files.
It is also possible to encrypt entire (DOS, Unix) filesystems
with very strong encryption algorithms, and I believe that there are
also OS/2 and Mac volume encryptors as well.
Had the laptop with 'complete battle plans and troop
dispositions' had an encrypted hard disk, the possibility of the data
being stolen would be reduced, and the thief would probably have had
to try password guessing to crack things.
Adam Shostack adam @
Politics. From the greek "poly," meaning many, and ticks, a small,
Adam is correct, there is technology out there aplenty.
DOS/Windows/OS-2 are all covered by dozens of products, many of them very
cheap. There is also a growing army of products in this area which are
certified in Europe under ITSEC at F-C2/E2. Many are based on product which
is almost as old as DOS.
The fact is that very few people bother to use products of this type, even
The MOD solution to the idiot who lost his laptop was to spend a fortune on
removable hard drives in the happy assumption that no one would be stupid
enough to carry HD and machine together. What now happens is that some idiots
carry a laptop and a box full of hard drives and leave the lot unattended.
What is important to understand is that most military folk have to follow a
security rule set which is imposed on them. If the data is at a particular
classification level, protection has to match and the products have to be
EVALUATED and CERTIFIED under a criteria that the particular government
subscribes to. The resulting system then has to be ACCREDITED. DOS type
security products do not reach a high enough standard to protect most
CLASSIFIED data. In this situation the military says - ok the machine never
leaves the sight of a large man with an even larger gun.
The real lesson, which applies to everyone using any form of IT system, is
that appropriate security can only be provided if an adequate Risk Policy
has been produced and implemented. Once implemented, that Policy must be
maintained to screen for changing threats and operational requirements. Even
then, security is not adequate unless it is ENFORCED.
From experience of reviewing security for a range of users, most folk do not
do the job correctly. This creates a whole range of problems. The greatest
is that because something has been done there is a false sense of security
which can increase risk considerably. The most visible is that funds have
not been well spent and the system may be unusable for a number of people
for the purpose it was originally installed for. Good security is a system
where risk has been reduced to a level acceptable to the particular user
which means addressing ASSURANCE, INTEGRITY and AVAILABILITY. Even two
groups in the same organisation may have different requirements to match
acceptable security to operational needs.
Sometimes it's Solomon's judgement. A security officer may chain all the Fire
Escape doors to protect against access by thieves. The Safety Officer may
want no locks to ensure that his risk reduction of containing fire and
getting people out of a burning building is achieved. Users may wedge the
doors open because they are too lazy to use other routes and subvert both
the theft prevention and fire prevention elements of the Risk Policy. When
the fire alarm sounds folk may continue to work on and ignore the alarms. The
same principles hold for IT systems of all types. It really is not a
question of a lack of technology, but of fiscal policies and human
error/failings. In spite of a mass of technology which has been available
for many years, advice from law and fire specialists, pressure from
insurance companies and testing systems for products, people still get
killed in fires in public buildings, offices and factories.