Cyber / Information Security can’t be that hard, can it? The guidelines are available, the principles are available, the regulations exist, and if you’re in the government, the NIST docs and FISMA exist, too. I teach my students in our Cyber Security I (Fundamentals of Information Security) course that if you need to secure your business, there’s no better place to start than to use the NIST 800-series docs as a guideline. And yet, as described in the New York Times article on the Chinese hack into the Office of Personnel Management, a lot of the basic principles were violated, among them:
- Failure to inventory computers, especially laptops containing sensitive information (or even those that didn’t contain that kind of information)
- Failure to require secure passwords, and to change those passwords regularly, according to a schedule
- Failure to install the necessary security & update patches
- No firewall set up, and no Intrusion Detection and Prevention Systems (IDPSs) set up
- Failure to encrypt data
- Failure to monitor the network (again, IDPSs would be one component of doing this)
All of these precautions are not only in the textbook we use for our first Cyber Security course, they’re in the NIST docs that the government requires its personnel to use as guidelines for managing information security. It’s just astounding that the very principles set forth by the federal government for their own agencies to use, very valid principles, were not followed by a governmental agency.
Perhaps the students we graduate from our program at Armstrong will go into government service and help straighten them out.
It was announced today on SearchSecurity.com that the open source encryption tool TrueCrypt had shut down. The implications are far-reaching for multiple reasons:
- While TrueCrypt developers won’t confirm or deny that their open source software had been hacked, TrueCrypt’s demise means that more users who want to employ open source software as a less-expensive means of providing encryption/security solutions may have to look to more expensive proprietary software. This will make any user skeptical of using any open source software in the future.
- The article hints that one of the issues with TrueCrypt, over time, has been that the authors of the software have remained anonymous. This is indeed a concern – the user community is entitled to know who is writing the software in order to verify its authenticity and reliability. If the authors won’t identify themselves, how reliable can their work be?
- TrueCrypt purported itself to be secure, so much so that its use is promoted in Information Security textbooks, and as a professor who teaches IT and IS, I have taught it to my students. Now I will have to switch over, almost certainly to the proprietary BitLocker, installed on Microsoft operating systems. The instructions on how to migrate to BitLocker are here, on, of all places, TrueCrypt’s own site (what’s left of it).
- Some hardware devices actually use TrueCrypt to provide encryption services. I own a LaCie USB key that contains an encrypted drive; it’s encrypted by TrueCrypt. I’ll keep using it, but now I’m suspicious. In the meantime, manufacturers such as LaCie that use it are going to have to migrate to another encryption tool.
- While I don’t use TrueCrypt to encrypt an entire system drive on my home PC, I do use it to encrypt a file container of secure personal documents and files, and so I’ll have to migrate those files to BitLocker, which probably won’t be that difficult. TrueCrypt’s instructions seem easy to follow.
The biggest blow from TC’s announcement is to the open source community, TC’s community of users, and instructors like myself. It will be interesting to see how textbooks and instructional material are updated in the future.