Posted on Tue, Sep 15, 2009 @ 01:32 PM
Interesting to see that access governance control failures are continuing to happen at all levels in the Federal Government.
http://www.wired.com/threatlevel/2009/09/montgomery/
Intelligence Analyst Charged With Hacking into Top Secret Anti-Terror Program
An analyst at a Defense Department spy satellite agency faces federal hacking charges after allegedly poking around in a top-secret system used in a classified terrorism investigation involving the FBI and the U.S. Army.
Brian Keith Montgomery worked on a covert program for the National Geospatial-Intelligence Agency - the spy agency in charge of satellite and aerial image collection. On April 9, he was carrying out his duties when he saw a message that "provided significant detail about a classified operation" that was unrelated to his job, according to an affidavit filed by a Pentagon investigator in the case.
According to the government, Montgomery ignored a security warning in the message he saw, and twice logged in to a classified system used in the terrorism investigation: first on April 9, when he stayed on for two hours, and then on April 14. He'd gotten the password from another classified message to which he also had legitimate access.
Curiously, just by accessing the system, Montgomery endangered the terrorism investigation, and "caused harm to the U.S. Army and the FBI," according to the affidavit by Dexter Wells, an agent with the Defense Criminal Investigative Service.
Montgomery's alleged motives are unclear, but he told DCIS that he was very interested in the information in the program, Wells wrote. Montgomery also told investigators that he'd thought he was allowed to log in to the system, and hadn't noticed a warning saying that only officials participating in the operation were allowed to use the password.
"It was not until I was called on the carpet, that I went back and read the warning notice in the message traffic," Montgomery allegedly told DCIS.
The nature of the system at issue is not clear, but it was used from all around the U.S. as part of the terrorism investigation, and was being monitored by the FBI at the time of his alleged access. That's evidently what led to the probe of Montgomery, who worked at a National Geospatial-Intelligence Agency facility at Fort Belvoir in northern Virginia.
There are no allegations that Montgomery did anything with the information he obtained.
###
We see two major issues here:
1. As we have seen in numerous employee snooping incidents, such as those at the US State Department, hoping that users across the enterprise will remember access policies that live in a three-ring binder on the IT Security organization's bookshelf is wishful thinking. A warning in a message stating that only authorized users working on a particular case or project should log in to view the information is not an effective access governance control: it is advisory text that the system itself never evaluates. Controls need to be automated so that policies are enforced consistently across the entire enterprise and for all legitimate users. In this situation, I wouldn't hold the employee accountable for snooping, as there were no real controls limiting access. The DoD is responsible for enabling this situation to occur: it knew the likelihood was high that some users who could read the message had no legitimate reason to access the information, which is why it put the warning in the message in the first place.
2. Based on the news reports of this event, there appears to be no access governance framework in place at the DoD for this system. If a user is authorized with credentials to log into the system as part of performing their job function, controlling what they can and can't do requires access administration capabilities that far exceed what a system account password provides. A password distributed through message traffic proves only that the user was able to read the message, as this case shows, not that the user is assigned to the operation. Controlling access is best done at the entitlement level, where specific access rights are assigned to a person and the determination is made of what they can or shouldn't be able to do within the system. Had the DoD leveraged a dynamic access governance control framework, it could have avoided this situation by administering access using role attributes. This approach enables user entitlements to be assigned based on a case log or project assignment code that maps to a particular user's task or process role within the department, so that the determination of who is, and is not, authorized to view specific content follows from the work they have actually been assigned, and lapses when that assignment ends.
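To make the distinction in point 2 concrete, here is an added example (not code from the original post, the DoD or any product) that puts the control that existed in the story, a shared system password with an advisory warning, beside an entitlement check keyed to case assignment. Every user name, case code, date, the password value and the clearance ladder are constructed for illustration; nothing here is taken from the affidavit or the Wired article.

```python
from dataclasses import dataclass, field
from datetime import date

# Simple clearance ladder used by the example (constructed; real
# compartmentation is far richer than a single ordering).
CLEARANCE_RANK = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Resource:
    """Content in the classified system, tagged with the operation it belongs to."""
    system: str
    case_code: str        # case / project assignment code the content is tagged with
    classification: str


@dataclass
class User:
    name: str
    clearance: str
    # case_code -> (start, end); end=None means the assignment is still open
    assignments: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# --- The control that existed: one system password circulated in message
# --- traffic, plus a warning that only operation participants should use it.
SYSTEM_PASSWORD = "constructed-shared-password"   # hypothetical value


def password_only_control(presented: str, read_warning: bool) -> Decision:
    """Allow anyone who presents the shared password. The warning is advisory:
    whether the user read it has no effect on the decision, which is the gap."""
    if presented != SYSTEM_PASSWORD:
        return Decision(False, "bad password")
    note = "" if read_warning else " (warning never read)"
    return Decision(True, "password matched; warning not enforced" + note)


# --- The control the post argues for: an entitlement tied to case assignment.
def has_active_assignment(user: User, case_code: str, today: date) -> bool:
    window = user.assignments.get(case_code)
    if window is None:
        return False
    start, end = window
    return start <= today and (end is None or today <= end)


def entitlement_control(user: User, resource: Resource, today: date) -> Decision:
    """Allow only a user cleared to the content's level who holds an active
    assignment to the case the content is tagged with. Knowing the system
    password is irrelevant: the entitlement is evaluated per access against
    current assignments, so it lapses when the assignment does."""
    if CLEARANCE_RANK[user.clearance] < CLEARANCE_RANK[resource.classification]:
        return Decision(False, f"{user.name}: not cleared for {resource.classification}")
    if not has_active_assignment(user, resource.case_code, today):
        return Decision(False, f"{user.name}: no active assignment to {resource.case_code}")
    return Decision(True, f"{user.name}: assigned to {resource.case_code}")


def audited(control_fn, audit_log: list, *args) -> Decision:
    """Run a control and record every decision, so denials are reviewable
    instead of an access being noticed only because someone was watching."""
    decision = control_fn(*args)
    audit_log.append(("ALLOW" if decision.allowed else "DENY", decision.reason))
    return decision


# --- Constructed scenario with the same shape as the story.
OPERATION = Resource("terror-inv-system", "OP-CONSTRUCTED-7", "TOP SECRET")
analyst = User("analyst_a", "TOP SECRET",
               assignments={"IMG-TASK-0412": (date(2009, 1, 5), None)})
participant = User("case_agent_b", "TOP SECRET",
                   assignments={"OP-CONSTRUCTED-7": (date(2009, 3, 1), date(2009, 4, 30))})
junior = User("junior_c", "SECRET",
              assignments={"OP-CONSTRUCTED-7": (date(2009, 3, 1), None)})


def demo(today: date = date(2009, 4, 9)):
    """Return ({scenario: allowed}, audit_trail) for the scenarios above."""
    log = []
    results = {
        # the analyst read the password in traffic he was entitled to see
        "password_only_analyst": audited(password_only_control, log, SYSTEM_PASSWORD, False),
        "entitlement_analyst": audited(entitlement_control, log, analyst, OPERATION, today),
        "entitlement_participant": audited(entitlement_control, log, participant, OPERATION, today),
        # same participant after the assignment window has closed
        "entitlement_participant_after": audited(entitlement_control, log, participant, OPERATION, date(2009, 5, 15)),
        # assigned to the case but not cleared to its level
        "entitlement_uncleared": audited(entitlement_control, log, junior, OPERATION, today),
    }
    return {k: d.allowed for k, d in results.items()}, log


if __name__ == "__main__":
    outcomes, trail = demo()
    for name, allowed in outcomes.items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DENY'}")
    for entry in trail:
        print(*entry)
```

The contrast the two functions draw: under the password-only control the analyst's decision is identical to a participant's, because the only attribute evaluated is possession of a string that both could legitimately read, and the warning is never consulted. Under the entitlement check the shared string plays no part; the decision follows the assignment record, expires with it, and every denial lands in the audit trail where a monitoring team can see it rather than discovering the access by chance.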