Posted on May 22, 2014
CPT Assistant Operations Officer (S3)
Our BDE/NEC is standing up a new file server due to a number of security vulnerabilities and permissions problems on the current one. In the process of doing so, they have created shares of folders. In thinking about the principles of IS I learned almost a decade ago, I realized the problem will still not be fixed. The BDE has insisted that they have access to every folder. On the surface, and for most things, there is no problem. However, if a SHARP VA or Chaplain stores information, which would be encrypted and restricted, people that should not be privy to the data would still be able to access it.

Here is one of the ideas I had:
Create a new group that has absolute administrative rights. Add 2 or 3 users to that group. Those users would each have a token. A token separate from their SA/OU/IMO token. They cannot know the PIN. The PIN is held by 2 other individuals, who may not possess the token at any time. If one person is ever found to possess both the PIN and token they are given a GOMAR & prosecuted under UCMJ. I know this sounds overboard on some levels, but we don't seem to have learned our lesson on minimum necessary permissions. Too much PII resides on shared drives and while those folders are encrypted, that doesn't do any good if there are more people with permissions than needed.

Another part of this is that with Windows Server, there is no reason to actually have a file share. You can use group policy to map drives based on a file path. That would allow a user to NOT have read access on the parent folders. I did voice my concerns to my signal office and they are going to forward them up.

To you signal and NEC folks: Am I crazy? Does the rest of the Military do this and my base is just behind the times?
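The permission side of what the post describes can be checked and enforced from PowerShell on the file server itself. The script below is an added example, not code from the original post or from the BDE/NEC; the share root `D:\Shares\BDE`, the `SHARP` subfolder and the `EXAMPLE\...` group names are assumptions. It does two things a defender would want: it audits every non-administrative SMB share for broad principals (Everyone, Authenticated Users, Domain Users) that hold more than Read at the share layer or can write at the NTFS layer, and it carves out a restricted subfolder whose inheritance is cut so that only a small named group and the file-server admins can reach it. Access-based enumeration is turned on so users without rights do not even see the folder when they browse the parent, which is the effect the post wants from drive mapping without read on the parent.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Audits share/NTFS permissions on a
# Windows file server for over-broad grants and carves out a least-privilege
# subfolder. All paths and group names below are assumptions for illustration.

$ShareName      = 'BDE'                        # assumed share name
$ShareRoot      = 'D:\Shares\BDE'              # assumed share root
$RestrictedPath = Join-Path $ShareRoot 'SHARP' # assumed restricted folder
$RestrictedGrp  = 'EXAMPLE\SHARP-Restricted'   # assumed AD group (the 2-3 people)
$AdminGrp       = 'EXAMPLE\FS-Admins'          # assumed file-server admin group

# Principals that should never hold more than Read on a share root.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

# NTFS bits that let a principal change data or permissions.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-BroadShareGrants {
    # Share-layer ACEs that give a broad group Change or Full (anything but Read).
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            $name = ($ace.AccountName -split '\\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $name -and
                $ace.AccessRight -ne 'Read') {
                [pscustomobject]@{
                    Layer = 'Share'; Share = $share.Name; Path = $share.Path
                    Principal = $ace.AccountName; Right = $ace.AccessRight
                }
            }
        }
    }
}

function Get-BroadNtfsGrants {
    param([Parameter(Mandatory)][string]$Path)
    # NTFS ACEs on the folder where a broad group can write or alter the ACL.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $name -and
            (([int]$ace.FileSystemRights) -band ([int]$WriteMask)) -ne 0) {
            [pscustomobject]@{
                Layer = 'NTFS'; Share = ''; Path = $Path
                Principal = $ace.IdentityReference.Value; Right = $ace.FileSystemRights
            }
        }
    }
}

function Set-RestrictedFolder {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$AllowedGroup,
        [Parameter(Mandatory)][string]$AdminGroup
    )
    # Cut inheritance so the parent's broad grants do not flow down, drop every
    # remaining explicit ACE, then grant only SYSTEM, the admins and the named group.
    if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # protect, do not copy inherited ACEs
    foreach ($ace in @($acl.Access)) { $acl.RemoveAccessRule($ace) | Out-Null }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($grant in @(
        @{ Who = 'NT AUTHORITY\SYSTEM'; Right = 'FullControl' },
        @{ Who = $AdminGroup;           Right = 'FullControl' },
        @{ Who = $AllowedGroup;         Right = 'Modify' }      # no ChangePermissions
    )) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $grant.Who, $grant.Right, $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Report what is too broad today, at both layers.
$findings = @(Get-BroadShareGrants) + @(Get-BroadNtfsGrants -Path $ShareRoot)
$findings | Format-Table Layer, Share, Path, Principal, Right -AutoSize

# 2. Lock down the sensitive subfolder to the named group only.
Set-RestrictedFolder -Path $RestrictedPath -AllowedGroup $RestrictedGrp -AdminGroup $AdminGrp

# 3. Hide folders a user cannot open, so browsing the parent reveals nothing.
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
```

Run the audit step first on its own and review the output before applying the lockdown; the `Set-RestrictedFolder` step rewrites the folder's ACL, so the account running it must be in the admin group it grants. Share-level permissions can stay coarse (for example Authenticated Users: Change) because the NTFS layer is doing the real restriction; the point of the audit is to catch places where both layers are wide open at once. The drive-mapping half of the post is done in Group Policy Preferences (User Configuration, Windows Settings, Drive Maps) rather than in this script.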
Responses: 1
CPT Company Commander (Hhc, Cyber Protection Brigade)
I feel it has to some extent. I cannot speak for it. I feel rather the military is catching up. The problem is that many of the Soldiers are trained on too many things. I remember in 2002 how I had Yahoo installed on govt computers and utilized FTP. We have come a long way, but the military is slow to adjust. I think the focus on cyber will enhance overall, but I feel this will not be moving fast enough until 2020. Soldiers also need more direct training and have to become more specialized. Sadly, the certs alone are not enough. They need real hands-on.