While perusing security articles on the internet, I came across a story that made me say, “Huh?” According to Roy Lundgren (the United States Army’s Deputy of Cybersecurity), there exists a “major computer security flaw” that allows users to gain access to resources they are not supposed to see.
The article claims the following:
“The hack allows users with access to shared Army computers to assume the identities of other personnel, gaining their securities clearances in the process, and having their activity logged as that user.
“In order to log into a shared Army computer you need to insert your personal Common Access Code military ID. Each card contains a chip that has the individual soldier’s permissions and security details, and which helps the military track your activity. Once you remove the card, you are fully logged out. But the hack overrides that system during the shut down period.
“There are instances where the log-off process does not immediately complete upon removal of the CAC. This occurs when the system is running logoff scripts and shutting down applications,” Lundgren told BuzzFeed. “The period of time that a system can be accessed following CAC removal before system logoff completes is normally not sufficient to gain unauthorized access.””
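The gap Lundgren describes sits between card removal and the moment logoff processing finishes. The PowerShell check below, added here and not taken from the article or this post, reports how a workstation is configured to react when the card is pulled (the ScRemoveOption value behind the “Interactive logon: Smart card removal behavior” policy, enforced by the Smart Card Removal Policy service) and flags settings that leave the desktop usable after removal; it assumes a Windows domain workstation with smart card logon, which the article does not state.

```powershell
# Added example (not from the article or this blog post). Assumes a Windows
# workstation that uses smart card (CAC) logon; run as an administrator.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Meaning of ScRemoveOption, the value behind the Group Policy setting
# "Interactive logon: Smart card removal behavior".
$meaning = @{
    '0' = 'No Action (session stays open after the card is removed)'
    '1' = 'Lock Workstation (desktop locks immediately; session kept)'
    '2' = 'Force Logoff (logoff scripts run before the session is gone)'
    '3' = 'Disconnect if a Remote Desktop Services session'
}

function Get-SmartCardRemovalPolicy {
    $prop  = Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue
    $value = if ($prop) { [string]$prop.ScRemoveOption } else { '0' }  # absent = No Action
    $svc   = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { [string]$svc.Status } else { 'not installed' }
    [pscustomobject]@{
        ScRemoveOption = $value
        Behavior       = $meaning[$value]
        PolicyService  = $svcStatus
    }
}

# Remediation: lock the desktop the instant the card is pulled, and make sure
# the service that enforces the setting starts with the machine.
function Set-SmartCardRemovalLock {
    Set-ItemProperty -Path $winlogon -Name ScRemoveOption -Value '1' -Type String
    Set-Service -Name SCPolicySvc -StartupType Automatic
    Start-Service -Name SCPolicySvc
}

$state = Get-SmartCardRemovalPolicy
$state | Format-List

# Two conditions leave the desktop usable after card removal: a setting that
# does not lock first (the logoff path is the one the article describes), or
# a policy service that is not running, in which case the setting is ignored.
if ($state.ScRemoveOption -ne '1') {
    Write-Warning "ScRemoveOption=$($state.ScRemoveOption): card removal does not lock the screen first."
}
if ($state.PolicyService -ne 'Running') {
    Write-Warning 'SCPolicySvc is not running, so the removal setting is not enforced.'
}
```

Domain-joined machines normally receive this setting from Group Policy, so a local change made with Set-SmartCardRemovalLock is overwritten at the next policy refresh unless the GPO itself is updated.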
This is the part that made me scratch my head:
“The Army contends that instead of improving the security flaw itself, individual soldiers should make sure they are properly logged off. “The government and industry must manage numerous risks each day,” says Lundgren. “Often software and/or hardware solutions are not available, supportable, or necessary. In the case of many risks, they are managed via other mitigations such as modifying policy, procedures, or training.”
“In response to the problem they are planning an “Information Assurance/Cybersecurity Awareness week” in October as a follow-up measure to their new handbook, released last February, which stresses the importance of individual responsibilities to protect information. According to Lundgren, the handbook “augments current policy, training, and inspection processes and aims to raise awareness and change culture.””
Sure, I don’t know the extent of the hack or what it would take to eliminate it, but having seen my fair share of bugs and weaknesses in software, my experience tells me that this type of flaw can and should be fixed. One cited reason could be the cost of the repair… but what is the cost of a “Cybersecurity Awareness week”? All the documentation that must be created… the organization of meetings to get the word out… the time taken from many individuals to attend those meetings, and then the added stress on each person of not making a “human” error when logging out.
This is just one blogger’s opinion, but if there is the potential for a security breach and the company/organization knows about it, shouldn’t it be fixed? One of the greatest attributes of software is that it is run on a computer and computers do not make “human” mistakes. I plan to do more research on this, but would be very interested to know… What is your take on this topic?