Information Security Matters: Advanced Security for Secret Information

Author: Steven J. Ross, CISA, CDPSE, AFBCI, MBCP
Date Published: 30 April 2021
Related: COBIT Focus Area: Information Security | Digital | English

No matter how small, every enterprise beyond a lemonade stand has some form of a security program. Even someone with a one-person business probably has a personal computer with Internet connectivity, and that PC undoubtedly has a firewall, antivirus software and password protection. (If this applies to you and is not true, stop reading this article and go get those things!) As I have been saying in previous articles, there is a good chance that your organization has some information that, at least for a period of time, is considered to be secret.¹^,²

It is in the nature of secrecy that some parties without authorized access to the information in question have heightened incentive to try to get it. I propose that the security measures put in place to protect all other information, including that with privacy considerations, are insufficient for secrets. (In the public sector, many of these are referred to as state secrets and in the public sphere as trade secrets.) There are legal penalties for breaching their secrecy, but in many cases, these are unavailing once the information has been stolen.

So just as the bad guys³ have a higher interest in stealing secrets, so information security professionals need to apply what I term “advanced security” to prevent thefts. Advanced security, as I see it, incorporates all the controls used for information in general, plus many that are used to keep personal information private, and then even more for secrets.

Encryption

It goes without saying that secret information should be encrypted. Then why am I saying it? Because encryption is far from universal. So to add another dictum that should not need saying, any electronic information that is not encrypted is not really secret.

However, this statement by itself does not take the nature of the adversary into account. If I am trying to keep the birthday present I bought my wife⁴ secret from her, I can store the receipt on my encrypted computer. But if the information in question has extreme military or commercial value, then the nature of the bad guys gets scarier. The armed forces have long been subject to this sort of risk. Recently, governments have also been accused of attacking systems in other countries’ private sectors.⁵ If, for example, the secret is a cure for COVID-19, it might attract a great deal of international attention. Let us further suppose that the information is encrypted with the strongest currently available algorithm. Confidence in that algorithm rests on the assumption that it cannot be broken. But can anyone be certain that the Chinese Ministry of State Security, Russia’s Special Communications and Information Service, or the US National Security Agency cannot decrypt information protected by the Advanced Encryption Standard (AES) or the Rivest-Shamir-Adleman (RSA) cryptosystem? Maybe they can; maybe not. But if the secrets are important enough, with governments getting into the cyberattack business against private industry, encryption alone may not be enough.

Vaults and Guards

Sometimes the old ways are the best ways. One solution for keeping secrets secret is to make them inaccessible remotely and then store them in a strong vault⁶ with an armed guard outside. Probably the most famous example of this approach is the vault used by the Coca-Cola Company for its much-vaunted secret formula for Coke.⁷

For most information security professionals, the practical part of this approach is making the information inaccessible: no Internet; no local area network; maybe a locked cage within a restricted-access data center. Maybe two locks, with two people each entrusted with one key. The degree to which the level of physical protection makes sense is completely dependent on how important the information is and how far a thief might go to obtain it.

Note that this determination is nonprobabilistic; the risk is not equal to impact times probability. Rather, the risk is a function of impact, which, by definition, is high or the information would not be secret, as is the degree of effort both to protect it and to breach the protections. Few organizations are holding information of such enormity, but the combination of technology, ideology and simple bribery may make the level of effort quite low even for lesser secrets. Thus, the need for advanced security is extending into domains, especially in the nondefense private sector, where it has never been encountered before.

Extended Monitoring

Monitoring is widely understood to be an essential part of information security. In most cases, this entails watchfulness for attempted or actual unauthorized access to protected resources. As with much involved with protecting secrecy, this sort of monitoring is necessary but insufficient. Advanced security calls for oversight not only of protection but also of trust.

Seemingly contradictory, secrecy requires someone to have access to information. Therefore, advanced security goes beyond prevention of unauthorized access and includes controls over authorized access as well. Those who should have access to secrets need to be closely vetted.

The chief executive officer (CEO) should be privy to all information within an enterprise, but he or she cannot be the sole recipient of all secrets. Those who need secret information in the course of their routine job functions should have access to it. Sadly, there have been a number of recent incidents in which authorized insiders have been the instigators of breaches of trade secrets.⁸ Deep background checking is routine for Top Secret authorization in government, and similar vetting should be for those needing such access in the private sector as well.

ADVANCED SECURITY GOES BEYOND PREVENTION OF UNAUTHORIZED ACCESS AND INCLUDES CONTROLS OVER AUTHORIZED ACCESS AS WELL.

Even authorized access to secret information should be monitored. If someone takes information out of that previously mentioned vault or its electronic equivalent, when did it happen? Why was it used? When was access authorization terminated? Was there a legitimate business reason for obtaining the information? And above all, what was done with it? We are accustomed to thinking of cyberattackers as external threats. Sadly, authorized insiders may be threats as well.

This sort of monitoring may seem very intrusive, and it is. Information security professionals are familiar with the concept of zero trust, the essence of which is that nobody is trusted. To be a designated keeper of secrets, a person has to be ready to put up with some intrusiveness. It goes with the job.

Endnotes

¹ Ross, S.; “Secrecy and Privacy,” ISACA^® Journal, vol. 1, 2021, https://www.isaca.org/archives. In this article, I distinguish between information with privacy implications and those where secrecy is the concern.
² Ross, S.; “Keeping Secrets,” ISACA Journal, vol. 2, 2021, https://www.isaca.org/archives
³ This, as far as I am concerned, is the proper technical term. I refuse to dress them up with fancy phrases such as “threat actors,” which glorify them like characters in a James Bond flick.
⁴ For the record, not all those who might obtain secrets are “bad guys.”
⁵ In the United States, much attention has been given to Chinese incursions on Western pharmaceutical companies’ vaccine research. See Nakashima, E.; D. Barrett; “US Accuses China of Sponsoring Criminal Hackers Targeting Coronavirus Vaccine Research,” The Washington Post, 21 July 2020, https://www.washingtonpost.com/national-security/us-china-covid-19-vaccine-research/2020/07/21/8b6ca0c0-cb58-11ea-91f1-28aca4d833a0_story.html. In the United Kingdom, more attention has been focused on attacks from Russia. See Rayner, G.; “Russian Hackers Attempted to Steal UK’s COVID-19 Vaccine Research, Downing St Says,” The Telegraph, 17July 2020, https://www.telegraph.co.uk/politics/2020/07/16/russian-hackers-attempted-steal-covid-19-vaccine-research-downing/. Not surprisingly, the Chinese press (or at least the English-language versions) see it differently. See Wang, Q.; “US Accusations of Vaccine Theft ‘Absurd,’” China Daily, 18 July 2020, https://global.chinadaily.com.cn/a/202007/18/WS5f123a07a31083481725a64b.html.
⁶ I am deliberately excluding encrypted data vaults (EDV). Aside from the admittedly extreme case of the potential shortcoming of encryption described in the previous section, EDVs are intended for use as “a privacy-respecting mechanism for storing, indexing, and retrieving encrypted data.” I agree that EDVs are a reasonable solution for a frequently encountered problem, i.e., data storage at a third-party provider. The issue of secrecy in some cases raises the possibility of protection against what is in most cases an unreasonable level of threat. See Longley, D., et al., “Encrypted Data Vaults 0.1 Specification,” https://digitalbazaar.github.io/encrypted-data-vaults/
⁷ World of Coca-Cola, “Vault of the Secret Formula,” https://www.worldofcoca-cola.com/explore/explore-inside/explore-vault-secret-formula/. The formula is described, with perhaps a bit of excess carbonation, as “the most closely guarded and best-kept secret.”
⁸ Mueller, “Protect Trade Secrets From Insider Theft,” December 2017, https://www.muellercpa.com/newsletters/protect-trade-secrets-insider-theft

Steven J. Ross, CISA, CDPSE, AFBCI, MBCP

Is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersintl.com.