Enterprise Strategy Group | Getting to the bigger truth.TM

Blogs: Federal data breach highlights difficulties of data security
Published on Friday, November 20th, 2009 at 1:37 pm
Categories: Blogs | Data Privacy and Security | Desktop End-point Security | Information and Risk Management | Security Management | Security and Privacy |
Authors: Jon Oltsik |

In January 2008, the Office of Management and Budget (OMB) instituted a security initiative called the Federal Desktop Core Configuration, or FDCC. FDCC comprises about 300 settings on Windows PCs. The objective is to create a standard federal desktop configuration that eases operations and improves security. All federal agencies were required to implement FDCC settings by February 4, 2008.

Fast forward to October 2009. The Washington Post broke a story on a pending investigation of 30 lawmakers by the House Ethics Committee. Information about the Committee probe was inadvertently leaked from a junior staffer’s PC via peer-to-peer file sharing software (e.g., BitTorrent). Someone anonymously accessed the file and then forwarded it to the Post.

These two events illustrate part of the complex problem we face with data security. The feds went out of their way to define a Windows configuration that was “secure by default,” yet a junior staffer was able either to access a confidential file from an insecure computer or to install peer-to-peer software on an FDCC-compliant system.

At a high level, here are some of the problems associated with this episode as well as potential ways to address them.

1. Data classification. The confidential file that leaked may not have been properly classified as such. This is a very common occurrence — employees have no idea that the data on their PCs may be private or regulated so they treat confidential documents the same as photographs, music, and other documents.

Possible solution. Improved data discovery and classification. Extensive and continuous user training. DLP/eRM software. Data encryption.
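The data discovery step above is the one a DLP or classification tool automates: it has to find the sensitive file before any control can protect it. The following Python script is an added example (not code from the post or from ESG) of a minimal discovery scan. The classification markings, the SSN-shaped pattern used to stand in for "regulated" data, the sample files and the shared-folder path are all constructed for the example; real deployments take these from the agency's classification scheme and the endpoint's actual P2P client configuration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical classification markings (phrase -> label), in priority order.
# Constructed for this example, not taken from any real agency scheme.
MARKINGS: Dict[str, str] = {
    "committee confidential": "CONFIDENTIAL",
    "confidential": "CONFIDENTIAL",
    "for official use only": "CONTROLLED",
}
# One constructed content pattern for regulated personal data (US SSN-shaped).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample corpus: path -> file text. The second entry is the same
# memo copied into a folder that a P2P client publishes to the internet.
SAMPLE_FILES: Dict[str, str] = {
    "C:/Users/jdoe/Documents/ethics_memo.txt":
        "COMMITTEE CONFIDENTIAL\nSummary of pending inquiries into 30 members.",
    "C:/Users/jdoe/Downloads/Shared/ethics_memo.txt":
        "COMMITTEE CONFIDENTIAL\nSummary of pending inquiries into 30 members.",
    "C:/Users/jdoe/Music/track01.txt": "lyrics and liner notes, nothing sensitive",
    "C:/Users/jdoe/Documents/payroll.csv": "name,ssn\nJane Doe,123-45-6789\n",
}
# Constructed: directories a hypothetical P2P client shares from this PC.
SHARED_DIRS: Tuple[str, ...] = ("C:/Users/jdoe/Downloads/Shared/",)


@dataclass
class Finding:
    path: str
    label: str          # CONFIDENTIAL, CONTROLLED, REGULATED or UNRESTRICTED
    reasons: List[str]  # which markings or patterns drove the label
    exposed: bool       # True if the file sits in a P2P-shared directory


def classify(path: str, text: str) -> Finding:
    """Label a file from explicit markings first, then from content patterns."""
    lowered = text.lower()
    reasons: List[str] = []
    label = "UNRESTRICTED"
    for phrase, marking_label in MARKINGS.items():
        if phrase in lowered:
            reasons.append(f"marking '{phrase}'")
            if label == "UNRESTRICTED":
                label = marking_label  # first (highest-priority) marking wins
    if label == "UNRESTRICTED" and SSN_RE.search(text):
        reasons.append("SSN-shaped value")
        label = "REGULATED"
    return Finding(path=path, label=label, reasons=reasons, exposed=False)


def scan(files: Dict[str, str], shared_dirs: Tuple[str, ...]) -> List[Finding]:
    """Classify every file and flag sensitive ones that a sharing client would publish."""
    findings: List[Finding] = []
    for path, text in files.items():
        finding = classify(path, text)
        finding.exposed = finding.label != "UNRESTRICTED" and path.startswith(shared_dirs)
        findings.append(finding)
    return findings


def exposed(findings: List[Finding]) -> List[Finding]:
    """Only the findings that need immediate action: sensitive and shared."""
    return [f for f in findings if f.exposed]


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES, SHARED_DIRS):
        flag = "EXPOSED" if f.exposed else "ok"
        detail = "; ".join(f.reasons) or "no markers"
        print(f"{f.label:12} {flag:8} {f.path}  ({detail})")
```

Run against the sample corpus, the scan labels both copies of the memo CONFIDENTIAL and the payroll file REGULATED, but only the copy under the shared folder is reported as exposed, which is exactly the condition that produced the leak described in the post. The same two-stage rule (explicit marking first, content pattern as fallback) is how most DLP products order their detectors, because a marking is far less likely to produce false positives than a regex.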

2. PC administration. While FDCC provides secure PC provisioning, users may be able to download and install vulnerable software and thus open doors to the outside world.

Possible solution. Lock down configurations and avoid giving users administrator privileges. Log changes to PC configurations and generate alerts when rogue software is installed. Create and enforce an application whitelist. Educate users.
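"Log changes and alert when rogue software is installed" is a concrete detection rule: compare every software installation event against the approved list and raise an alert on anything else. The Python below is an added example (not code from the post or from ESG) of that rule run over a handful of constructed log lines. The allowlist, the hostnames, users and timestamps, and the list of file-sharing product names used to escalate severity are all assumptions made for the example; the `Product: ... -- Installation completed successfully.` message text and event IDs 11707/11724 follow the wording of the Windows MsiInstaller events, but a real collector would feed in whatever shape the agency's logging pipeline emits.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Hypothetical allowlist of approved products, keyed by base name (version stripped).
ALLOWLIST: Set[str] = {
    "Adobe Reader",
    "Microsoft Office Professional Plus",
    "Symantec Endpoint Protection",
}
# Constructed name fragments typical of peer-to-peer clients; an unapproved
# install whose name matches one of these is escalated to high severity.
P2P_HINTS = ("bittorrent", "limewire", "kazaa", "utorrent")

# Constructed sample lines in the shape  timestamp|host|user|event_id|message.
# 11707 = MsiInstaller "Installation completed", 11724 = "Removal completed";
# hosts, users and timestamps are invented.
SAMPLE_LOG = """\
2009-10-28T09:12:03|HOUSE-PC-117|jdoe|11707|Product: Adobe Reader 9.2 -- Installation completed successfully.
2009-10-28T12:44:51|HOUSE-PC-117|jdoe|11707|Product: LimeWire 5.3 -- Installation completed successfully.
2009-10-29T08:01:10|HOUSE-PC-204|asmith|11724|Product: Adobe Reader 9.2 -- Removal completed successfully.
2009-10-29T15:22:37|HOUSE-PC-204|asmith|11707|Product: BitTorrent 6.2 -- Installation completed successfully.
2009-10-29T16:05:00|HOUSE-PC-204|asmith|11707|Product: Microsoft Office Professional Plus 2007 -- Installation completed successfully.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<host>[^|]+)\|(?P<user>[^|]+)\|(?P<event>\d+)\|(?P<msg>.*)$"
)
PRODUCT_RE = re.compile(
    r"^Product: (?P<product>.+?) -- (?P<action>Installation|Removal) completed successfully\.$"
)
VERSION_RE = re.compile(r"\s+\d[\w.]*$")  # trailing token that starts with a digit


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    product: str
    severity: str  # "medium" for any unapproved install, "high" if it looks like P2P


def base_name(product: str) -> str:
    """'Adobe Reader 9.2' -> 'Adobe Reader'; '... Plus 2007' -> '... Plus'."""
    return VERSION_RE.sub("", product).strip()


def check_installs(log_text: str, allowlist: Set[str]) -> List[Alert]:
    """Return one alert per completed installation whose product is not approved."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the expected shape; skip rather than crash
        pm = PRODUCT_RE.match(m["msg"])
        if not pm or pm["action"] != "Installation":
            continue  # removals and unrelated events are not policy violations
        product = pm["product"]
        if base_name(product) in allowlist:
            continue
        is_p2p = any(hint in product.lower() for hint in P2P_HINTS)
        alerts.append(Alert(m["ts"], m["host"], m["user"], product,
                            "high" if is_p2p else "medium"))
    return alerts


if __name__ == "__main__":
    for a in check_installs(SAMPLE_LOG, ALLOWLIST):
        print(f"[{a.severity.upper()}] {a.timestamp} {a.host} {a.user}: "
              f"unapproved install of {a.product}")
```

On the sample log the two approved installs and the removal are silent, while the LimeWire and BitTorrent installs each produce a high-severity alert tied to the host and user that performed them. Stripping the version before the allowlist lookup keeps routine patch upgrades from generating noise; the trade-off is that a deliberately downgraded, vulnerable version of an approved product would also pass, so a production rule would pair this with a minimum-version check.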

3. Data leakage. The junior analyst may have wanted to work at home, so she innocently saved a confidential file on a portable storage device and then copied it onto an insecure system.

Possible solution. Port controls, restricted use of portable media (i.e., authorized encrypted devices only), DLP/eRM software, user training.

I have no idea whether the junior staffer in question had an FDCC-approved PC configuration, but in this case it doesn’t matter. The leak was a combination of poor PC administration, a lack of specific data security controls, and either non-existent or incomplete user training.

This is a great example of the old saying that security is a process and not a product. The FDCC is a great start, but it needs to be surrounded by a culture of secure IT administration and regular user training. Without these other changes, we should not be surprised by the continuing epidemic of data breaches.

