Using SharePoint for classified documentation --->
A US Department of Defense staffer with top-secret clearance stole the identities of dozens of people from a work SharePoint system to apply for loans totaling nearly a quarter of a million dollars. Kevin Lee, 41, of Chula Vista, southern California, pleaded guilty on Wednesday to wire fraud. Lee, who worked for Uncle Sam's …
When you use the classified networks at the DoD you basically remote desktop in from the unclassified network, or at least that was my experience when I consulted for the Defense Logistics Agency about 15 years ago. Security is enforced by the fact the network is isolated aside from those gateways. Actual routing between classified and unclassified outside of that is likely extremely limited (I wasn't exposed to that end of it) and I very much doubt anything at all can reach the internet directly from it, let alone be allowed in from it.
So it doesn't matter so much if they use something "insecure" on the classified network, as they are more reliant on the vetting they do before handing out security clearances - and moreso the penalties for violating them since that vetting is far from perfect. I'm sure there is tons of monitoring of what you're doing, which while also far from perfect is also more of a "I don't even want to try anything because I'm afraid of the consequences if I got caught" sort of deal. I was very careful to never look at anything I didn't need to and knew I was entitled to!
Also I was only exposed to Secret and Top Secret levels, there are all kinds of special classification levels above that which are probably only accessible on a DoD installation or some cases from SCIFs that are basically locked and guarded Faraday cages where the REAL secrets are kept. I can't really speak to that end as I only know what I was told by others who had been involved with it, it sounded like way too much of a pain to me! I think classification works like grade inflation, so few real secrets are kept at the standard levels, everything that matters is above Top Secret. I mean, IP addresses of individual servers were classified "Secret" just to give you an example of the silliness - what I was doing didn't expose me to ANYTHING I would consider important to the security of the US, though obviously whoever classified those things had a different opinion.
You might do a little exploring on a typical corporate network, but with all the paperwork you sign promising long prison terms when you get a security clearance to access a classified DoD network, you don't fuck around if you have half a brain.
> Security is enforced by the fact the network is isolated aside from those gateways
So it is (or was) like a ship without compartmentation (https://en.wikipedia.org/wiki/Compartment_(ship)).
This time the DoD was lucky - it wasn't espionage.
Compartmentation - lots of inner locks requiring individually assigned passwords to open - is a hassle, but it would be worth it for the DoD, It also leaves an easier trail and can better alert to unusual access patterns.
All that personal government employee info in "Share Point" - a different loose cannon would have made a point of sharing that information with "others" for cash.
The problem is: once the individual is duly elected the secrety bods don't have much choice in the big things. All they can try to do is try to hide the specific family jewels they really, really would like to keep, and repaint the Ferrari county orange and vanta black and glue on some fake panels, spoilers and light bars to make it harder to recognise.
I don't know how it works elsewhere, but in Australia elected representatives don't get security cleared. Their staff do, but not the politicians themselves.
This is apparently because it would be too easy to ban opposition figures from ever entering politics. A simple arrest and conviction for demonstrating against <current regime at the time> could be enough to fail a clearance.
I keep being disappointed, but no longer surprised, that people who presumably are fairly intelligent think that a significant chance of ruining your life is an ok risk to take for money that is by no means even near to "spend the rest of your days in the style you want to be accustomed to, with a well built bomb proof new identity".
Biting the hand that feeds IT © 1998–2022