Invitation to Cybersecurity

INVITATION TO CYBERSECURITY 230

enabled phone phreakers to abuse the system (see Section 3.2.5). By inputting certain frequencies such as 2600 Hz into a phone, hackers could gain command control over the phone system. The system failed to isolate data (human speech) from code (control frequencies). Interestingly, this same vulnerability is built into most generative AI systems. The same prompt used for asking questions (data) can also be used to input commands and source data (code). A prompt injection attack is an attack where malicious prompts are fed into large language models to manipulate their behavior.

Compartmentalization also applies to access to information. In classified environments, information is segmented into compartments. A compartment is a category of sensitive information. Examples of compartments within the United States Department of Defense (DOD) classification system might include “nuclear weapons,” “terrorist threats,” and “Chinese intelligence.” The information within the compartments still carries classifications, but even people with Top Secret (TS) clearances may not be able to access information in certain compartments (this is similar to need-to-know). There is a special type of clearance called TS/SCI. SCI stands for sensitive compartmented information. This is an even higher bar than a TS clearance and gives people access to more categories of sensitive information.

In the DOD multi-level security system, compartmentalization is also enforced with facilities. People with clearances often work in a special environment called a SCIF. A SCIF is a sensitive compartmented information facility. SCIFs are specially designed to contain and isolate classified information. SCIFs have their own isolated computer network, their walls are designed to block radio signals, and computing devices are carefully vetted before being allowed in or out. Most cyber operations-related work takes place in SCIFs.
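The clearance-plus-compartment rule described above can be written down as a small access check. The following is an added illustration, not code from the textbook: a subject may read a document only when the subject's level is at least the document's level and the subject holds every compartment on the document, so a plain TS clearance is refused access to a TS document tagged "nuclear weapons". The level ordering and the sample labels are constructed for the example; the compartment names are the ones the text lists.

```python
from dataclasses import dataclass, field

# Hierarchical classification levels, lowest to highest (constructed
# ordering that mirrors the US scheme discussed in the text).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high as `other` on both axes:
        the level is >= and every compartment of `other` is held here too."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(clearance: Label, document: Label) -> bool:
    """Read access requires the subject's clearance to dominate the
    document's label (the "no read up" rule of multilevel security).
    Lacking a single compartment is enough to deny access, whatever
    the subject's level."""
    return clearance.dominates(document)


# Constructed sample clearances (subjects) and document labels (objects).
TS_ONLY = Label("TOP SECRET")
TS_SCI_NUCLEAR = Label("TOP SECRET", frozenset({"NUCLEAR WEAPONS"}))
SECRET_TERROR = Label("SECRET", frozenset({"TERRORIST THREATS"}))

NUCLEAR_DOC = Label("TOP SECRET", frozenset({"NUCLEAR WEAPONS"}))
PLAIN_TS_DOC = Label("TOP SECRET")
CONFIDENTIAL_DOC = Label("CONFIDENTIAL")

if __name__ == "__main__":
    # A bare TS clearance reads ordinary TS material but not the compartment.
    print(can_read(TS_ONLY, PLAIN_TS_DOC))        # True
    print(can_read(TS_ONLY, NUCLEAR_DOC))         # False
    print(can_read(TS_SCI_NUCLEAR, NUCLEAR_DOC))  # True
    # Holding a compartment never raises the level: SECRET still cannot read TS.
    print(can_read(SECRET_TERROR, NUCLEAR_DOC))   # False
    print(can_read(SECRET_TERROR, CONFIDENTIAL_DOC))  # True
```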
Unvetted computers and technology, including personal smartphones and smartwatches, are not allowed in SCIFs because they could introduce data into the compartment or exfiltrate data out of it. SCIFs are designed to prevent unauthorized personnel, data, and resources from being mixed with authorized personnel, data, and resources. Compartmentalization is a key security principle. It limits exposure and prevents compromises of access control by creating barriers around resources.

9.1.9 Security as a Process

“Security is a process, not a product.” - Bruce Schneier

As we have seen throughout this book, cybersecurity is implemented in various ways across organizations through people, processes, technology, and facilities. It is naive to think of cybersecurity as a one-and-done checkbox, a set-it-and-forget-it solution, or a technology product that can be purchased. We have also seen that there is no such thing as 100% security, and that there is always room for improvement. Furthermore, organizations, technologies, and the threat landscape are ever evolving. The principle of security as a process states that cybersecurity must permeate all aspects of an organization and be continually monitored and improved.
