INVITATION TO CYBERSECURITY 230 The same prompt used for asking questions (data) can also be used to input commands and source data (code). A prompt injection attack is an attack where malicious prompts are fed into large language models to manipulate their behavior. Compartmentalization also applies for access to information. In classified environments, information is segmented into compartments. A compartment is a category of sensitive information. Examples of compartments within the United States Department of Defense (DOD) classification system might include “nuclear weapons,” “terrorist threats,” and “Chinese intelligence.” The information within the compartments still carry classifications, but even people with Top Secret (TS) clearances may not be able to access information in certain compartments (this is similar to need-to-know). There is a special type of clearance called TS/SCI. SCI stands for sensitive compartmented information. This is an even higher bar than a TS clearance and gives people access to more categories of sensitive information. In the DOD multi-level security system compartmentalization is also enforced with facilities. People with clearances often work in a special environment called a SCIF. A SCIF is a sensitive compartmented information facility. SCIFs are specially designed to contain and isolate classified information. SCIFs have their own isolated computer network, their walls are designed to block radio signals, and computing devices are carefully vetted before being allowed in or out. Most cyber operations-related work takes place in SCIFs. Unvetted computers and technology, including personal smartphones and smartwatches, are not allowed in SCIFs because they could introduce data into the compartment or exfiltrate data out of it. SCIFs are designed to prevent unauthorized personnel, data, and resources from being mixed with authorized personnel, data, and resources. Compartmentalization is a key security principle. It limits exposure and prevents compromises of access control by creating barriers around resources. 9.1.9 Security as a Process “Security is a process, not a product.” - Bruce Schneier As we have seen throughout this book, cybersecurity is implemented in various ways across organizations through people, processes, technology, and facilities. It is naive to think of cybersecurity as a one-and-done checkbox, a set-it-and-forget-it solution, or a technology product that can be purchased. We have also seen that there is no such thing as 100% security, and that there is always room for improvement. Furthermore, organizations, technologies, and the threat landscape are ever evolving. The principle of security as a process states that cybersecurity must permeate all aspects of an organization and be continually monitored and improved. On the one hand this principle is difficult to bear, because it makes it clear that there is no rest for the weary cyber defenders. The job is never done and constant vigilance is required. On the other hand, it is reassuring because everybody has to start some-
RkJQdWJsaXNoZXIy MTM4ODY=