Network Lighthouse

While this is not my usual topic, there’s something very wrong with this story, it pays to remember how closely information security is tied to physical security:

Former Energy Worker Admits Trying To Sell Nuclear Secrets – Insider threats/Attacks – DarkReading.

The short of it is that a janitor managed to walk out of a US DoD site with a number of components developed as part of a nuclear research project.   After successfully getting them on site, he tried selling them to the French Government.  Fortunately it was the French, not some semi-hostile government, and so they reported him to the FBI who arrested him.

What can we learn from this story?  Firstly treat your cleaners as if they are privy to your most sensitive secrets, because in all likelihood they are. Things get left on desks, in photocopiers, ‘secure’ document disposal bins  all the time, and cleaners often have unsupervised access to all parts of your offices.

Secondly, a number of vital security controls were either missing or failed for him to take them.  Inventory control should have noticed that sensitive items were missing,and so sparked a full scale investigation.  Secondly it shows the weakness  of manual security searches, why was he taking equipment on and offsite anyway.