The document describes a three-phase system called the Omar-Matic that provides full lifecycle tracking of CDs. Phase I involves CD dispensing kiosks that issue blank CDs and record transfers based on user authentication. Phase II adds secure storage devices called Barker Boxes. Phase III establishes a network that prevents the mounting of CDs labeled above the network's classification using barcodes corresponding to classification levels. The system aims to improve accountability and prevent data spills while not overburdening users. A prototype of Phase I could prove the concept and gain customer acceptance.
Approach the govt
The Omar-Matic, The Omar-ized Network, Omar-ized CD
writers/readers, the Barker Box
BRIEF DESCRIPTION OF THE INVENTION:
The Omar-Matic provides the full lifecycle (cradle-to-grave) tracking of CDs. It’s intended to be
used in environments, such as the Intelligence Community (IC) where users, in certain
circumstances must, for whatever reason, remove data from a system or network. When this
happens the most common mode is to burn a CD. However, within the IC, and dealing with
national security information such as SCI, Top Secret, Secret, Confidential or even Sensitive
Unclassified data, such as PII, brings on major security challenges because… once any data
leaves the confines of a “System boundary” and goes onto any removable media it becomes
subject to loss or theft (Insider Threat).
This is where the Omar-Matic comes in. The Omar-Matic blends existing Commercial Off The
Shelf (COTS) technology in such a manner to facilitate the full lifecycle tracking of all CDs.
The COTS technologies used in this concept are as follows:
- Bar-coding of CDs
- Barcode readers and printers
- DVD kiosk vending machines such as “Red Box”
- Common Access Control (CAC) badging technology and equipment
- NSA approved CD Shredders
- Receipt printers
Actually, the Omar-Matic has three distinct concepts. The first one blends the use of all the
aforementioned COTS technologies into a single package or “kiosk”. Ideally, there would be
numerous such kiosks strategically/conveniently located within a major IC facility such as the
Pentagon or the J. Edgar Hoover Building.
PHASE-I
Here’s how it works: users would use their CAC Badge to get a blank pre-labeled CD from the
Omar-Matic CD dispensing kiosk. This concept capitalizes on the fact that the CAC badge
system already “knows” this person’s security clearance and level of access. Therefore, the
kiosk would only issue blank CDs up to the security level that the person is cleared for. For
instance, if a person only held a Secret clearance then the kiosk could ONLY issue that person
any blank CD marked at Secret or below and it would disallow the issuance of TS or SCI CDs.
Also, the CAC badging system would track how many blank CDs, the classification level, even
the time/date, and the specific kiosk a particular CD came from. This running tally can be
extremely useful when it’s time for the individual to leave the organization (out process), or if the
Chief Security Officer (CSO) needed to conduct a random spot-check to ensure proper
stewardship of sensitive CDs.
This kiosk also facilitates and records the transfer of CD ownership between individuals. Since
the system knows the classification of the CD, and the clearance of the recipient, it will not allow
a custody transfer to a recipient with an inadequate clearance. Okay, so the Omar-Matic can
issue blank CDs and it can record the custody transfer between owners. What about the
imminent destruction of the CD?
The Omar-Matic kiosk is actually conjoined with an NSA-approved CD shredder and, after
proper authentication, it will securely destroy the CD. However, it will not allow the destruction
of someone else’s CDs. Moreover, it will notify the CSO of any unauthorized possession, here’s
how. Let’s say Sgt Jones, who has a TS clearance, gives Private Smith, who only has a Secret
clearance, a TS CD and tells her to go to the kiosk to destroy it. When Private Smith gets to the
kiosk the first thing she must do is scan the barcode on the CD. At this point, the system will
recognize that the true owner is, in fact, Sgt Jones. The system will then ask for the Badge &
PIN of the person attempting to destroy the CD. If Private Smith authenticates herself the
system will not destroy the CD but, instead, send an alert to the CSO that a security breach has
occurred. Essentially, Private Smith has custody of data that exceeds her clearance.
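The Phase-I rules described above (issue up to the holder's clearance, custody transfer only to an adequately cleared recipient, destruction only by the registered owner with a CSO alert for under-cleared possession) can be modelled as a small custody ledger. This is an added sketch, not part of the original proposal; the `Kiosk` class, the badge names, the `CD000001` serial format and the choice to alert only when the holder is under-cleared are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Rank order of the levels named on the page; only the ordering matters.
RANK = {"U": 1, "C": 2, "S": 3, "TS": 4, "SCI": 5}

class Denied(Exception):
    """The kiosk refused the request."""

@dataclass
class Kiosk:
    clearances: dict                             # badge -> level (stand-in for the CAC system)
    cds: dict = field(default_factory=dict)      # serial -> {"level", "owner", "state"}
    log: list = field(default_factory=list)      # append-only custody events
    alerts: list = field(default_factory=list)   # notifications for the CSO

    def _cleared(self, badge, level):
        # Unknown badges are treated as having no clearance (fail closed).
        return RANK.get(self.clearances.get(badge), 0) >= RANK[level]

    def _refuse(self, event, serial, badge):
        self.log.append((event, serial, badge))
        raise Denied(f"{event}: {serial} / {badge}")

    def issue(self, badge, level):
        if not self._cleared(badge, level):
            self._refuse("issue-refused", level, badge)
        serial = f"CD{len(self.cds) + 1:06d}"    # constructed serial format
        self.cds[serial] = {"level": level, "owner": badge, "state": "issued"}
        self.log.append(("issued", serial, badge))
        return serial

    def transfer(self, serial, giver, recipient):
        cd = self.cds[serial]
        if cd["state"] != "issued" or cd["owner"] != giver:
            self._refuse("transfer-refused", serial, giver)
        if not self._cleared(recipient, cd["level"]):
            self._refuse("transfer-refused", serial, recipient)
        cd["owner"] = recipient
        self.log.append(("transferred", serial, recipient))

    def destroy(self, serial, badge):
        cd = self.cds[serial]
        if cd["state"] != "issued":
            self._refuse("destroy-refused", serial, badge)
        if cd["owner"] != badge:
            # Someone else's CD is never shredded; an under-cleared holder triggers a CSO alert.
            if not self._cleared(badge, cd["level"]):
                self.alerts.append(f"{badge} holds {cd['level']} CD {serial} owned by {cd['owner']}")
            self.log.append(("destroy-refused", serial, badge))
            return False
        cd["state"] = "destroyed"
        self.log.append(("destroyed", serial, badge))
        return True
```

Replaying the Sgt Jones / Private Smith scenario against this model leaves the TS CD undestroyed, adds one entry to `alerts`, and records the refused attempt in `log`.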
The kiosk will also print barcode stickers to accommodate “foreign” CDs which originated from
outside the Omar-Matic system. Users would affix barcode stickers to foreign CDs so they can
be tracked. This is especially important if they contain sensitive data. Of course, not all foreign
CDs are sensitive and require tracking but all should be barcoded. That said, the 100%
barcoding policy is NOT “required” unless the customer intends to implement Phase-III.
Some of the benefits are:
- The CDs are pre-marked as per Executive Order 12958 which, to a large degree, takes the
  onus off the end user
- Provides full cradle-to-grave accountability of all CDs
- Visibility on usage, time in service (from issuance to destruction), high volume users
  (threats)
- It forces users to destroy CDs when they are no longer needed (reduce risk)
- The Omar-Matic is totally unclassified since it can only read data (barcodes) from the
  non-business side of the CD. User or “classified” data is never accessed.
- Should someone discover an abandoned CD, for example one inadvertently left in a
  bathroom, that person could take it to the closest kiosk to scan the barcode which would
  immediately reveal the registered owner.
- Enforces personal stewardship and accountability of all removable CDs.
- Uses a Phased approach and builds upon the success of previous Phases.
Building a prototype of this kiosk should be inexpensive. The hardest part would be integrating
it with existing industry standard CAC authentication systems. Consequently, early prototypes
should probably use an independent token similar to the keychain-size consumer loyalty tokens
that retailers use at the checkout. Note: RF keychain-sized tokens could work but would
probably add unnecessary complexity, especially for initial prototypes. There are many other
options to explore in this area, such as fingerprint reader (biometric) technology.
What this first concept does NOT deal with is where CDs are actually stored, especially when
you are talking about SCI, TS, and Secret data. This is where the second concept comes in.
For now, I believe that this is as far as a potential developer needs to go (Phase-I) to develop a
product/prototype that would:
1. Achieve “Proof-of-concept” and
2. Win the acceptance of the IC (sellable).
However, as any successful retailer (aka Wal-Mart) will attest, once you have an “automated”
method of tracking property it opens the door for many other interesting possibilities.
PHASE-II
The second concept (Phase-II) of the Omar-Matic is referred to in the original patent application
as “The Barker Box”. The Barker Box uses most of the COTS technology mentioned above.
Like the aforementioned kiosk, this device uses a barcode scanner, authentication appliances,
and PIN but it’s also married to a “Stack” of gutted (minus the mechanism that allows it to read
data) CD drives.
Upon user authentication, the Barker Box will open (eject) the door to one of the empty and
“gutted” CD drives within the stack. The user would use this vacant slot to “store” a CD –
essentially a safe of sorts. Internally, the gutted CD drive would then verify that the CD with
that identical barcoded serial number is, in fact, stored within. Again, only the non-business side
of the CD is read.
As with the aforementioned kiosk, the database would reflect the current status of that particular
CD, which is… secured in the Barker Box. Moreover, this system would track when the CD was
removed, by whom, for how long (threat), and how often (threat). The Barker Box takes CD
accountability to the next level but there are many other benefits that will be included in my
business plan should a developer or the Government decide to give it a green light.
PHASE-III
The third concept (Phase-III) of the Omar-Matic is referred to in the original patent application
as the Omar-ized Network and Omar-ized CD Readers and Writers. I concede that my choice of
naming conventions was a tad unfortunate. Consequently, I’m now calling this concept the
“Spill-Resistant Network” and “Spill-Resistant Drives” which is more descriptive and way less
cheesy. Anyway, the concept of this network is based on the principle that all the CD readers on
the network will NOT mount any CD that’s not “appropriately” barcoded. This concept
“forbids” any CD “known” to be classified at too high a level from ever being mounted in the
first place. It’s important to understand that data spills are, as the name would imply, committed
unintentionally - by humans. Moreover, spills cause damage and must be “cleaned up.”
However, the really clever part of this concept is the use of the Bell-LaPadula security model to
set up the barcode serial numbering scheme for all CDs used on the network. Essentially, on an
Omar-ized network all unclassified CD serial numbers will start with the number one (#1).
Confidential CDs will start with the number two (#2) and Secret CDs will start with the number
three (#3), and so on and so forth. It is important to note that the specific serial coding scheme
doesn’t really matter as long as it’s associated with a security classification level. For instance,
you could even use letters (U, C, S, TS, SCI) in the serialization of the CDs.
Omar-ized CD readers shall be set up to reflect the security classification of the network. If it’s a
Secret network then all the readers are setup to disallow the mounting of any Top Secret or
higher CD. Simply put, if the serial number begins with a four (Top Secret) or higher the CD
can NOT be mounted on the drive (disallowed).
This eliminates the inadvertent introduction of TS or higher data from contaminating (spillage)
the Secret network. When you combine this with a strict “NO Thumb-drive policy” (like many
IC agencies do anyway) you greatly reduce the chance of a data spill.
Similarly, the Omar-ized CD writers operate on the very same Bell-LaPadula security model.
Moreover, when combined with the aforementioned barcode serial numbering scheme, it actually
prevents data from being written (burned) to incorrectly labeled CDs, which is a data spill
waiting to happen.
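The reader and writer rules above reduce to a fail-closed check on the leading digit of the barcode serial. The following is an added sketch, not code from the original proposal: the digit 5 for SCI, the all-digit serial format with a minimum length of four, and the reading of the writer rule as "the blank must carry the network's own level" (no write-down, combined with the reader's mount rule) are assumptions.

```python
import re

# Leading digit -> level. 1 through 4 are from the page; 5 for SCI is an
# assumption based on "and so on and so forth".
PREFIX = {"1": "U", "2": "C", "3": "S", "4": "TS", "5": "SCI"}
RANK = {name: int(digit) for digit, name in PREFIX.items()}

def cd_level(serial):
    """Return the level encoded in a barcode serial, or None if unusable."""
    # Constructed format: digits only, at least four of them.
    if not isinstance(serial, str) or not re.fullmatch(r"[0-9]{4,}", serial):
        return None          # missing, damaged or foreign barcode
    return PREFIX.get(serial[0])   # unknown leading digit -> None

def may_mount(serial, network):
    """Reader rule: refuse any CD labelled above the network's level."""
    level = cd_level(serial)
    if level is None:
        return False, "not appropriately barcoded"
    if RANK[level] > RANK[network]:
        return False, f"{level} CD refused on {network} network"
    return True, f"{level} CD allowed on {network} network"

def may_burn(serial, network):
    """Writer rule (assumed reading): blank must match the network's level."""
    ok, why = may_mount(serial, network)
    if not ok:
        return ok, why       # writers inherit the reader's refusal
    level = cd_level(serial)
    if RANK[level] < RANK[network]:
        return False, f"{network} data must not be burned to a CD labelled {level}"
    return True, f"burn to {level} CD allowed"
```

On a Secret network this mounts serials beginning with 1, 2 or 3, refuses those beginning with 4 or higher and any CD without a readable serial, and burns only to blanks beginning with 3.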
Of course, there are times when personnel in the IC must “migrate” data from a system of a
higher classification down to a system of a lower classification. This process is fraught with
risk and must only be done under tightly controlled processes by trained and competent
personnel. Such a process usually involves what is known in the industry as an “air-gap” or
“sneakernet.” Like other subtle nuances associated with the Omar-Matic, my process to migrate
system high data down to a system of a lower classification has also evolved. All these
evolutions I recorded in my “inventor’s notebook”. On an Omar-ized network only “privileged
users” would have the access to regular (non-Omar-ized) CD writers which would be the ONLY
machine(s) that would allow High-low data transfer. However, I have since devised a process to
facilitate this High-Low transfer and here’s how it works.
Let’s assume the entire network is classified Secret and a user on that network has an
unclassified Word file that they need to email to someone on the internet (unclassified). On the
Omar-ized network there would be a webpage (SharePoint would work fine) where the user
would upload the aforementioned file. Obviously, the user would then have to populate some
typical data fields such as the urgency (priority) of the request. A “Ticket” is then automatically
generated and someone from the pool of “privileged users” is notified. The privileged users
should be trained and equipped (non-Omar-ized CD writers) to migrate the data from the Secret
system down to an unclassified CD which is then “air-gapped” to an unclassified internet
terminal. The privileged user would then email (on the internet) the word file to the general user
who could then confidently forward it on to whomever they need to.
Assumptions:
1. The IC (or for that matter wider industry) uses removable media, for whatever reason, to
transfer data from one system to another.
2. Removable media is used to fulfill a need to transfer data from one system to another.
3. Removable media isn’t going away anytime soon – or at least until “cloud computing” comes
to fruition. Even then, would it be too risky for the IC?
4. Removable media is susceptible to being lost or stolen (risk)
5. A trusted insider (Robert Hanssen) would exploit unmonitored/uncontrolled removable
media to get data off of a system and out of a secure facility.
6. When data is on a system it is “secure” up to the level of protection afforded (accredited) to
that system but once the data is transferred to any removable media it is less secure.
7. Once a CD is “written to” (at least the ones we’ll be using) it is then “closed out” and can no
longer be written to again (one-time shot) whereas thumb-drives can be written to repeatedly.
8. Removable media is temporary, and to that end, the assumption is that… it will (or should),
eventually be destroyed - if not think Barker Box.
9. When someone obtains a blank CD, either from an Omar-Matic kiosk or their communal
office supply cabinet, the intent is to (sooner or later) actually write data to it. Essentially, no
one obtains a blank CD to use it as coaster for their coffee cup.
10. If someone obtains a CD marked Secret they intend to write at least some Secret data to it.
11. IC system users know the importance of correctly marking/labeling any electronic media
which contains National Security Information (EO 12958).
12. When using regular blank CDs (not the pre labeled blanks) system owners are relying on
users to correctly label (SF 707 (1-87) etc.,) the media. Consequently, system owners must
accept the risk that the media might be mislabeled or remain unlabeled due to human error.
13. If you discover any removable media marked classified (Secret, TS, etc.) one must “assume”
that it has classified data on it and… you must take appropriate measures to “secure” that CD
until its status can be confirmed.
14. A lost CD could actually cause more damage than a lost laptop.
15. If someone loses a laptop the assumption is that they’ll be “found out” however, if someone
loses an unaccounted for CD they’d just burn another. CDs only cost about 32 cents each.
16. No one knows how many CDs are burned in the government and industry or if they are
incorrectly disposed of.
17. If we build a working prototype and allow a Government customer to pilot such a contraption
they’d love it!
18. Users would accept this concept since all the technology (barcode scanning, vending
machines, etc.) is woven into our daily personal lives. Also, subconsciously, vending
machines are associated with pleasure (ATMs, DVD rental, candy, soda, condoms)
19. The Omar-Matic will NOT completely prevent a highly motivated trusted insider from
removing the media from the facility and copying it while in the parking lot and then quickly
returning the CD to avoid detection. However, if you dovetail RF tagging between Phases II
and III and… if you monitor the time between when it’s pulled from the Barker box to when
it’s mounted onto an Omar-ized CD Reader (and vice versa) this “residual” risk can be
mitigated too.
20. The Omar-Matic will NOT completely stop all data spills, lost media, thwart all trusted
insiders or cure world hunger. However, it will improve CD stewardship and impose
personal accountability of all CDs used on the network and make it harder for a trusted
insider to steal.
21. The Omar-Matic places no additional administrative burden on end users only that they
correctly store, transfer, and destroy all the CDs they use - the logging of those three
activities is recorded automatically.
22. Since the entire system is unclassified, full system management, i.e. trend analysis,
chronological tripwires, inventory restocking, user out processing, etc., could in fact, be done
remotely by the vendor (which would be us) making the CSO completely unburdened by
this new process (think entirely new service industry – a niche market perhaps?)
23. If the customer decides to go “whole-hog” on Phase-I we may want to engineer a transition
period. This period could involve a “CD amnesty box” to capture orphaned, unlabeled,
mislabeled, and unloved “mystery” CDs. This would also give the organization an
opportunity to start from ground zero. Interestingly, close scrutiny of the amnesty CDs may
further reveal the scope of a previously unrealized problem and further justify wider use of
this product.
24. The FBI will need more CD writers. On April 1, 2010 at an “FBI Employee Town Hall
meeting” in front of a packed audience the FBI Director Robert S. Mueller, III stated, “we
will buy more CD writers”. I know this because my Supervisor (Mike Simmons) and I were
in that audience when the Director said it.
25. The Webster Commission actually meant what they said on page 78 of their report “…The
FBI should study the feasibility of bar coding particularly sensitive classified material, such
as asset files, to facilitate control and tracking.”
Essentially, most cyber-security warriors are focused on DMZs, IDS’, firewalls and all that
geeky stuff. I concede that stewardship of removable media isn’t sexy but should be viewed as
fundamental to a robust and holistic cyber-security solution. Simply put, what good are all the
router patches, port scans, and red teaming if Robert Hanssen can waltz out the front door with a
wallet full of CDs?
Stewardship & accountability matters and I believe that this will separate a potential
developer/cyber-security company from the rest of the pack. This innovative approach to
removable media stewardship can showcase our deeper appreciation of cyber-security
challenges.