1. CD Lifecycle & Data Spill Solutions Omar J. Fakhri Ph: (727) 505-4701 [email_address]

3. The Webster Commission’s Report “… The FBI should study the feasibility of bar coding particularly sensitive classified material, such as asset files, to facilitate control and tracking .” (Page 78) FBI Strategic Objective: IVA.1 Protect the FBI from compromise of its employees. “Security and counterintelligence professionals generally agree that the most significant threat to an organization’s internal security is betrayal by a trusted insider.” (Page 84)

5. Technology Blending For Cradle-to-Grave Lifecycle Tracking of Recordable Media (CDs) Phase I Components: a. Authenticate & Issue b. Authenticate & Transfer c. Authenticate & Destroy Barcode Printer CAC Badges & Readers TS S C U SCI Pre Bar-coded (blank) CDs Barcode Readers NSA Certified CD Destroyers Optional Receipt Printing CD Vending Machines Kiosk #11

12. Phase II Storage

13. Phase II - Technology Blending For Secure CD Storage Same Components From Phase I SU#22 Gutted ( Stackable ) CD Drives + TS S C U SCI Bar-coded (blank) CDs

16. Phase III Spill-Resistant Network

17. Phase III Spill-Resistant Network All CD Readers and CD Writers Require Barcode Reader to Access Drive a. General User Desktop CD Readers Integrated With Barcode Reader b. Communal Desktops with Same-Level CD Burners c. Centralized High-Low CD Burner Process a., b., & c. should be deployed together

18. Phase III c. Centralized High-Low CD Burner Process (Only CD Drives that can operate without a Barcode Reader) Phase III b . Communal Desktops with Same-Level CD Burners Phase III a. General User Desktop CD Readers Integrated With Barcode Reader Spill-Resistant Network Topography Works on both thin-client and client-server environments CD Readers Only Same Classification CD Writers Only

19. Phase III a. General User Desktops CD Readers Integrated With Barcode Reader User scans barcode on CD to access CD drive. The first digit of the Serial Number (SN) determines if drive can be accessed. Example: Unclassified systems with CD Readers will NOT mount CDs with SNs beginning with # 2 or higher Confidential systems will NOT mount CDs with SNs beginning with 3 or higher Secret systems will NOT mount CDs with SNs beginning with # 4 or Higher. Etc… Prevents the reading of CDs that are classified higher than the system (data spill) Kiosk #11 CD Readers Only Introduction of “Foreign” CDs? Use Barcode Printer

20. Phase III b. Communal Desktops with Same-Level CD Burners User must scan barcode on CD to access CD Bruner . The first digit of the Serial Number (SN) determines if drive can be accessed. Example: Unclassified systems with CD burners will only mount CDs with SNs beginning with # 1 Confidential systems will only mount CDs with SNs beginning with # 2 Secret systems will only mount CDs with SNs beginning with # 3 . Etc… Prevents Users writing data to incorrectly marked blank CDs (data spill waiting to happen)

21. Phase III c. Centralized High-Low CD Burner Process Privileged User emails (low side) sanitized file to user User Uploads File to High-Side SharePoint System generates Ticket Privileged User from pool uses “Integrity” (aka Dirty word search & Secure Copy) to burn file(s) to unclassified (Green) CD Air Gap/Sneaker Net 1 Upload 2 Track 4 Secure Transfer 3 Verify 5 Deliver & Close Ticket (Step 2)

24. The Webster Commission’s Report “ For instance, an information system auditing program would surely have flagged Hanssen’s frequent use of FBI computer systems to determine whether he was the subject of a counterintelligence investigation.” (Page 4) “ Over twenty-two years and more than forty passes, Hanssen turned over to Soviet and Russian intelligence an estimated twenty-six diskettes and 6,000 pages of classified information.” (Page 16) “… over seven years ago, the CIA IG concluded that Aldrich Ames’ access to computer “terminals that had floppy disk capabilities represented a serious system vulnerability’.” (Page20) However, if you control the “vehicle” or medium of how information “walks out” of your facility you reduced the insider threat by denying the traitor the medium to do it with. Omar J Fakhri

25. The following 6 slides are a copy of the Narrative (Word doc) also located on this website

26. The Omar-Matic, The Omar-ized Network, Omar-ized CD writers/readers, the Barker Box BRIEF DESCRIPTION OF THE INVENTION: The Omar-Matic provides the full lifecycle (cradle-to-grave) tracking of CDs. It’s intended to be used in environments, such as the Intelligence Community (IC) where users, in certain circumstances must, for whatever reason, remove data from a system or network. When this happens the most common mode is to burn a CD. However, within the IC, and dealing with national security information such as SCI, Top Secret, Secret, Confidential or even Sensitive Unclassified data, such as PII, brings on major security challenges because… once any data leaves the confines of a “ System boundary ” and goes onto any removable media it becomes subject to loss or theft (Insider Threat). This is where the Omar-Matic comes in. The Omar-Matic blends existing Commercial Off The Shelf (COTS) technology in such a manner to facilitate the full lifecycle tracking of all CDs. The COTS technology used in this concept are as follows: Bar-coding of CDs Barcode readers and printers DVD kiosk vending machines such as “Red Box” Common Access Control (CAC) badging technology and equipment NSA approved CD Shredders. Receipt printers Actually, the Omar-Matic has three distinct concepts. The first one blends the use of all the aforementioned COTS technologies into a single package or “kiosk”. Ideally, there would be numerous such kiosks strategically/conveniently located within a major IC facility such as the Pentagon or the J. Edger Hoover Building. PHASE-I Here’s how it works, users would use their CAC Badge to get a blank pre-labeled CD from the Omar-Matic CD dispensing kiosk. This concept capitalizes on the fact that the CAC badge system already “knows” this person’s security clearance and level of access. Therefore, the kiosk would only issue blank CDs up to the security level that the person is cleared for. For instance, if a person only held a Secret clearance then the kiosk could ONLY issue that person any blank CD marked at Secret or below and it would disallow the issuance of TS or SCI CDs. Also, the CAC badging system would track how many blank CDs, the classification level, even the time/date, and the specific kiosk a particular CD came from. This running tally can be extremely useful when its time for the individual to leave the organization (out process), or if the Chief Security Officer (CSO) needed to conduct a random spot-check to ensure proper stewardship of sensitive CDs. This kiosk also facilitates and records the transfer of CD ownership between individuals. Since the system knows the classification of the CD, and the clearance of the recipient, it will not allow a custody transfer to a recipient with an inadequate clearance. Okay, so the Omar-Matic can issue blank CDs and it can record the custody transfer between owners. What about the imminent destruction of the CD?

28. PHASE-II The second concept (Phase-II) of the Omar-Matic is referred to in the original patent application as “The Barker Box”. The Barker Box uses most of the COTS technology mentioned above. Like the aforementioned kiosk, this device uses a barcode scanner, authentication appliances, and PIN but it’s also married to a “Stack” of gutted (minus the mechanism that allows it to read data) CD drives. Upon user authentication, the Barker Box will open (eject) the door to one of the empty and “gutted” CD drives within the stack. The user would use this vacant slot to “store” a CD – essentially a safe of sorts. Internally, the gutted CD drive would then verify that the CD with that identical barcoded serial number is, in fact, stored within. Again, only the non-business side of the CD is read. As with the aforementioned kiosk, the database would reflect the current status of that particular CD, which is… secured in the Barker Box. Moreover, this system would track when the CD was removed, by whom, for how long (threat), and how often (threat). The Barker Box takes CD accountability to the next level but there are many other benefits that will be included in my business plan should a developer or the Government decide to give it a green light. PHASE-III The third concept (Phase-III) of the Omar-Matic is referred to in the original patent application as the Omar-ized Network and Omar-ized CD Readers and Writers. I concede that my choice of naming conventions was a tad unfortunate. Consequently, I’m now calling this concept the “Spill-Resistant Network” and “Spill-Resistant Drives” which is more descriptive and way less cheesy. Anyway, the concept of this network is based on the principal that all the CD readers on the network will NOT mount any CD that’s not “appropriately” barcoded. This concept “forbids” any CD “known” to be classified at too high a level from ever being mounted in the first place. It’s important to understand that data spills are, as the name would imply, committed unintentionally - by humans. Moreover, spills cause damage and must be “cleaned up.” However, the really clever part of this concept is the use of the Bell-La Padula security model to setup the barcode Serial numbering scheme for all CDs used on the network. Essentially, on an Omar-ized network all unclassified CD serial numbers will start with the number one (#1). Confidential CDs will start with the number two (#2) and Secret CDs will start with the number three (#3) so on and so fourth. It is important to note that the specific serial coding scheme doesn’t really matter as long as it’s associated with a security classification level. For instance, you could even use letters (U, C, S, TS, SCI) in the serialization of the CDs. Omar-ized CD readers shall be setup to reflect the security classification of the network. If it’s a Secret network then all the readers are setup to disallow the mounting of any Top Secret or higher CD. Simply put, if the serial number begins with a four (Top Secret) or higher the CD can NOT be mounted on the drive (disallowed). This eliminates the inadvertent introduction of TS or higher data from contaminating (spillage) the Secret network. When you combine this with a strict “NO Thumb-drive policy” (like many IC agencies do anyway) you greatly reduce the chance of a data spill.

29. Similarly, the Omar-ized CD writers operate on the very same Bell-La Padula security model. Moreover, when combined with the aforementioned barcode serial numbering scheme, it actually prevents data from being written (burned) to incorrectly labeled CDs, which is a data spill waiting to happen. Of course, there are times when personnel in the IC must “migrate” data from a system of a higher classification down to a system of a lower classification. This is a process is fraught with risk and must only be done under tightly controlled processes by trained and competent personnel. Such a process usually involves what as known in the industry as an “air-gap” or “ sneakernet .” Like other subtle nuances associated with the Omar-Matic, my process to migrate system high data down to a system of a lower classification has also evolved. All these evolutions I recorded in my “inventor’s notebook”. On an Omar-ized network only “privileged users” would have the access to regular (non-Omar-ized) CD writers which would be the ONLY machine(s) that would allow High-low data transfer. However, I have since devised a process to facilitate this High-Low transfer and here’s how it works. Let’s assume the entire network is classified Secret and a user on that network has an unclassified Word file that they need to email to someone on the internet (unclassified). On the Omar-ized network there would be a webpage (SharePoint would work fine) where the user would upload the aforementioned file. Obviously, the user would then have to populate some typical data fields such as the urgency (priority) of the request. A “Ticket” is then automatically generated and someone from the pool of “privileged users” is notified. The privileged users should be trained and equipped (non-Omar-ized CD writers) to migrate the data from the Secret system down to an unclassified CD which is then “air-gapped” to an unclassified internet terminal. The privileged user would then email (on the internet) the word file to the general user who could then confidently forward it on to whomever they need to. 25 Assumptions: 1. The IC (or for that matter wider industry) uses removable media, for whatever reason, to transfer data from one system to another. 2. Removable media is used to fulfill a need to transfer data from one system to another. 3. Removable media isn’t going away anytime soon – or at least until “ cloud computing ” comes to fruition. Even then, would it be too risky for the IC? 4. Removable media is susceptible to being lost or stolen (risk) 5. A trusted insider ( Robert Hanssen ) would exploit unmonitored/uncontrolled removable media to get data off of a system and out of a secure facility. 6. When data is on a system it is “secure” up to the level of protection afforded (accredited) to that system but once the data is transferred to any removable media it is less secure. 7. Once a CD is “written to” (at least the ones we’ll be using) it is then “closed out” and can no longer be written to again (one-time shot) whereas thumb-drives written to repeatedly. 8. Removable media is temporary, and to that end, the assumption is that… it will (or should), eventually be destroyed - if not think Barker Box. 9. When someone obtains a blank CD, either from an Omar-Matic kiosk or their communal office supply cabinet, the intent is to (sooner or later) actually write data to it. Essentially, no one obtains a blank CD to use it as coaster for their coffee cup.

30. 10. If someone obtains a CD marked Secret they intend to write at least some Secret data to it. 11. IC system users know the importance of correctly marking/labeling any electronic media which contains National Security Information (EO 12958). 12. When using regular blank CDs (not the pre labeled blanks) system owners are relying on users to correctly label (SF 707 (1-87) etc.,) the media. Consequently, system owners must accept the risk that the media might be mislabeled or remain unlabeled due to human error. 13. If you discover any removable media marked classified (Secret, TS, etc.) one must “assume” that it has classified data on it and… you must take appropriate measures to “secure” that CD until its status can be confirmed. 14. A lost CD could actually cause more damage than a lost laptop. 15. If someone loses a laptop the assumption is that they’ll be “found out” however, if someone loses an unaccounted for CD they’d just burn another. CDs only cost about 32 cents each. 16. No on knows how many CDs are burned in the government and industry or if they are incorrectly disposed of. 17. If we build a working prototype and allow a Government customer to pilot such a contraption they’d love it! 18. Users would accept this concept since all the technology (barcode scanning, vending machines, ect.) is woven into our daily personal lives. Also, subconsciously, vending machines are associated with pleasure (ATMs, DVD rental, candy, soda, condoms) 19. The Omar-Matic will NOT completely prevent a highly motivated trusted insider from removing the media from the facility and copying it while in the parking lot and then quickly returning the CD to avoid detection. However, if you dovetail RF tagging between Phases II and III and… if you monitor the time between when it’s pulled from the Barker box to when it’s mounted onto an Omar-ized CD Reader (and vise versa) this “residual” risk can be mitigated too. 20. The Omar-Matic will NOT completely stop all data spills, lost media, thwart all trusted insiders or cure world hunger. However, it will improve CD stewardship and impose personal accountability of all CDs used on the network and make it harder for a trusted insider to steal. 21. The Omar-Matic places no additional administrative burden on end users only that they correctly store, transfer, and destroy all the CD’s they use - the logging of those three activities is recorded automatically. 22. Since the entire system is unclassified, full system management, i.e. trend analysis, chronological tripwires, inventory restocking, user out processing, etc., could in fact, be done remotely by a the vendor (which would be us) making the CSO completely unburdened by this new process (think entirely new service industry – a niche market perhaps?) 23. If the customer decides to go “whole-hog” on Phase-I we may want to engineer a transition period. This period could involve a “CD amnesty box” to capture orphaned, unlabeled, mislabeled, and unloved “mystery” CDs. This would also give the organization an opportunity to start from ground zero. Interestingly, close scrutiny of the amnesty CDs may further reveal the scope of a previously unrealized problem and further justify wider use of this product.

31. 24. The FBI will need more CD writers. On April 1, 2010 at an “FBI Employee Town Hall meeting” in front of a packed audience the FBI Director Robert S. Mueller, III stated, “ we will buy more CD writers ”. I know this because my Supervisor (Mike Simmons) and I were in that audience when the Director said it. 25. The Webster Commission actually meant what they said on page 78 of their report “…The FBI should study the feasibility of bar coding particularly sensitive classified material, such as asset files, to facilitate control and tracking .” Essentially, most cyber-security warriors are focused on DMZs, IDS’, firewalls and all that geeky stuff. I concede that stewardship of removable media isn’t sexy but should be viewed as fundamental to a robust and holistic cyber-security solution. Simply put, what good are all the router patches, port scans, and red teaming if Robert Hanssen can waltz out the front door with a wallet full of CDs? Stewardship & accountability matters and I believe that this will separate a potential developer/cyber-security company from the rest of the pack. This innovative approach to removable media stewardship can showcase our deeper appreciation of cyber-security challenges. Omar J. Fakhri (Inventor) 727-505-4701 [email_address]

32. Pulling it all together The NSA approved SEM Model 1200 CD-ROM Declassifer about $5K https://www.semshred.com/contentmgr/showdetails.php/id/54 Barcode reading equipment. Symbol MK1100 Self-Service Micro Kiosk Item No.: MK1100 List price: $1,305.00 http://www.scanonline.com/mk1100.html There’s tons of vending machine makers who make to order http://www.seagamfg.com/custom.html http://www.teleasy.com/quikflikweb1.asp Prototype Productions, Inc. http://www.protoprod.com/ HID is the access badge system currently in use by the FBI http://www.proximitycards.com/ http://www.geindustrial.com/ge-interlogix/products/access/HID.html The supplier of Govt. CD’s who’d have to put the barcode serial number on the CD’s http://www.at-ease-inc.com/atease.html

33. The Webster Report “ Much of Robert Hanssen’s espionage involved compromising FBI document security by photocopying or downloading classified material and carrying it out of Bureau facilities . Thefts by a trusted employee entitled to read most of what he stole are difficult to prevent, short of invasive searches.” (Page 73) “ It is impossible to determine the number of classified documents the FBI receives, generates, and handles each year because production and copying of Secret documents are not regulated .” (Page 74) “ The FBI imposes no physical controls on disseminating and copying most categories of classified material within FBI space” (Page 76) “ FBI manuals should establish a time limit for maintaining working copies of classified documents so that managers can better monitor retention of copies ... The FBI should study the feasibility of bar coding particularly sensitive classified material, such as asset files, to facilitate control and tracking .” (Page 78)

34. The Webster Report “ Much of Robert Hanssen’s espionage involved compromising FBI document security by photocopying or downloading classified material and carrying it out of Bureau facilities . Thefts by a trusted employee entitled to read most of what he stole are difficult to prevent, short of invasive searches.” (Page 73) “ It is impossible to determine the number of classified documents the FBI receives, generates, and handles each year because production and copying of Secret documents are not regulated .” (Page 74) “ The FBI imposes no physical controls on disseminating and copying most categories of classified material within FBI space” (Page 76) “ FBI manuals should establish a time limit for maintaining working copies of classified documents so that managers can better monitor retention of copies ... The FBI should study the feasibility of bar coding particularly sensitive classified material, such as asset files, to facilitate control and tracking .” (Page 78)