Thursday, December 19, 2013

Security Credit

Bottom line up front the way the generals like it.  I take on vulnerability, all the additional threat is against me, and I assume all the risk.  Just to have my job.
Executive summary because the bosses who wear stars on their camouflage at the office like those, too.  There's a bit of utter stupidity to being a government employee.  In my job I am required to hold a government travel card and government passport.  That's right, I am required to increase my attack footprint [pdf] to have my job. 

Extra Credit

The points against the credit card are simple and straightforward enough for even a Treasury Department employee to understand.  Even though this card is For Official Use Only [pdf], the government has no financial risk in this credit card.  Externalities, they call it.  It's open credit on my report, not theirs.
It isn't common, but if the government doesn't settle travel expenses in a timely manner, it hurts my credit.  Just having it as an open account hurts my credit.  And not just the temptation for me to use or misuse the account as that linked article is concerned about.  It is yet another valid account for an attacker to break into and use for fraud.  The card itself, that stupid chit of plastic, is an identity document which can be counterfeited.  Speaking of misuse, done by me or anyone, it hurts my credit, not my employer.  If some waiter skims the card I have to dispute the fraud or it's my credit rating that gets destroyed.  And yes, cards can be and are misused in that very way even though they are clearly marked, "For Official Government Travel Only."
The entire program adds vulnerability to me and I am required to assume all of the risk.  I've voiced this to management as an employee and a security professional but the program and the requirement for employment remain unchanged.

Papers, Please

Whether I travel outside the United States or not, frequently or not, I am required to hold an official government passport.  An identity document which can be misplaced or stolen between trips or while traveling.  And, just like with the credit cards, having a valid passport means an attacker can counterfeit a valid identity document for an attack.

Bottom's Up

Bottom line at the bottom the way the generals like it.  The entire pile of externalities, forcing the employee to assume all this additional risk as a condition of employment, should be redirected back to the organization.