The impact of DOGE and a case for non-political case studies

2025-02-12 19:52:00

On the CompTIA Instructor's Network, Greg wondered whether DOGE (the newly minted NGO in the US) is actually a threat to national security. A lively discussion broke out, where Hank remarked:

"In this case, I am not sure how to discuss the technical issues without politics."

I suggested that we can discuss the issue, from the point of view of the aspects of infosec which we teach: Risk management. Threat modeling. Assumed breach. Access controls. Data destruction.

So here's a threat modeling exercise:

• Business process: monthly social security payments
• Protected assets: PII, financial data, database with past and current transactions, credentials for authorizing payments
• Business interest: continue primary business process, maintain CIA of assets per SLA or requirements.
• Related infrastructure: office terminal, office network, database server, bank payment API
• Related personnel: office workers, customer support, database admin, server admin, bank personnel

The case:

• Threat actor: unauthorized party from outside the organisation, acting with assumed yet unverified authority.
• Threat entry: forced access to office or data center.
• Threat interests: PII, financial data, disrupting primary business process.
• Threat activities: assume control of office terminals, assume control of office worker credentials, assume control of administrator credentials, remove hardware from data center for destruction or for data retrieval.

Question to the students:

Which security controls can we put in place to disrupt the threat actor's activities and to prevent or mitigate the threat actor's interests and activities?

kilala.nl tags: work, mentor,

View or add comments (curr. 0)