5 Steps To Stop A Snowden Scenario

Published: 22/11/2024   Category: security




The NSA leaks by a systems administrator have forced enterprises to rethink the risk of an insider leak and the access their privileged users hold.



No organization wants to believe one of its own could go rogue. But after being blindsided by the Edward Snowden leaks, even the highly secretive National Security Agency has been forced to overhaul its procedures to lock down just what its most privileged users can access and do with sensitive information.
As the Snowden case demonstrated, it's not easy to detect an insider threat. Some 54 percent of IT decision-makers say it's harder to catch insider threats today than it was in 2011, and nearly half acknowledge that their organizations are vulnerable to a rogue insider attack, according to a new report (PDF) published today by Vormetric and co-authored by the Enterprise Strategy Group. It's a matter of more users accessing the network, including contractors, and the loss of control over data due to cloud computing, for example, according to the findings.
Privileged users a la Snowden are their biggest concern, with 63 percent saying their organizations are ripe for abuse by those users; some 45 percent of IT decision-makers say they've changed their views on insider threats in the wake of reports on Snowden's leaks to the press.
"Up until this [Snowden] case, it was all about providing support, getting customers supported, and getting data to the right people. It was not about analyzing [the admin's] access," says Bob Bigman, former CISO of the CIA. "To provide support, Snowden was given more access than he should have been given ... What exacerbated it was that not only did he have access to his systems there, but systems he had privileges on that were trusted to other systems within NSA. That enabled him to jump [among] various systems ... It was all done under the banner of customer support."
NSA officials told National Public Radio that as sys admin, Snowden had access to an NSA file-sharing location on the agency's intranet in order to move sensitive documents to secure places on the network. The NSA didn't catch him copying the files, however, and the agency now has implemented a two-person rule for access so a lone wolf can't leak sensitive information like Snowden did.
"It's human nature to hope for the best. But hope is not a security plan," Bigman says.
Big-name companies are putting in place new insider threat prevention programs. Dell, for example, which was Snowden's employer prior to his gig at NSA contractor Booz Allen, coincidentally is beginning the rollout of its new insider threat prevention program, which has been in the works for the past two years. Dell calls the initiative its knowledge assurance program.
John McClurg, Dell's CSO, says "insider risk" is a more appropriate term than "insider threat."
"Not all insiders pose a threat. Many of them carry a vulnerability with them ... that a threat vector might exploit, and some might become the threat vector," says McClurg, who notes that avoiding false positives that misidentify an insider as malicious when instead his or her credentials are stolen is important.
"You do an analysis of what gave way to the false positive," says McClurg, who declined to comment on the Snowden case.
And like any advanced cyberattack, there's no way to stop a determined rogue insider from stealing or leaking information -- it's all about minimizing the damage. "You put in layers that slow them down. Have an active detection capability in place," says Larry Brock, former CISO at DuPont and president of Brock Cyber Consulting. "You have time to stop them in their tracks before they do damage," says Brock, who previously worked for the NSA.
[A determined user or contractor hell-bent on leaking data can't be stopped, but businesses should revisit their user access policies and protections. See NSA Leak Ushers In New Era Of The Insider Threat.]
Rob Rachwald, senior director of market research at FireEye -- who will present at Interop some best practices being adopted by enterprises to prevent, detect, and catch early any insider misbehavior -- says the sys admin problem is really nothing new.
"I remember at one of my first jobs, a sys admin was busted for reading everybody's email down there in the server room in the late '90s," Rachwald says. "It's been going on forever. The big problem is, sys admins are always being defined by big companies like Microsoft and Oracle. They've put some security in [their software], but the fundamental problem is that they are not security companies."
Here are some tips culled from Rachwald's research, as well as other security experts, on how to trip up or catch a possible rogue insider in the act:
1. Work closely with the business side to ID critical information to protect -- and loop in the senior execs.
"Start small and think big," Rachwald says. Quite often, security people come in with a little "boil-the-ocean approach," he says. Work with the various lines of business to pinpoint where the "crown jewels" reside and lock them down, he says.
"We found that from an alignment standpoint, good security people have made the problem very personal," Rachwald says of research he conducted. "So they worked with the lines of business to understand the impact of what could go wrong: If this got breached, what would it do to your competitive situation or brand? They're asking lots of those questions to make it personal."
Dell's McClurg notes that the first phase of Dell's program was identifying where its critical data sits, ensuring it's categorized or labeled, for instance. "The first phase of most everyone you talk to is, 'What is the status, the environment?' And call out those opportunities you need to improve, [such as] how you grapple with historical data points, some of which could reside in access control systems, for example," he says.
Brock, meanwhile, says he has seen companies assign a senior, non-IT person as a bridge to work closely with the CEO and security team to review security projects and progress. "Some organizations are reluctant to take this up to the senior leadership in the company. I believe that's crucial. The CEO and [his or her] team really needs to understand these threats," he says.
2. Team with your legal and human resources departments.
Make it as difficult as possible for an insider to go rogue by tying user policies in with the legal department and HR, Rachwald says.
One company in his study created processes that would trigger the legal department to step in. "If the [employee] were off-boarded [from the company's systems], they'd give a list of things he had access to, apps. If any of this came up with the competition, it would be under scrutiny," Rachwald says.
Have HR inform employees on the consequences of a competitor getting stolen information, for instance. "A lot of companies are working closely with HR not to just implement policies around insider threat, but also training on the reason behind it," he says.
3. Decentralize your security department model.
Some large enterprises have embedded security staffers within the various lines of business so they forge closer ties with them and better understand their data security needs, FireEye's Rachwald says.
"They could understand the line of business and work very carefully with the owners on what the important data is, what the important processes are, who the data owners are, and put processes in place," he says. "There's a big benefit when [security] people understand that business extremely well."
The catch, of course, is such a model isn't realistic for resource-strapped smaller companies, which are stuck with a more centralized approach.

4. Education, education, education.
Training users on security and appropriate use and online behaviors means different things to different organizations. But like any training program, to be effective, it's all about engaging the user on his or her turf.
One major manufacturer took a different spin on training its users. "It's half [the] time on how to protect families and kids [online], and the other half on the workplace," Rachwald says. "They made it very personal and interesting."
Part of that includes empowering users in the kill chain. "It's called ownership," Bigman says. "We had this in the government ... you have to make sure employees are part owners of the issue by having a role in ensuring all data will be secure. They have to understand their activity is being monitored."
"If they do malicious things, there are sure to be administrative and legal actions," he says.
5. Revoke privileges from overprivileged users.
Know what your super users have access to, and lock them down so that they don't have complete control of the data. "Does he need access to all of this information to do his job?" Rachwald says.
Keep an eye out for aberrant behavior, he says. A red flag with Bradley Manning, for example, should have been when he downloaded massive amounts of data from SharePoint, Rachwald says. "You need the ability to stop that behavior," he says.
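The "massive download" red flag above is the kind of thing a simple per-user baseline can surface. The following is an added example, not code from the article or from any vendor it names; the file-share access log is constructed, and the threshold (ten times the user's own median daily volume, after at least three days of history) is an assumed heuristic, not a published rule.

```python
from collections import defaultdict
from statistics import median

# Constructed file-share access log: (day, user, action, bytes). Not real data.
SAMPLE_LOG = [
    ("2024-11-18", "alice", "download", 20_000_000),
    ("2024-11-18", "bob",   "download", 15_000_000),
    ("2024-11-19", "alice", "download", 25_000_000),
    ("2024-11-19", "bob",   "download", 12_000_000),
    ("2024-11-20", "alice", "download", 18_000_000),
    ("2024-11-20", "bob",   "download", 14_000_000),
    ("2024-11-21", "alice", "download", 22_000_000),
    ("2024-11-21", "bob",   "download", 3_400_000_000),  # bulk pull, far above bob's norm
    ("2024-11-21", "bob",   "upload",   1_000_000),       # uploads are not counted
]

def daily_download_totals(log):
    """Sum downloaded bytes per (user, day); other actions are ignored."""
    totals = defaultdict(int)
    for day, user, action, nbytes in log:
        if action == "download":
            totals[(user, day)] += nbytes
    return totals

def flag_bulk_downloads(log, ratio=10.0, min_history=3):
    """Flag a user's day when its download volume exceeds `ratio` times the
    median of that user's earlier days. A user with fewer than `min_history`
    earlier days is not judged: there is no baseline yet, and a one-day
    history would make the median trivially easy to skew."""
    totals = daily_download_totals(log)
    per_user = defaultdict(list)
    # ISO dates sort correctly as strings, so this orders each user's days.
    for (user, day), nbytes in sorted(totals.items(), key=lambda kv: kv[0][1]):
        per_user[user].append((day, nbytes))
    alerts = []
    for user, days in per_user.items():
        for i, (day, nbytes) in enumerate(days):
            history = [b for _, b in days[:i]]     # only days before this one
            if len(history) < min_history:
                continue
            baseline = median(history)
            if baseline > 0 and nbytes > ratio * baseline:
                alerts.append({"user": user, "day": day, "bytes": nbytes,
                               "baseline": baseline, "ratio": nbytes / baseline})
    return alerts
```

On the constructed log, bob's 2024-11-21 total is roughly 240 times his median and is the only alert; alice's day stays within her normal range.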
A password vault is one way to better manage privileged users. "The vault can be used to store admin passwords and employ a feature where if the admin needs access to something, he puts in a request to the vault," Brock says. "The vault system sends the request on to an approver, who then approves that access for a certain period of time, say four hours," says Brock, who has used such a process. "The vault automatically changes the password, and the admin is logged out. It can only grant access for that task."
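The request, approve, time-boxed checkout and automatic rotation cycle Brock describes can be modelled in a few dozen lines. This is an added illustration, not the code of any vault product; `PrivilegedVault`, its method names, and the injected clock are hypothetical, and the approver check also enforces the two-person rule mentioned earlier in the article.

```python
import secrets
from collections import namedtuple
from dataclasses import dataclass, field

# An approved, time-boxed checkout; expires_at is in seconds on the injected clock.
Grant = namedtuple("Grant", "account admin approver expires_at")

@dataclass
class PrivilegedVault:
    now: callable                                  # injected clock, for testing
    passwords: dict = field(default_factory=dict)  # account -> current password
    pending: dict = field(default_factory=dict)    # request id -> (account, admin)
    grants: dict = field(default_factory=dict)     # request id -> Grant

    def add_account(self, account):
        self.passwords[account] = secrets.token_urlsafe(24)

    def request(self, account, admin):
        """Admin asks for an account; nothing is released until someone approves."""
        if account not in self.passwords:
            raise KeyError("unknown account")
        rid = secrets.token_hex(8)
        self.pending[rid] = (account, admin)
        return rid

    def approve(self, rid, approver, hours=4):
        """Two-person rule: the approver must not be the requesting admin."""
        account, admin = self.pending[rid]
        if approver == admin:
            raise PermissionError("requester cannot approve their own request")
        del self.pending[rid]
        self.grants[rid] = Grant(account, admin, approver, self.now() + hours * 3600)

    def checkout(self, rid, admin):
        """Release the current password only to the admin named in an unexpired grant."""
        self._expire()
        g = self.grants.get(rid)
        if g is None or g.admin != admin:
            raise PermissionError("no active grant for this admin")
        return self.passwords[g.account]

    def verify(self, account, password):
        """What the target system checks: is this still the current password?"""
        self._expire()
        return secrets.compare_digest(self.passwords[account], password)

    def _expire(self):
        # Close expired grants and rotate, so a checked-out password dies with the grant.
        for rid, g in list(self.grants.items()):
            if self.now() >= g.expires_at:
                del self.grants[rid]
                self.passwords[g.account] = secrets.token_urlsafe(24)
```

Because rotation happens on expiry rather than on the admin's cooperation, a password copied out during the four-hour window stops working when the window closes, which is the property Brock is describing.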
Mike Tierney, vice president, business development and operations, at insider threat prevention vendor SpectorSoft, says sys admins especially need scrutiny because they have so much access to sensitive information. "Companies are starting to establish a role outside of IT that's responsible for monitoring systems admins ... But there's always one last watcher who has to be trusted," he says.
SpectorSoft today rolled out an insider threat monitoring platform that provides an early warning system when policies are broken, data is stolen, or other fraud or illicit activity is detected. The Spector 360 Recon tool encrypts the continuously monitored activity and stores it in a vault on users' PC or Mac workstations.
