Former National Security Agency (NSA) subcontractor Edward Snowden said recently he is willing to stand trial in the US for revealing classified information about NSA surveillance activities. Ever since he released the first classified documents in June 2013, shock waves have continued to reverberate throughout the federal IT sector. In the wake of Snowden’s insider breach, many organizations suddenly awoke to the notion that insiders – both employees and contractors – did not always have the best intentions.
Trusted insiders, especially those with elevated privileges, are often given access to tremendous amounts of sensitive information, regardless of whether they actually need that information to perform their jobs. A 2014 Ponemon/Raytheon study on insider threats reported 73 percent of privileged users believed they were entitled to access all the information they had the ability to view, and that 65 percent of them accessed sensitive or confidential data out of curiosity.
Elevated access privileges also often include the ability to make changes to systems and network configurations. The Ponemon/Raytheon survey pointed out that 54 percent of the organizations who responded regularly assign privileges to individuals that go beyond their role or responsibility. These excess access rights present a clear and present danger.
Snowden made us question how this breakdown could have occurred within a government agency tasked with maintaining national security. When it comes to information security, the answer is never one dimensional. It is usually based on shortcomings within the triad of “people-process-technology.” As a result of the breach, many agencies have been forced to take a fresh look at their often dusty (and rusty?) information security policies to assess their effectiveness within the new threat environment. Are documented procedures and guidelines put in place years ago still fresh and relevant today?
Complacency can easily creep into any organization, even the NSA, we’ve learned. So, a regular evaluation and refreshing of information security policies, procedures and guidelines is essential to prevent insider breaches, especially where codified rules and access privileges are operationalized in critical systems and tools. Outdated information security rules and privileges often lead to inappropriate insider behavior, whether intentional or accidental.
The role of technology
According to the Ponemon/Raytheon study, 69 percent of the organizations surveyed said they do not get enough contextual information from the security tools in place to understand the threats they are facing. Also, 56 percent said their tools yield too many false positives. And, while 72 percent of organizations use authentication and identity management tools to manage both regular and privileged user access, this information is not typically integrated with security tools to combat insider threats.
Security tools are focused on the bad actor attempting to break in from the outside, when, actually, many of the largest threats and vulnerabilities companies face are tied to the misuse of privileged identities inside their organizations.
When 42 percent of organizations say they are not confident they have visibility into privileged user access, improvement is long overdue. To prevent another Snowden-type breach, government agencies should consider an identity-centric approach to security in order to deal effectively and quickly with insider threats. In addition, near real-time analytical capabilities are a must.
Behavioral risk profiling, for example, can detect and prevent insider threats and anomalous activity. Gone are the days when information security staff could sift through mountains of aggregated log data from several systems and tools to uncover “what happened.” Combining the power of analytics and identity intelligence – who has access to what, when it was used or accessed, and from where – can arm agencies with risk-based threat detection and prevention capabilities to see and deal with insider threat activity.
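As an added illustration of the identity-centric, risk-based detection described above (this code is not from the article or the Ponemon/Raytheon study), the scoring below joins constructed access events with identity context: what each account is entitled to, what its role actually needs, and a baseline of usual hours and locations. It flags access that is technically permitted but exceeds the role, which is exactly what the excess privileges cited earlier allow. All users, resources, baselines and events are assumed sample data.

```python
from dataclasses import dataclass, field

# Constructed identity context (assumed sample data, not real accounts).
ENTITLEMENTS = {                      # what the account CAN reach
    "analyst1": {"reports"},
    "sysadmin1": {"reports", "configs", "hr-records"},  # broad privileged grant
}
ROLE_NEED = {                         # what the job actually REQUIRES
    "analyst1": {"reports"},
    "sysadmin1": {"configs"},
}
BASELINE = {                          # usual working hours and locations
    "analyst1": {"hours": range(8, 19), "locations": {"hq"}},
    "sysadmin1": {"hours": range(7, 20), "locations": {"hq", "dc1"}},
}
PRIVILEGED = {"sysadmin1"}

@dataclass
class Finding:
    user: str
    resource: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)

def score_event(event):
    """Score one access event against identity context; higher means riskier."""
    user, res = event["user"], event["resource"]
    f = Finding(user, res)
    if res not in ENTITLEMENTS.get(user, set()):
        f.add(5, "no entitlement")                 # should have been blocked outright
    elif res not in ROLE_NEED.get(user, set()):
        f.add(3, "entitled but outside role need") # excess privilege being exercised
    if event["hour"] not in BASELINE[user]["hours"]:
        f.add(2, "off-hours")
    if event["location"] not in BASELINE[user]["locations"]:
        f.add(2, "unusual location")
    if user in PRIVILEGED:
        f.add(1, "privileged account")
    return f

def findings(events, threshold=4):
    """Return only the events whose combined risk score reaches the threshold."""
    return [f for f in map(score_event, events) if f.score >= threshold]

# Constructed sample access events (not real log data).
EVENTS = [
    {"user": "analyst1", "resource": "reports", "hour": 10, "location": "hq"},
    {"user": "sysadmin1", "resource": "configs", "hour": 9, "location": "dc1"},
    {"user": "sysadmin1", "resource": "hr-records", "hour": 23, "location": "vpn-remote"},
]

if __name__ == "__main__":
    for f in findings(EVENTS):
        print(f.user, f.resource, f.score, "; ".join(f.reasons))
```

Only the third event is reported: it is within the account's entitlements, so an access-control list alone would never flag it, yet the role context, the hour and the location together push it well past the threshold.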
Edward Snowden did us all a favor. He made us realize we needed to reboot our security posture – and fast. He also forced bosses, families and friends to finally understand the importance of information security and the consequences of not doing it right. Meanwhile, his actions served as a brutal reminder that the role of the information security professional is never done.