Lessons for CSOs in Snowden exploit of NSA networks

Snowden used other employees' passwords, hacked firewalls to enter classified systems

How Edward Snowden roamed the National Security Agency network, stealing documents that would later be released to select media, raises a number of red flags chief security officers should pay attention to, experts say.


While working as an NSA contractor, Snowden used the passwords of other employees and hacked firewalls to enter classified computer systems, The New York Times reported over the weekend. His network movements were not monitored, because the NSA was several months away from turning on tracking software that would trace the activity of employees at the Hawaii facility where Snowden worked.

Media reports on NSA spying based on documents taken by Snowden started in June, sparking an intense national debate on the NSA's collection of massive amounts of data on the Internet activity of Americans and foreigners. Lawmakers have introduced bills in Congress to rein in the NSA.

Law enforcement and intelligence investigators told The Times that they might never have a full tally of the classified information taken by Snowden. He is living and working in Russia, which has granted him asylum for one year.

While the investigation into Snowden continues, experts said Monday that what is known so far should be enough to get CSOs thinking about securing computer systems against malicious insiders.

Too many corporate networks are designed to block intruders from the outside, but don't do enough to catch people stealing data from the inside, either for financial gain or out of revenge for not getting a raise or a promotion.

"They're kind of like an egg," Stephen Perciballi, category leader for security solutions at Softchoice, said of a lot of networks. "It may be somewhat difficult for an outsider to get in, but once you're in there, you can move around quite fluidly."

To catch malicious behavior from the inside, Zak Dehlawi, senior security engineer at Security Innovation, suggested intrusion detection systems (IDS) that are statistical-based. Such systems take a baseline measurement of normal network and computer activity and alert security pros to any deviations, such as increases or decreases in network traffic or strange IP addresses.

However, these systems require constant tuning, since what's normal will vary according to the time of day or year, Dehlawi said.

"Even worse is if a baseline measurement is taken while an attack is in progress," he said. "From that point on, the attack traffic will be considered normal traffic and will not trigger the IDS."


A relatively new technology that may be useful once it matures is called "behavioral modeling," Kevin Coleman, strategic management adviser on critical technology issues at IT services company SilverRhino, said. Such technology knows how each employee normally uses computer systems and networks and reports all abnormal behavior.

While the technology holds promise, it's not quite ready for the enterprise, Coleman said. "It hasn't, in my opinion, been proven yet to the point where I would be willing to say it's a ready-for-primetime technology."
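The statistical IDS that Dehlawi describes and the per-employee "behavioral modeling" that Coleman describes rest on the same mechanism: learn what is normal for each entity and time of day, then alert on deviations. The Python below is an added illustration of that mechanism, not code from the article or from any vendor quoted in it. The traffic sample is constructed (outbound megabytes per hour for two hypothetical accounts), the day/night split, the 3-standard-deviation threshold and the 1.0 MB floor on the standard deviation are assumptions chosen for the example, and the second training set shows the failure mode from the quote above: when the baseline is measured while a bulk night-time transfer is already under way, the same transfer later scores as normal.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound transfer volumes (MB per hour) per employee account.
# Columns: (account, hour_of_day, mb_out). Not data from the article or any real network.
CLEAN_TRAINING = [
    ("alice", 9, 120), ("alice", 11, 130), ("alice", 14, 125), ("alice", 16, 118), ("alice", 17, 127),
    ("alice", 2, 5), ("alice", 3, 4), ("alice", 23, 6), ("alice", 1, 5), ("alice", 22, 5),
    ("bob", 10, 80), ("bob", 12, 90), ("bob", 13, 85), ("bob", 15, 88), ("bob", 16, 82),
    ("bob", 0, 3), ("bob", 2, 4), ("bob", 4, 3), ("bob", 22, 4), ("bob", 23, 3),
]

# Same sample, but measured while a hypothetical bulk night-time transfer by "alice"
# was already in progress: the attack traffic becomes part of "normal".
POISONED_TRAINING = CLEAN_TRAINING + [
    ("alice", 1, 380), ("alice", 2, 390), ("alice", 3, 410), ("alice", 4, 400),
]


def period_for_hour(hour):
    """Split the day into two regimes so the baseline follows time of day (assumed boundaries)."""
    return "day" if 8 <= hour < 18 else "night"


def build_baseline(records):
    """Return {(account, period): (mean, stddev)} of mb_out over the training window."""
    buckets = defaultdict(list)
    for account, hour, mb_out in records:
        buckets[(account, period_for_hour(hour))].append(mb_out)
    return {key: (mean(vals), pstdev(vals)) for key, vals in buckets.items()}


def zscore(baseline, account, hour, mb_out, min_sd=1.0):
    """Deviation from the account's own baseline in standard deviations.

    Returns None when the (account, period) pair was never seen in training.
    The floor on the standard deviation avoids division by zero on a flat baseline.
    """
    key = (account, period_for_hour(hour))
    if key not in baseline:
        return None
    mu, sd = baseline[key]
    return (mb_out - mu) / max(sd, min_sd)


def is_anomalous(baseline, account, hour, mb_out, threshold=3.0):
    """Alert when the observation is more than `threshold` standard deviations from
    the baseline, or when there is no baseline for this account at this time of day."""
    z = zscore(baseline, account, hour, mb_out)
    return z is None or abs(z) > threshold


if __name__ == "__main__":
    clean = build_baseline(CLEAN_TRAINING)
    poisoned = build_baseline(POISONED_TRAINING)
    observation = ("alice", 2, 400)  # 400 MB outbound at 02:00
    print("clean baseline flags the night transfer:   ", is_anomalous(clean, *observation))     # True
    print("poisoned baseline flags the night transfer:", is_anomalous(poisoned, *observation))  # False
    print("clean baseline flags a normal day value:   ", is_anomalous(clean, "alice", 10, 128))  # False
```

Two design points matter in practice. Bucketing by account and by time of day is what keeps a 400 MB transfer at 02:00 distinguishable from the same volume at 14:00, which is the "constant tuning" the article refers to. And an entity with no baseline at all is treated as anomalous rather than silently passed, because a never-seen account appearing on the network is itself worth a look.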

Snowden using other people's passwords to access classified networks did not surprise experts. Many corporate employees, including IT staff, share passwords with people in their own department.

Within an IT department, a system administrator will sometimes share his password with people who need access to servers, Paul Martini, chief executive of network security company iboss, said.

Putting stricter policies in place that prevent password sharing, particularly for accounts held by administrators, would improve security, Martini said. Another best practice would include compartmentalizing the network, and giving people access only to the areas that they need to be in to do their job.


"It seems obvious, but not every IT personnel, even at the higher level, should have access to certain passwords or (critical) systems," Martini said.

Technically speaking, experts did not believe Snowden had hacked any firewalls to enter certain parts of the NSA system, as reported by The Times.

Instead, Snowden might have found an open port through a firewall, or broken into a network that was trusted by another network, Ron Gula, chief executive officer of Tenable Network Security, said.

"It's very unlikely that he broke into a firewall and then perhaps configured the firewall to give him access," Gula said. "It was much more likely he just found a port to talk to a server on the other side of that firewall."


Other stories by Antone Gonsalves
