Slashdot Mirror


Ask Slashdot: Preventing Snowden-Style Security Breaches?

Nerval's Lobster writes "The topic of dealing with insider threats has entered the spotlight in a big way recently thanks to Edward Snowden. A former contractor who worked as an IT administrator for the National Security Agency via Booz Allen Hamilton, Snowden rocked the public with his controversial (and unauthorized) disclosure of top secret documents describing the NSA's telecommunications and Internet surveillance programs to The Guardian. Achieving a layer of solid protection from insiders is a complex issue; when it comes to protecting a business's data, organizations more often focus on threats from the outside. But when a trusted employee or contractor uses privileged access to take company data, the aftermath can be as catastrophic to the business or organization as an outside attack. An administrator can block removal of sensitive data via removable media (Snowden apparently lifted sensitive NSA data using a USB device) by disabling USB slots or controlling them via access or profile, or relying on DLP (which has its own issues). They can install software that monitors systems and does its best to detect unusual employee behavior, but many offerings in this category don't go quite far enough. They can track data as it moves through the network. But all of these security practices come with vulnerabilities. What do you think the best way is to lock down a system against malicious insiders?"


  1. simple by greenfruitsalad · · Score: 5, Insightful

    Simple. Do good, make people working for you feel they're doing something good for the world.

    1. Re:simple by MightyMartian · · Score: 4, Insightful

      Yes, well, perhaps in La-la Land. Here, in reality, no matter how good your organization may be (for whatever definition of "good" you choose to use), you may still end up with bad employees. The question of securing your data shouldn't be about good or evil, or any particular moral judgment, but simply about how to make sure your critical and confidential data doesn't end up being ripped off.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:simple by Jeremiah+Cornelius · · Score: 4, Insightful

      Hark! Do I hear the approach of the Freedom Drone?

      Stop launching Hellfires on babies, and stop treating the Citizens of your Republic like suspects in your dragnet.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    3. Re:simple by fuzzyfuzzyfungus · · Score: 4, Insightful

      Exactly. If an employer is doing nothing wrong, then at least long-term, it has nothing to hide. :-D

      There are still merely-self-interested insiders: It's practically a tradition for Mr. Sleazy McSales to abscond with all the customer data when he accepts a position with the competition, and his engineering counterparts to lift design docs and the like for the same purpose.

      Doing good does have the advantage of reducing disillusionment among your otherwise-least-corruptible people, and helps prevent economically-irrational leaking; but you still have to worry about the merely mercenary.

    4. Re:simple by kthreadd · · Score: 3, Insightful

      Let's say that the PRISM program managed to stop X number of terrorist attacks. As an NSA employee you might very well consider your work to be of good. Otherwise you would probably not work there. And this is probably true for many types of jobs. Good is a relative term, it depends on the viewer.

    5. Re:simple by rtfa-troll · · Score: 5, Insightful

      The question of securing your data shouldn't be about good or evil, or any particular moral judgment, but simply about how to make sure your critical and confidential data doesn't end up being ripped off.

      There's a certain level that you can go that way. However, in the end, to be useful data has to be loaded into people's heads. People can then unload part of it elsewhere. A very important part of securing the data is making sure that those people who could do that choose not to because they see the value of your mission. Those people who surround them also see the value and put social pressure not to reveal secrets. When the US loses its moral authority by doing things identical to acts it has previously criticised, this is obviously going to increase the risk of a leak.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    6. Re:simple by gweihir · · Score: 4, Insightful

      Indeed. Loyalty is the only thing that works. DLP is basically a scam to make tons of money, but cannot prevent leakage. As long as people work with data, they can steal that data. Get used to it.

      You can do a bit of personality screening. For example if you are the NSA, you want to screen out anybody with a shred of personal ethics or honor. Then make sure you bribe these people into staying loyal to you and keep the bribes up. Sure, you only get psychos that way, but nothing else is going to work.

      If, on the other hand, your organization is actually contributing something positive, then make sure your employees have ethics and honor, believe in the cause and address grievances before they become a problem.

      Loyalty is the key, and how to get it depends on what your organization does. Nothing besides loyalty will help against anybody determined.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:simple by TheCarp · · Score: 2, Insightful

      > you may still end up with bad employees. The question of securing your data shouldn't be about
      > good or evil, or any particular moral judgment, but simply about how to make sure your critical and
      > confidential data doesn't end up being ripped off.

      Don't let your employees access any data that you don't want them to release. Period.

      If you are really that worried, then you can't give them access. If someone has access to the data, and feels it should be released, they will release it, they will find a way, and nothing you do is going to be able to prevent it.

      Any measure you take can be defeated, short of not allowing access at all. Store the data on systems that are connected to nothing and require physical access in a secure and monitored location. Make them work under the eye of cameras. Stand over their shoulder while they work.

      Seriously, short of that, you are hosed. In the end, don't do things that people will want to release, and you solve the vast majority of the problem. The more controversial your secrets (that is, the more people who see you as evil) the more control you need to prevent it.

      So.... don't deserve a Snowden and the chances that you will have one are seriously reduced.

      --
      "I opened my eyes, and everything went dark again"
    8. Re:simple by Dahamma · · Score: 5, Insightful

      No, the general question TFA asks about security breaches really has nothing to do with right and wrong or morality, it was simply about protection of data from insiders in any organization. What if Snowden's motivation had instead been monetary (which is much more common in security breaches than whistleblowing)? Or industrial espionage instead of government?

      Protecting data from internal leaks is a complex issue, and pretending "if you are good it won't happen" is idiotic.

    9. Re:simple by CanHasDIY · · Score: 4, Insightful

      Let's say that the PRISM program managed to stop X number of terrorist attacks. As an NSA employee you might very well consider your work to be of good. Otherwise you would probably not work there. And this is probably true for many types of jobs. Good is a relative term, it depends on the viewer.

      You seem to be under the impression that most people have the job they have because they want to "do good."

      That is incorrect; the actual reason most people have a job at all is because it's damn-near-if-not impossible to survive today without some form of monetary income.

      I'm guessing the dicks at the NSA (yea, that's right, I called you all dicks. Prove me wrong.) do what they do because the paycheck is quite fat; on the other hand, I guess some people would sell their own mother to the slavers for a pack of smokes and a lighter...

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    10. Re:simple by peragrin · · Score: 4, Insightful

      The trick with that is what was the ratio of attacks stopped versus the number of people "looked" at?

      In the UK there is a current debate on random stop and search used by police. The noticeable point is that it is 9% effective in finding someone doing something wrong.

      So if the police stop and search 100 cars they find 9 people who are breaking the law.

      Prism is spying on tens of millions, to find a couple dozen.

      That is why it should be stopped. They should turn that kind of data mining loose not on the outside world but on their own internal agencies. If the NSA data mines, searches emails, databases, etc. they could get far better results.

      It would single-handedly merge the agencies that don't want to cooperate and produce far better results.

      --
      i thought once I was found, but it was only a dream.
    11. Re:simple by Anonymous Coward · · Score: 0, Insightful

      No, TFA asks about Snowden style security breaches - and his reason for doing it has to be included, otherwise the question wouldn't include his name.

    12. Re:simple by MightyMartian · · Score: 3, Insightful

      Can you tell me how reduced? What percentage of data theft by insiders is by whistle blowers, and what percentage is by employees out to screw employers or profit by selling sensitive information?

      My gut tells me the latter far outweighs the former, but clearly you must have some notion as you say that being a good organization will seriously reduce your risk.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    13. Re:simple by Anonymous Coward · · Score: 2, Insightful

      Nope -- most people who work for the NSA would probably make more money as web developers or whatever the current make-money-fast job role is. Most of them honestly believe that they are doing something worth doing beyond just money.

      Hard for you to believe, I guess. Maybe you should thank them?

      My problem with this is that they may think they are doing good, but are they really?

    14. Re:simple by Grishnakh · · Score: 4, Insightful

      The people working for the Stasi thought they were doing the "right thing" too.

    15. Re:simple by Grishnakh · · Score: 4, Insightful

      The intent of the Stasi was to look for any kind of "traitors" or subversives, not just people trying to escape; the NSA's mission was the same: spy on the populace.

      If the USA was right next door to a country that was a much better place to live, and accepted any escapees with open arms, and enough people started emigrating there that it seriously affected the economy, then the US would certainly ban emigration. It doesn't have to because it has no reason to at this point; there aren't a lot of places that are significantly better, none of them are nearby, and those that are aren't highly friendly to immigrants unless they have valuable skills or a lot of money in the bank, plus for the moment the employment situation for those people with valuable skills is still pretty decent here. When the economy crashes even harder in the next few years, and if any countries start courting our tech workers (causing a "brain drain"), you can bet your ass that emigration out of the US will be forbidden.

  2. Nice try NSA by stewsters · · Score: 5, Insightful

    How about try not to do anything you would be embarrassed by if it leaked? Not ignoring the 4th Amendment is a good start.

  3. Lesson Number One..... by segedunum · · Score: 5, Insightful

    Don't piss off the sys admin.

  4. Don't be dicks, you'll get fewer whistleblowers by Anonymous Coward · · Score: 5, Insightful

    Obeying your country's constitution and not operating for the sole benefit of oligarchs and barons of commerce would go a long way towards limiting whistleblowing activity.

    If you want to go the opposite direction, I guess you could lock up your employees in a bunker and hold their families hostage.

  5. Limit access by Xargle · · Score: 5, Insightful

    Have separation between levels of security and have fewer & fewer admins working on them as you go up the chain. Use the old established and trusted guys at the top. Don't have thousands of people (particularly contractors) crawling all over the most sensitive data. Seems obvious really. Look at the amount of data *Private* Bradley Manning got his hands on. It's like NSA & Govt just leave the barn doors open and hope the fear of prosecution will prevent the bad thing from happening.

  6. Stay legal? by mike449 · · Score: 4, Insightful

    How about not doing illegal things in the first place?
    A lot of motivation for insiders to disclose the "sensitive" information would go away.

  7. Does it matter if there's only one bid by rsborg · · Score: 3, Insightful

    That always ensures quality.

    With our recent innovation of no-bid contracts (well, there's one bid - from the crony that's been hand-selected by the corrupt government department), you get all the benefits of outsourced work along with the quality of a supplier with a monopoly for your project(s).

    --
    Make sure everyone's vote counts: Verified Voting
  8. Re:Nice try NSA by intermodal · · Score: 5, Insightful

    That was certainly an issue. If we're talking Snowden-style, the best deterrent is to actually conduct your operations within the law and within the boundaries of ethical behaviour. Snowden wouldn't have had anything to leak if the government were operating within the legitimate bounds of the constitution.

    --
    In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
  9. Same Problem as DRM by Jah-Wren+Ryel · · Score: 4, Insightful

    While all the "don't be evil" responses are cathartic and fun, the real issue here is that you can't simultaneously give someone access to data and prevent them from having access to the data. You can make it more difficult to access the data but the price is that it is more difficult to access the data. You can't read minds so intent is not something you can reliably build into the system.

    --
    When information is power, privacy is freedom.
  10. Its simple really. by Nadaka · · Score: 3, Insightful

    Don't have morally repugnant and illegal secrets.

  11. Re:Nice try NSA by Anonymous Coward · · Score: 2, Insightful

    You can't legalize unconstitutional activity with legislation. Either amend it to allow what you think is necessary, or scale back your concept of necessity. There are no alternatives.

  12. Re:Nice try NSA by Moof123 · · Score: 5, Insightful

    I'm going to fail Godwin's law off the bat here, but remember that Hitler was lawfully elected and his SS all worked within the law. The letter of the law can be twisted and re-written to make torture "legal", but that does not mean that it is OK since it is legal. The fact that "enhanced interrogation", and now "enhanced observation", is legal and was known to Congress should be MUCH scarier than if it came out that the NSA was breaking the law without congressional oversight.

  13. Re:We don't want to prevent them, duh. by techsoldaten · · Score: 4, Insightful

    The question is what you can do to prevent it, not whether or not Snowden is a hero.

    It's an interesting problem on its own. Imagine the situation in reverse - someone working in IT for an aid organization, beset by government hackers looking for information about political opponents who would kill them. How do you prevent someone from leaking information of a completely non-criminal nature to forces who mean to do them harm?

    One of the problems with disclosures, and why they are so divisive, is that they expose people's relative values. For everyone who thinks Snowden is a hero, there is someone who thinks he broke an oath and the government is being completely reasonable.

    It's not worthwhile to judge situations the same way you judge individuals. I work with a lot of NGOs where people would get killed if information about their operations is exposed, and one of the big threats is someone handing over documents under duress.

  14. What bugs me the most... by RoknrolZombie · · Score: 3, Insightful

    I think what bugs me the most about these most recent leaks is that the ONLY people surprised by it are the members of the public. The various governments know that they're being watched...mainly because they're doing watching on their own (that they're not supposed to do), that they talk about (which is monitored by other nations), rinse, repeat. Of course, it behooves all of the various countries involved to deny it...they don't want to look like douchebags, after all. But then again, how many of them look "squeaky clean" after the last round of releases that established that they were spying too? Everyone knows they do it, everyone has known that they've been doing it...so why in the fuck is anyone pretending to be surprised?

    On topic, I have two answers for you depending on how your question was intended.

    A1: You don't. You will never stop "leaks" of any sort, because you will inevitably be fooled into trusting the wrong person at some point. Leaks will always happen, even if there's been no wrongdoing (leaks can take the form of corporate secrets, for example).

    A2: If you mean how do we stop leaks like this, as in, leaks about Governments infringing on public rights and acting like utter jagoffs the solution is far far simpler: Stop being jagoffs, stop breaking the law. Hell, that's the answer that WE get, isn't it? "You don't have anything to worry about if you're not breaking the law"...well, if they don't want people to blab about the Gubmint breaking the law, the Gubmint should stop breaking the law and they won't have anything to worry about. Right?

  15. Re:Doesn't address the problem. by amRadioHed · · Score: 4, Insightful

    Two months ago Snowden was living in Hawai'i with an attractive girlfriend and a decent salary. How is that more dysfunctional than living in a Russian airport on the run from the US government?

    --
    We hope your rules and wisdom choke you / Now we are one in everlasting peace
  16. Re:Nice try NSA by Grog6 · · Score: 4, Insightful

    I lost mod points to post this, but this is the only use I've ever seen in 20+ years of internet, where Godwin did not apply.

    We are ruled by an organization akin to the Gestapo.

    There are Secret rules, secret Courts, and the Judges aren't allowed to comment, and have never ruled against the State.

    I still remember when America Didn't Torture People; everyone responsible should be hanged.

    --
    Truth isn't Truth - Giuliani
  17. Why would you prevent such breaches? by hackus · · Score: 1, Insightful

    The type of breach Snowden performed was right and proper.

    Why would you want to prevent such a breach?

    ??

    Besides he didn't turn over weapon systems designs, like our government is doing on a daily basis to China.

    Now THAT is treason.

    -Hack

    --
    Got Geometrodynamics? Awe, too hard to figure out? Too bad.