Slashdot Mirror
Ask Slashdot: Preventing Snowden-Style Security Breaches?
Nerval's Lobster writes "The topic of dealing with insider threats has entered the spotlight in a big way recently thanks to Edward Snowden. A former contractor who worked as an IT administrator for the National Security Agency via Booz Allen Hamilton, Snowden rocked the public with his controversial (and unauthorized) disclosure of top secret documents describing the NSA's telecommunications and Internet surveillance programs to The Guardian. Achieving a layer of solid protection from insiders is a complex issue; when it comes to protecting a business's data, organizations more often focus on threats from the outside. But when a trusted employee or contractor uses privileged access to take company data, the aftermath can be as catastrophic to the business or organization as an outside attack. An administrator can block removal of sensitive data via removable media (Snowden apparently lifted sensitive NSA data using a USB device) by disabling USB slots or controlling them via access or profile, or relying on DLP (which has its own issues). They can install software that monitors systems and does its best to detect unusual employee behavior, but many offerings in this category don't go quite far enough. They can track data as it moves through the network. But all of these security practices come with vulnerabilities. What do you think the best way is to lock down a system against malicious insiders?"
Simple. Do good, make people working for you feel they're doing something good for the world.
We won't help you cover your asses for the future. It's time to clean house.
How about try not to do anything you would be embarrassed by if it leaked? Not ignoring the 4th Amendment is a good start.
That always ensures quality.
My mom says I'm cool.
Don't piss off the sys admin.
Obeying your country's constitution and not operating for the sole benefit of oligarchs and barons of commerce would go a long way towards limiting whistleblowing activity.
If you want to go the opposite direction, I guess you could lock up your employees in a bunker and hold their families hostage.
Access to secret data and documents should be on a need-to-know basis, or a practical approximation of it. It's clear that he had access far beyond what he needed to know. If he can't get at the sensitive documents in the first place he can't copy them to USB or use his cellphone to take pictures of them or upload them to his Wikileaks partners.
---------
There is inferior bacteria on the interior of your posterior.
Nice try, NSA.
Have separation between levels of security and have fewer & fewer admins working on them as you go up the chain. Use the old established and trusted guys at the top. Don't have thousands of people (particularly contractors) crawling all over the most sensitive data. Seems obvious really. Look at the amount of data *Private* Bradley Manning got his hands on. It's like NSA & Govt just leave the barn doors open and hope the fear of prosecution will prevent the bad thing from happening.
Explosive collars.
How about not doing illegal things in the first place?
A lot of motivation for insiders to disclose the "sensitive" information would go away.
That always ensures quality.
With our recent innovation of no-bid contracts (well, there's one bid - from the crony that's been hand-selected by the corrupt government department), you get all the benefits of outsourced work along with the quality of a supplier with a monopoly for your project(s).
Make sure everyone's vote counts: Verified Voting
Man can make it, man can break it, it's that simple.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
This is an age old problem. It partially requires people skills, and it requires technology. A couple ideas:
1: First thing is compartmentalize. One person shouldn't have access to all the goodies.
2: USB devices are easy to control. I can push a GPO on Windows that blocks writing to any USB flash drive, or just locks out access completely so someone can't hook up their iPod Touch, run iTunes and copy files that way. Third party programs can offer this functionality as well. Of course, there are always BIOS locks. If one doesn't care about reselling machines, snipping wires and epoxy blobs in the USB ports will finish the job.
There are other devices and ports too. Firewire, Thunderbolt, and even PCIe cards can be hazardous. Don't forget the humble old CD-ROM burner in most machines.
3: Watch data and its access. If a Windows admin suddenly is slurping down everything in the accounting directory, and it isn't a backup utility doing this, then someone should be notified.
4: I normally dislike DRM, but I have used an IRM/RMS server in house for protecting files. That way, if someone slurps off a Word document, it works fine if running on my machine, but unless they saved it to another format, it will be encrypted on their end. I've used Microsoft's RMS for about ten years now for personal items, and it does a decent job as a secondary layer, especially when coupled with some other encryption.
5: Get a solution that can make heads/tails over audit logs. Splunk is nice (though expensive.)
6: Add documents that are normally not accessed, but if they are, they immediately trigger an alert from the solution mentioned in #5. That way, if someone is doing a mass copy of files, someone knows. Most likely it is part of the job, but it is wise to have a couple tripwires.
7: Spend your time and do background checks that work. Checking for felonies, yes. Demanding usernames/passwords to Facebook for ongoing monitoring 24/7, no.
8: Finally, morale. A company that always threatens its developers with offshoring, and has low morale will have far more security issues than one that at least knows how to treat people with some modicum of respect.
Thus, you'll have nothing to hide.
Otherwise, it's a moot point; to paraphrase Mr. Universe, you can't stop the signal, bitch.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
1. Access to information in a need-to-know basis only using strong enforcement via MAC. Nobody has ALL the information on a specific subject.
2. All applications are used via virtual desktops accessed from secured, fully managed devices. No access is allowed from unmanaged endpoints of any kind.
3. If some information is as sensitive as described, then physical security enforcement need to be in place (isolated terminal room for example).
4. No printing, no emailing, no networking outside the proper security perimeter.
5. Regular audits and interviews to personnel with access to specific pieces of data.
You'll have to sacrifice convenience for security in environments that require that.
While all the "don't be evil" responses are cathartic and fun, the real issue here is that you can't simultaneously give someone access to data and prevent them from having access to the data. You can make it more difficult to access the data but the price is that it is more difficult to access the data. You can't read minds so intent is not something you can reliably build into the system.
When information is power, privacy is freedom.
Don't have morally repugnant and illegal secrets.
Not really an answer to the question, but good security design should focus on identifying all of the relevant threats (aka a "threat model") and mitigating all of them to the degree that makes sense -- and any good threat model will inevitably identify insider threats as the highest risks most at need of mitigation, because, by definition, insiders have greater opportunities to conduct attacks, and they have roughly the same motives as external attackers.
If you find that your organization doesn't spend 95+% of its security time, money and effort on foiling insider attacks, it's almost certainly not doing a good job. If it is adequately hardened against insiders it'll be darned near impossible for outsiders.
My impression of the NSA has always been one of an extremely high degree of competence, so the Snowden leaks surprised me. You can't stop insiders from gaining access to the data they need to do their jobs, of course (though you can often segment job responsibilities to minimize it), but you can and should make it a lot harder for them to get access to other sensitive data, and Snowden was apparently able to get a lot of stuff that wasn't relevant to his responsibilities.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Stop doing things that seem illegal or immoral to your employees. Stop lying. Stop cheating. Stop cowering behind secret courts.
As people say about the data collected by the NSA: if you haven't done anything wrong then you have nothing to hide. The NSA was hiding this program because they knew it was wrong.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
No matter how deep a background check goes, no matter how thorough the inquiry is into a person's character, no matter how many interviews are made of friends and family, and no matter how many polygraph tests are performed, if a person is given a position that requires some trust there is always going to be a chance that this person is going to abuse the trust. Psychopaths and sociopaths the the scariest of these people because they have no problem with lying, are good at it because they are usually good at being manipulative, are often very well liked by family and friends, and can lie without end like a baby-kissing politician running for re-election and still pass a polygraph test.
Perhaps the problem is in the kind of people being sought for these jobs that require great trust. While a person needs to be squeaky clean to get security clearance, perhaps the squeaky clean requirement is causing the government to choose some from the wrong pool of candidates. My experience has been that you will have a better chance of finding an honest man (or woman) by looking at those who have messed up in his or her life, is genuinely repentent, and has demonstrated through years of clean and honest living that he or she is worthy of such great trust. The gratitude that comes from being given this second chance is an incredible motivator in steering a straight and narrow course through life.
It's really quite a simple choice: Life, Death, or Los Angeles.
Its as simple as halting creepy anti-social, anti-democratic, and anti-freedom police state activities, lying about them, and justifying it with how much you hate/think lowly of the general population, and how you'll easily get away with it.
Then mabey the people who work for you won't question your blatant lack of morals.
I agree with this point. It's not impossible to stop leaks, but organizations can change to mitigate the impact one individual can have.
The thing that is most interesting to me about the Snowden case, as well as the Manning case, is the level of access intelligence communities give to these people. I mean, Manning was able to dump years of diplomatic cables, and Snowden has been able to detail a worldwide architecture of network ops.
Did they really need to have this much access to information? If their roles were more compartmentalized, these situations would be different.
I feel the problem with these leaks is a management issue moreso than the acts of individuals. Taking young, principled, intelligent guys and giving them the keys to a trove of information about questionable activities is just not the way to run an organization. The people he reported to should be the ones being indicted over this.
A solution (without knowing the particulars) would be to spread out access across a range of individuals with specific skill sets in their area and that's it. If you want to train people to be hackers, focus their development on one level of infrastructure and make it impossible for one guy to do this all on his own.
The question is what you can do to prevent it, not whether or not Snowden is a hero.
It's an interesting problem on it's own. Imagine the situation in reverse - someone working in IT for an aid organization, beset by government hackers looking for information about political opponents who would kill them. How do you prevent someone from leaking information of a completely non-criminal nature to forces who mean to do them harm?
One of the problems with disclosures, and why they are so divisive, is that they expose people's relative values. For everyone who thinks Snowden is a hero, there is someone who things he broke an oath and the government is being completely reasonable.
It's not worthwhile to judge situations the same way you judge individuals. I work with a lot of NGO where people would get killed if information about their operations is exposed, and one of the big threats is someone handing over documents under duress.
Basically, the GDR (former Eastern Germany) had similar problems with their border guards: guards would usually patrol the border in pairs (two guards at any given time). And this is obviously a necessary thing in border patrol.
But since the government couldn't trust their guards and since there indeed was a possibility that the guards would just jump across the border to Western Germany, they had a brilliant plan: (1) they made sure that each of the guards came from a completely different area of the country, and (2) that they didn't spend too much time with together in order to build trust between them. So, for the case (2), the government decided to create new pairs every week or so... it worked quite successfully.
Now, the question, obviously, is whether you *want* to be something like the former Eastern German Government.
I believe there are a lot of ways of protecting data against malicious employees - one being the way the Eastern German Government did (this might be a good solution actually for the NSA). Other ways are making sure that the employees in question can never copy any data by any means, whether it is by blocking USB-ports, not having any drives, not allowing *any* personal devices at all, including no cameras, smartphones, etc. You might even force the people to use a company-provided mobile phone even for their private calls (without snooping into their calls) without cameras, data connection, etc (just calls+sms).
Lastly, you could consider using a TrustedOS with levels such as B1-B3 or even A1 or Beyond-A1. http://en.wikipedia.org/wiki/TCSEC
I knew TISX http://en.wikipedia.org/wiki/Trusted_Information_Systems, which had (afaik) the only B2-TOS at that time. It was quite ingenious how it worked...
I think what bugs me the most about these most recent leaks is that the ONLY people surprised by it are the members of the public. The various governments know that they're being watched...mainly because they're doing watching on their own (that they're not supposed to do), that they talk about (which is monitored by other nations), rinse, repeat. Of course, it behooves all of the various countries involved to deny it...they don't want to look like douchbags, after all. But then again, how many of them look "squeaky clean" after the last round of releases that established that they were spying too. Everyone knows they do it, everyone has known that they've been doing it...so why in the fuck is anyone pretending to be surprised?
On topic, I have two answers for you depending on how your question was intended.
A1: You don't. You will never stop "leaks" of any sort, because you will inevitably be fooled into trusting the wrong person at some point. Leaks will always happen, even if there's been no wrongdoing (leaks can take the form of corporate secrets, for example).
A2: If you mean how do we stop leaks like this, as in, leaks about Governments infringing on public rights and acting like utter jagoffs the solution is far far simpler: Stop being jagoffs, stop breaking the law. Hell, that's the answer that WE get, isn't it? "You don't have anything to worry about if you're not breaking the law"...well, if they don't want people to blab about the Gubmint breaking the law, the Gubmint should stop breaking the law and they won't have anything to worry about. Right?
"According to the report, which scrutinized the approval of security clearances, more than 483,000 government contractors had "top secret" clearance as of last October. On top of that, another 582,000 have "confidential" or "secret" clearance."
That is... WELL OVER ONE MILLION PEOPLE with access to sensitive information. More or less 1 in every 300 citizens of 'murica.
If you don't see a potential data breach here, I really don't know what you're looking for.
Snowden made the information public, but who knows how many others sent information to foreign agencies? With one million people with access I bet data breaches happen quite more often than this one case.
Privacy is terrorism.
If you don't want to be publicly embarrassed and humiliated and lose any credibility you have by being exposed as someone who lies, cheats, steals, and violates your Citizens' rights, then don't lie, cheat, steal, and violate your Citizens' rights.
Two months ago Snowden was living in Hawai'i with an attractive girlfriend and a decent salary. How is that more dysfunctional than living in a Russian airport on the run from the US government?
We hope your rules and wisdom choke you / Now we are one in everlasting peace
No explanation, really. The threat of having your life taken away from you is enough to keep most toeing the line.
There still are a few, very few for whom integrity and doing the right thing is more valuable than their own life. What do you think the English King would have done to Paul Revere if the king's minions had caught him? What about some of the other early Americans that participated in the revolution? There are still a few people on this earth who will subscribe to the notion of "Give me liberty or give me death". To me it looks like Edward Snowden is one of these people.
A sufficiently advanced simulation is indistinguishable from reality.
Here are a few ideas:
1. Video cameras with 100% coverage of any room with computers with sensitive data. Live monitoring of said cameras.
2. Securely locked computer cases. Since I haven't seen any computer cases that allow for truly secure padlocks this may require making your own computer cases out of say 1/4" steel and with thick case hardened hasps designed with large padlocks in mind.
Or alternatively you could design a case by permanently welding the case closed. If something goes wrong inside you simply melt the whole thing down. A custom designed case will also allow you to bury any of the absolutely necessary external connections like for a keyboard and mouse inside the locked or welded case. Any data would need to be backed up through the internet or other network connection, which again is buried inside the secure case.
3. Checkpoints with metal detectors set to their highest sensitivity for all personnel entering or leaving, but this will only work if it is sensitive enough to detect a single microSD card. Strip searches and cavity searches for all departing personnel with access to sensitive data.
4. You could lock your employees into a secure facility and never allow them to leave. If they try to quit you kill them and melt their body in a large dedicated acid bath.
Of course this would have to be combined with severing all contact with the outside world. Internet connections or any kind of telephone would be forbidden. Also make certain that no computer has wifi capability and/or make the rooms with the computers with sensitive data into Faraday cages to prevent any wireless data transfer.
5. A water lock. In order to exit your facility your employees must swim through a tube filled with water. The problem with this is that a microSD card could be protected by wrapping it in plastic or something. You could also use salt water and run a nonlethal current through it.
6. Do not allow employees anywhere to put a data storage device. Do not allow any clothes or bags of any kind inside. They would store all of their belongings including their clothes in a locker before they entered the facility proper. Combined with cavity searches this could be quite effective even without any of the other measures. To help with employee retention make sure that the searchers are very, very attractive and that sexual preferences are observed at all times.
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
Married employees with kids and a mortgage don't have as much leeway to indulge their conscience.
Sad, but true.
I've given this a lot of thought, and compiled a solid rant on the subject.
My thesis about privacy in 2013 - 2020:
Lets start with some facts:
1. The Spy agencies in NZ, UK, USA, Australia and Canada spy on everyone, even their own citizens. 2. The UK copies literally everything that traverses the Internet and keeps it for 3 days for analysis (EVERYTHING!) 3. The USA shares this information (including commercial secrets) with its private enterprises to help them win international business. 4. So many people work for these agencies that from time to time this information is made public. 5. Nobody really cares. 6. The chances of any of these organisations giving up such a valuable source of power are about the same as global nuclear disarmament 7. It’s only a matter of time until the local police have access to all this information. 8 . In 2001, as sysadmin of BSSC I could read the email of every teacher and every student at that school, without leaving a trace of evidence, nor with any fear of punishment for wrongdoing.
So, I assert: You have no privacy online. You never really did. It was only by unspoken rule of sysadmins that we let you have the illusion of privacy. Ed Snowden betrayed sysadmins.
Strangely, Google poise to release the most important advancement toward our goal of total access to information - a video camera strapped to every second person’s head (Google Glass), and people are up in arms (9) and so are the governments best poised to take advantage! (10).
I think we’ve got it all wrong. Let’s stop bitching about this rampant surveillance and embrace it.
Let’s get our spy agencies to make everything they’ve got available to everyone! Let’s mandate that every Google glass camera must be on all the time, every phone must have its microphone on all the time, every GPS recording its location and all this content uploading to the cloud!
Information WANTS to be free! EVERYONE should have access to EVERYTHING!
Then it will hardly be accessed, because if Facebook status updates have proven anything it’s that it’s no fun spying on all your friends if all they do all day is play Farmville.
Finally, these civil libertarians realise that nobody really cares about them, or their “right to privacy”, and we will be able to make the most out of google glass (11).
Sources:
1. http://www.spiegel.de/international/world/interview-with-whistleblower-edward-snowden-on-global-spying-a-910006.html
2. http://mashable.com/2013/06/21/gchq-spy-agency-taps-global-internet/
3. http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html
4. Bradley Manning, Edward Snowden
5. http://www.news.com.au/
6. http://io9.com/5969204/could-nuclear-disarmament-actually-increase-our-chance-of-an-apocalypse
7. “if the information is there, it’s already collected, why not use it to prosecute the crime? Why are you protecting the guilty? If you’re innocent you will want us to use this information to exonerate you.”
8. I read your email. Get over it.
9. http://www.policymic.com/articles/29585/3-new-ways-google-glass-invades-your-privacy
10. http://news.cnet.com/8301-1023_3-57591975-93/google-glass-privacy-concerns-persist-in-congress/
11.
Ripley: I say we take off and nuke the entire site from orbit. It's the only way to be sure.
http://nukeitfromorbit.com/
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
As someone else already said: You can not give someone access to data while not giving them access to data.
What you can make a hell of a lot more difficult is the ability to get the data out in any other way than inside someone's head.
At the extreme range, allow people to enter and exit the building only naked, changing into work-clothes on the inside that never leave the building. Don't forget cavity searches.
Oh, wait - you were planning to run an office, not a prison? That's gonna make things a little more tricky as human beings tend to be picky about archaic things like dignity.
The non-bullshit answer is basically this: The freaking NSA fucked this one up. If you really think a random collection of hints on /. is going to give you a better shot, you need to be fired.
Update your security policy regularily and monitor compliance. Do a good job. Stop worrying about the Snowdens of this world, because there's like one every decade. But users looking for shortcuts, managers wanting a dial-in connection from home, admins leaving the firewall wide open after a change, developers using test-configurations in live, all these things are happening every day. Worry about them.
Assorted stuff I do sometimes: Lemuria.org
The U.S. military addressed all the problems except covert channels (now called DLP) in the Orange Book, back in 1985, the days of the dinosaurs and mainframes.
Alas, it was relatively hard to admin, requiring two people to do almost anything, and proving the completeness and sufficiency of the policies was exceedingly hard using the techniques of the day. The good thing was it was easy to use such a system. I used Multics, which was running at B2 and didn't even know security was tight. I later took the week course on how to admin Trusted Solaris and admined a couple of B1 machines. My brain tended to bleed out my ears, I kept running out of audit disk until I turned audit down to a week and I badly broke the two-person rule.
I suspect the difficulty and cost of running secure systems, and the cost of having two-person signoffs in computing as well as accounting killed the governments' desire to be reasonably secure against insiders.
The mechanisms to implement MAC and much of the rest still exist in the NSA security-enhanced Linux, but the work of creating categories and levels to keep users out of each other's pockets, and managing them and the sysadmins so they can't conspire to sneak data out is too expensive for any organization to shoulder as a cost, even the NSA.
--dave
davecb@spamcop.net