Slashdot Mirror


Ask Slashdot: Preventing Snowden-Style Security Breaches?

Nerval's Lobster writes "The topic of dealing with insider threats has entered the spotlight in a big way recently thanks to Edward Snowden. A former contractor who worked as an IT administrator for the National Security Agency via Booz Allen Hamilton, Snowden rocked the public with his controversial (and unauthorized) disclosure of top secret documents describing the NSA's telecommunications and Internet surveillance programs to The Guardian. Achieving a layer of solid protection from insiders is a complex issue; when it comes to protecting a business's data, organizations more often focus on threats from the outside. But when a trusted employee or contractor uses privileged access to take company data, the aftermath can be as catastrophic to the business or organization as an outside attack. An administrator can block removal of sensitive data via removable media (Snowden apparently lifted sensitive NSA data using a USB device) by disabling USB slots or controlling them via access or profile, or relying on DLP (which has its own issues). They can install software that monitors systems and does its best to detect unusual employee behavior, but many offerings in this category don't go quite far enough. They can track data as it moves through the network. But all of these security practices come with vulnerabilities. What do you think the best way is to lock down a system against malicious insiders?"

14 of 381 comments

  1. simple by greenfruitsalad · · Score: 5, Insightful

    Simple. Do good, make people working for you feel they're doing something good for the world.

    1. Re:simple by rtfa-troll · · Score: 5, Insightful

      The question of securing your data shouldn't be about good or evil, or any particular moral judgment, but simply about how to make sure your critical and confidential data doesn't end up being ripped off.

      There's a certain level that you can go that way. However, in the end, to be useful data has to be loaded into people's heads. People can then unload part of it elsewhere. A very important part of securing the data is making sure that those people who could do that choose not to because they see the value of your mission. Those people who surround them also see the value and put social pressure not to reveal secrets. When the US loses its moral authority by doing things identical to acts it has previously criticised this is obviously going to increase the risk of a leak.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    2. Re:simple by Dahamma · · Score: 5, Insightful

      No, the general question TFA asks about security breaches really has nothing to do with right and wrong or morality, it was simply about protection of data from insiders in any organization. What if Snowden's motivation had instead been monetary (which is much more common in security breaches than whistleblowing)? Or industrial espionage instead of government?

      Protecting data from internal leaks is a complex issue, and pretending "if you are good it won't happen" is idiotic.

    3. Re:simple by Beardo the Bearded · · Score: 5, Funny

      I'm guessing the dicks at the NSA (yea, that's right, I called you all dicks. Prove me wrong.)

      Come on man, I've gone through your email, we have a lot of the same hobbies, we could be friends.

      You could invite me, or I can just show up and we can go shooting. I already know the time and place. I'll pick up some subs at Blimpie's on the way over, that cool?

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  2. Nice try NSA by Anonymous Coward · · Score: 5, Funny

    We won't help you cover your asses for the future. It's time to clean house.

    1. Re:Nice try NSA by intermodal · · Score: 5, Insightful

      That was certainly an issue. If we're talking Snowden-style, the best deterrent is to actually conduct your operations within the law and within the boundaries of ethical behaviour. Snowden wouldn't have had anything to leak if the government were operating within the legitimate bounds of the constitution.

      --
      In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
    2. Re:Nice try NSA by Gr8Apes · · Score: 5, Interesting

      Congress can make laws that are illegal - that's why we have the Supreme Court. If Congress creates laws, but they're "secret" and no one gets to see them, and they're acted upon by other "secret" people, who supposedly report back to a congressional oversight group - but they lie.... and the courts never see any of this... I think we have what's called a dictatorship in the making.

      --
      The cesspool just got a check and balance.
    3. Re:Nice try NSA by Moof123 · · Score: 5, Insightful

      I'm going to fail Godwin's law off the bat here, but remember that Hitler was lawfully elected and his SS all worked within the law. The letter of the law can be twisted and re-written to make torture "legal", but that does not mean that it is OK since it is legal. The fact that "enhanced interrogation", and now "enhanced observation" is legal and was known to congress should be MUCH scarier than if it came out that the NSA was breaking the law without congressional oversight.

  3. Nice try NSA by stewsters · · Score: 5, Insightful

    How about try not to do anything you would be embarrassed by if it leaked? Not ignoring the 4th Amendment is a good start.

  4. Lesson Number One..... by segedunum · · Score: 5, Insightful

    Don't piss off the sys admin.

  5. Don't be dicks, you'll get less whistleblowers by Anonymous Coward · · Score: 5, Insightful

    Obeying your country's constitution and not operating for the sole benefit of oligarchs and barons of commerce would go a long way towards limiting whistleblowing activity.

    If you want to go the opposite direction, I guess you could lock up your employees in a bunker and hold their families hostage.

  6. Nice Try by Anonymous Coward · · Score: 5, Funny

    Nice try, NSA.

  7. Limit access by Xargle · · Score: 5, Insightful

    Have separation between levels of security and have fewer & fewer admins working on them as you go up the chain. Use the old established and trusted guys at the top. Don't have thousands of people (particularly contractors) crawling all over the most sensitive data. Seems obvious really. Look at the amount of data *Private* Bradley Manning got his hands on. It's like NSA & Govt just leave the barn doors open and hope the fear of prosecution will prevent the bad thing from happening.

  8. I support the NSA's collection and leaking! by xQx · · Score: 5, Interesting

    I've given this a lot of thought, and compiled a solid rant on the subject.

    My thesis about privacy in 2013 - 2020:

    Let's start with some facts:
    1. The Spy agencies in NZ, UK, USA, Australia and Canada spy on everyone, even their own citizens.
    2. The UK copies literally everything that traverses the Internet and keeps it for 3 days for analysis (EVERYTHING!)
    3. The USA shares this information (including commercial secrets) with its private enterprises to help them win international business.
    4. So many people work for these agencies that from time to time this information is made public.
    5. Nobody really cares.
    6. The chances of any of these organisations giving up such a valuable source of power are about the same as global nuclear disarmament
    7. It’s only a matter of time until the local police have access to all this information.
    8. In 2001, as sysadmin of BSSC I could read the email of every teacher and every student at that school, without leaving a trace of evidence, nor with any fear of punishment for wrongdoing.

    So, I assert: You have no privacy online. You never really did. It was only by unspoken rule of sysadmins that we let you have the illusion of privacy. Ed Snowden betrayed sysadmins.

    Strangely, Google is poised to release the most important advancement toward our goal of total access to information - a video camera strapped to every second person’s head (Google Glass), and people are up in arms (9) and so are the governments best poised to take advantage! (10).
    I think we’ve got it all wrong. Let’s stop bitching about this rampant surveillance and embrace it.

    Let’s get our spy agencies to make everything they’ve got available to everyone! Let’s mandate that every Google Glass camera must be on all the time, every phone must have its microphone on all the time, every GPS recording its location and all this content uploading to the cloud!

    Information WANTS to be free! EVERYONE should have access to EVERYTHING!

    Then it will hardly be accessed, because if Facebook status updates have proven anything it’s that it’s no fun spying on all your friends if all they do all day is play Farmville.

    Finally, these civil libertarians realise that nobody really cares about them, or their “right to privacy”, and we will be able to make the most out of Google Glass (11).

    Sources:
    1. http://www.spiegel.de/international/world/interview-with-whistleblower-edward-snowden-on-global-spying-a-910006.html
    2. http://mashable.com/2013/06/21/gchq-spy-agency-taps-global-internet/
    3. http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html
    4. Bradley Manning, Edward Snowden
    5. http://www.news.com.au/
    6. http://io9.com/5969204/could-nuclear-disarmament-actually-increase-our-chance-of-an-apocalypse
    7. “if the information is there, it’s already collected, why not use it to prosecute the crime? Why are you protecting the guilty? If you’re innocent you will want us to use this information to exonerate you.”
    8. I read your email. Get over it.
    9. http://www.policymic.com/articles/29585/3-new-ways-google-glass-invades-your-privacy
    10. http://news.cnet.com/8301-1023_3-57591975-93/google-glass-privacy-concerns-persist-in-congress/
    11.