I recently stumbled across an article in Dark Reading entitled “How Did Snowden Do It?” The piece does a great job pointing out how failures in authentication allowed Snowden to gain access to sensitive data repositories, acting both as himself and impersonating other privileged users.
The author states that Snowden (a) used social engineering to convince co-workers to share their credentials, and (b) fabricated SSH keys, allowing him to jump from one system to another.
While this does strongly suggest a major internal security failure, that failure by itself shouldn't have been enough to allow Snowden to inflict as much damage as he did.
Authentication is your first line of defense, but it shouldn’t be your only line. At Varonis, we always talk about the 4 As: authentication, authorization, auditing, and alerting. Dark Reading covered the authentication failure, but let’s take a look at the layers one-by-one.
If authentication breaks down, authorization (controlling who should have access to which data) limits how much data an attacker can get their hands on. It would appear that in the Snowden case, privileged IT users had carte blanche access to business data. Was that an accepted practice? It seems so, but we don't know for sure at this point. It's quite possible the NSA didn't have a map of permissions that would let officials visualize exactly what the IT staff (and other non-essential users) could read, modify, copy, or delete.
When there are petabytes of content across numerous platforms and thousands of users and groups with varying levels of access, organizations face a massive archeological project just in learning the intended authorization levels, let alone the effective authorizations (i.e., what people truly have access to once group nesting, inheritance, and explicit denies are resolved). But this isn't an acceptable excuse, especially for an intelligence agency with gobs of highly classified content. There are solutions available that can not only boil down effective permissions for you, but also provide automated recommendations for where you can tighten up access controls and help prioritize remediation efforts based on sensitivity levels.
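To make "effective authorizations" concrete, here is an added example (not Varonis code, and not a description of any real NSA system) that resolves nested group membership and allow/deny ACL entries into the rights each account actually holds, then lists which members of an administrative group can reach resources tagged as sensitive. The group names, account names, share paths, and ACLs are all constructed for illustration; the deny-overrides-allow rule mirrors common Windows ACL semantics.

```python
from collections import defaultdict

# Constructed directory data: group -> members (a member may itself be a group).
GROUP_MEMBERS = {
    "Analysts": {"asmith", "bjones"},
    "IT-Admins": {"esnowden", "jdoe"},
    "Domain Admins": {"IT-Admins"},          # nested: every IT-Admin is a Domain Admin
    "Contractors": {"esnowden"},
    "All-Staff": {"Analysts", "IT-Admins", "hpatel"},
}

# Constructed ACLs: resource -> [(principal, rights, "allow" | "deny"), ...]
ACLS = {
    r"\\fs01\sigint-reports": [
        ("Analysts", {"read"}, "allow"),
        ("Domain Admins", {"read", "write", "delete"}, "allow"),
    ],
    r"\\fs01\hr-payroll": [
        ("hpatel", {"read", "write"}, "allow"),
        ("Domain Admins", {"read", "write", "delete"}, "allow"),
        ("Contractors", {"read", "write", "delete"}, "deny"),
    ],
    r"\\fs01\public": [
        ("All-Staff", {"read"}, "allow"),
    ],
}

# Hypothetical sensitivity tagging (in practice fed by a classification scan).
SENSITIVE = {r"\\fs01\sigint-reports", r"\\fs01\hr-payroll"}


def expand_group(group, groups=GROUP_MEMBERS, _seen=None):
    """Resolve a group to the user accounts it ultimately contains (cycle-safe)."""
    if _seen is None:
        _seen = set()
    if group in _seen:
        return set()
    _seen.add(group)
    users = set()
    for member in groups.get(group, ()):
        if member in groups:
            users |= expand_group(member, groups, _seen)
        else:
            users.add(member)
    return users


def principals_for(user, groups=GROUP_MEMBERS):
    """The user plus every group (direct or nested) that contains the user."""
    return {user} | {g for g in groups if user in expand_group(g, groups)}


def effective_rights(user, resource, groups=GROUP_MEMBERS, acls=ACLS):
    """Union of allowed rights minus any right explicitly denied to one of the user's principals."""
    principals = principals_for(user, groups)
    allowed, denied = set(), set()
    for principal, rights, effect in acls.get(resource, ()):
        if principal not in principals:
            continue
        (allowed if effect == "allow" else denied).update(rights)
    return allowed - denied


def all_users(groups=GROUP_MEMBERS, acls=ACLS):
    users = set()
    for g in groups:
        users |= expand_group(g, groups)
    for entries in acls.values():
        users |= {p for p, _, _ in entries if p not in groups}
    return users


def access_report(groups=GROUP_MEMBERS, acls=ACLS):
    """resource -> {user: effective rights}, omitting users with no access."""
    report = defaultdict(dict)
    for resource in acls:
        for user in sorted(all_users(groups, acls)):
            rights = effective_rights(user, resource, groups, acls)
            if rights:
                report[resource][user] = rights
    return dict(report)


def privileged_access_to_sensitive(admin_group, sensitive=SENSITIVE,
                                   groups=GROUP_MEMBERS, acls=ACLS):
    """Remediation candidates: admin accounts that can touch sensitive business data."""
    findings = []
    for user in sorted(expand_group(admin_group, groups)):
        for resource in sorted(sensitive):
            rights = effective_rights(user, resource, groups, acls)
            if rights:
                findings.append((user, resource, tuple(sorted(rights))))
    return findings


if __name__ == "__main__":
    for resource, users in access_report().items():
        print(resource, {u: sorted(r) for u, r in users.items()})
    for user, resource, rights in privileged_access_to_sensitive("IT-Admins"):
        print(f"REVIEW: {user} holds {','.join(rights)} on {resource}")
```

The point of the report is that neither the IT-Admins group nor any individual admin appears on the sensitive shares' ACLs directly; the access arrives through the nested Domain Admins entry, which is exactly the kind of path a manual review misses and an effective-permissions tool surfaces.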
You’re fairly confident that no unauthorized parties have access to your personal bank account, right? But how do you know this? The answer is that you (hopefully) have an audit trail. You can view each and every transaction on your ledger and validate that you were the one that authorized them.
It’s unclear whether the NSA was monitoring and logging access to their sensitive content, but public statements from officials indicate that they might be having some trouble piecing together a master list of digital assets that were stolen.
Audit logs are useful for much more than forensic investigations. Tracking actual access activity is fundamental to protecting content and detecting unwarranted or abnormal access. Even if Snowden commandeered SSH keys and was able to impersonate another user, the patterns of access for those identities likely would have changed as soon as he started his exfiltration party. Of course, being a privileged user, Snowden might have known enough about the behavioral alarms to circumvent them.
Another key data protection mechanism, which is facilitated by auditing, is alerting. Sadly, most data breaches are detected and reported by third parties, not IT security. By employing algorithms that analyze access activity and send alerts when there are abnormal spikes or changes in behavior, organizations like the NSA could proactively investigate potential breaches and stop the bleeding.
In addition to behavioral alerts, known sensitive repositories should receive special attention, perhaps even throwing up alerts whenever any access occurs by administrative staff. This type of access-based alerting is also what makes honeypots work: a decoy repository that nobody has a legitimate reason to open, where any access at all is an alert, is a fantastic method for detecting insider threats.
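The three alert types just described (a per-user spike against a historical baseline, administrative access to a known sensitive share, and any access to a decoy share) can be run over an ordinary file-access audit log. The following is an added example rather than code from Varonis or from any real monitoring product; the audit-line format, the account names, the share paths, and the log itself are constructed, and the baseline rule (more than `factor` times the mean of prior days, after at least `min_history` days of history) is one simple choice among many.

```python
import re
import statistics
from collections import defaultdict

# Hypothetical audit-line format: "<ISO timestamp> user=<acct> op=<op> path=<UNC path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+op=(?P<op>\S+)\s+path=(?P<path>.+)$"
)


def build_sample_log():
    """Constructed synthetic log: five quiet days, then one exfiltration day."""
    lines = []
    for day in range(13, 18):
        for i in range(6):   # analyst reads ~6 reports a day
            lines.append(fr"2013-05-{day}T10:{i:02d}:00Z user=asmith op=read "
                         fr"path=\\fs01\sigint-reports\weekly-{day}-{i}.pdf")
        for i in range(4):   # admin touches ~4 config files a day
            lines.append(fr"2013-05-{day}T11:{i:02d}:00Z user=esnowden op=read "
                         fr"path=\\fs01\it-config\host-{i}.conf")
    for i in range(60):      # admin bulk-reads analyst reports overnight
        lines.append(fr"2013-05-20T02:{i:02d}:00Z user=esnowden op=read "
                     fr"path=\\fs01\sigint-reports\weekly-{i}.pdf")
    lines.append(r"2013-05-20T03:05:00Z user=esnowden op=read "
                 r"path=\\fs01\exec-compensation\board-salaries.xlsx")  # decoy share
    lines.append(r"2013-05-20T09:00:00Z user=asmith op=read "
                 r"path=\\fs01\sigint-reports\weekly-20.pdf")
    return lines


def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count and surface malformed lines
        e = m.groupdict()
        e["day"] = e["ts"][:10]
        events.append(e)
    return events


def share_of(path):
    r"""\\server\share\dir\file -> \\server\share"""
    return "\\".join(path.split("\\")[:4])


def daily_counts(events):
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["user"]][e["day"]] += 1
    return counts


def spike_alerts(events, factor=3.0, min_history=3):
    """(user, day, count, baseline) where a day's activity exceeds factor x the mean of prior days."""
    alerts = []
    for user, per_day in daily_counts(events).items():
        days = sorted(per_day)
        for idx, day in enumerate(days):
            history = [per_day[d] for d in days[:idx]]
            if len(history) < min_history:
                continue
            baseline = float(statistics.mean(history))
            if per_day[day] > factor * baseline:
                alerts.append((user, day, per_day[day], round(baseline, 1)))
    return alerts


def privileged_sensitive_access(events, sensitive_shares, admin_users):
    """Admin-account touches of sensitive shares, aggregated per (user, day, share)."""
    wanted = {s.lower() for s in sensitive_shares}
    hits = defaultdict(int)
    for e in events:
        share = share_of(e["path"])
        if e["user"] in admin_users and share.lower() in wanted:
            hits[(e["user"], e["day"], share)] += 1
    return dict(hits)


def honeypot_alerts(events, honeypot_shares):
    """Any access to a decoy share is an alert, regardless of who the principal is."""
    wanted = {s.lower() for s in honeypot_shares}
    return [(e["ts"], e["user"], e["op"], e["path"])
            for e in events if share_of(e["path"]).lower() in wanted]


if __name__ == "__main__":
    evts = parse(build_sample_log())
    print("spikes:", spike_alerts(evts))
    print("admin on sensitive:", privileged_sensitive_access(
        evts, [r"\\fs01\sigint-reports"], {"esnowden"}))
    print("honeypot:", honeypot_alerts(evts, [r"\\fs01\exec-compensation"]))
```

Note that the analyst's steady six reads a day never trips the spike rule, while the admin's sixty-one events on the exfiltration day do; the sensitive-share rule would have fired on the very first report the admin opened, and the decoy share fires on a single access with no baseline needed at all. The caveat from the text still applies: a privileged insider who knows the thresholds can stay under them, which is why the three checks complement rather than replace each other.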
Putting it all together
Certainly there are more nuanced approaches to data security and insider threat protection that reach beyond the 4 As. However, the 4 As should be considered pillars in any organization's data protection playbook and can go a very long way toward thwarting breaches.