Monday, June 6, 2016

Trust us, we're auditing accesses to your data - but we can't find our own data

You should read the VICE story on the new releases they've obtained in relation to the Snowden disclosures.  One big takeaway is that internally, NSA consistently wasn't sure what it did and didn't have in regards to data about what Snowden communicated, to whom, and when about possible abuses of authority.

But even with the data now released, Snowden himself is not happy.  He notes that none of his pre-2013 email was released.  He also notes that NSA also didn't release any of his Jabber, IRC, or Lync conversations about legality questions.


When I first read that, I'll admit that I wondered how much IRC data would have been logged for possible inspection and retrieval later.  But then I thought about records retention.  Instant messaging, if used for mission purposes (which these surely would have been considered) would be official records and would have a required retention under some official records act.  Thanks mandatory training, you saved me (this one time).  My training fails me as to whether the required retention period is one year, two years, or five years.  That doesn't really matter at the end of the day - at the time of the disclosure (June 2013), NSA should have moved to preserve that data, understanding its obvious relevance.

Bulk data/metadata collection 
I find it interesting that the NSA says "trust us, we need this data - only a handful of analysts have access to it, and we have bulletproof auditing on it."  But then consider that the NSA can't audit and preserve their own critical records for their own internal investigations.  It's a challenging position to be sure and I'm frankly surprised more aren't talking about this apparent contradiction.

*Note: I fully believe the accounts that NSA audits access to highly critical data. I'm not calling those claims false. I'm only questioning the integrity/completeness of said audits if they can't locate their own highly critical data on Snowden.

Preparing for your organizations' "Snowden"
It's easy to jump on NSA for not preserving potentially relevant data (as Snowden claims), but they had budget issues and a high mission tempo - just like every business I ever work with.  In fantasy land, we have infinite storage, epic e-Discovery search systems, and a magic fairy to locate and preserve all relevant data.  But in reality land, we have to deal with aging heterogenous systems and inadequate storage.

When working with customers at Rendition Infosec, I highly recommend that organizations consider how they would deal with a whistleblower or a malicious insider.  The answer largely has to do with understanding the damage - what did the user have access to and what did they actually access. At this point in a tabletop exercise we start talking about what logs are enabled, on which systems, and what the retention for those logs is like.  And don't just talk about it.  Take a sampling of logs to separate truth from fiction.  Often, the real state shocks management and cause a rude awakening.

Whether your organization ever has a "Snowden Level Event" the likelihood is that you will eventually face a preservation order or a demand for data.  In that case, you want to be ready to act rather than learning you lack key logs (audit trails) that may contain critical evidence.  If you are unsure how to prepare, talk to a professional so you don't end up like NSA - scrambling to locate relevant data.