The Edward Snowden leak is epic in proportion. It’s been all over the news. If you are like my wife, you’re sick of
seeing the 24x7 news coverage. I’ve
talked to several corporate security professionals who look at the Snowden case
and count the ways the situation doesn’t
apply to them. That’s a mistake. There are two quick lessons to be learned from
this situation. Now (while it’s all over
the news) is the time to review your security controls.
Why should you care?
Even if you don’t process classified information, your
intellectual property is definitely worth protecting. You don’t want it to be stolen by a
disgruntled employee or financially motivated insider. By studying this leak, you can apply some
lessons learned to your own networks.
Lesson One: Auditing
First, examine auditing in your environment. You have to trust your users, and you have to
trust your systems administrators even more: they hold the keys to the kingdom. But who watches the
systems administrators? Many organizations I’ve had the pleasure of working with review administrator
activity only periodically (often monthly).
In the Snowden case, a monthly review would likely have missed the copying of documents to
removable media entirely; his time at that employer was brief, and the copies were done before any
review cycle came around. Frequent (ideally continuous) monitoring of privileged activity and of data
leaving the network is critical to detecting insider threats.
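As an added example (not code from the original post), the detection logic below runs over a few constructed endpoint log lines and flags the two things the paragraph above is about: any write to removable media by a privileged account, and a bulk copy to removable media by anyone within a short window. It also computes how long an event would sit undetected under a monthly versus a daily review cadence. The JSON-lines schema, the account names and the thresholds are assumptions for the example, not a vendor's format.

```python
"""Detect bulk copies to removable media and estimate review lag.

Added example. Log schema, account names and thresholds are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Accounts holding administrative rights; in practice fed from a directory export.
PRIVILEGED = {"svc-sysadmin", "bsmith"}

WINDOW = timedelta(hours=1)
BULK_BYTES = 1024 ** 3          # 1 GiB from one account inside WINDOW is suspicious
REVIEW_ANCHOR = datetime(2013, 5, 1)   # date of the last periodic audit (assumption)

# Constructed sample log (JSON lines). Not real data.
SAMPLE_LOG = """\
{"ts": "2013-05-20T08:55:02", "user": "jdoe", "host": "ws-12", "action": "removable_write", "bytes": 1048576}
{"ts": "2013-05-20T09:10:44", "user": "bsmith", "host": "srv-files", "action": "removable_write", "bytes": 524288000}
{"ts": "2013-05-20T09:12:10", "user": "bsmith", "host": "srv-files", "action": "removable_write", "bytes": 734003200}
{"ts": "2013-05-20T09:40:00", "user": "jdoe", "host": "ws-12", "action": "logon", "bytes": 0}
{"ts": "2013-05-20T11:15:30", "user": "jdoe", "host": "ws-12", "action": "removable_write", "bytes": 2147483648}
{"ts": "2013-05-20T11:20:00", "user": "jdoe", "host": "ws-12", "action": "removable_write", "bytes": 104857600}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect(events):
    """Return alerts for privileged removable writes and per-user bulk copies."""
    alerts = []
    windows = defaultdict(deque)   # user -> deque of (ts, bytes) inside WINDOW
    totals = defaultdict(int)      # user -> bytes currently inside the window
    for ev in events:
        if ev["action"] != "removable_write":
            continue
        user = ev["user"]
        # Rule 1: admins have no business writing to removable media at all.
        if user in PRIVILEGED:
            alerts.append({"rule": "privileged_removable_write", "user": user,
                           "ts": ev["ts"], "bytes": ev["bytes"]})
        # Rule 2: sliding-window volume per account.
        q = windows[user]
        q.append((ev["ts"], ev["bytes"]))
        totals[user] += ev["bytes"]
        while q and ev["ts"] - q[0][0] > WINDOW:
            _, old = q.popleft()
            totals[user] -= old
        if totals[user] >= BULK_BYTES:
            alerts.append({"rule": "bulk_removable_write", "user": user,
                           "ts": ev["ts"], "bytes": totals[user]})
            q.clear()              # one alert per burst
            totals[user] = 0
    return alerts


def detection_delay_hours(event_ts, review_period_days, last_review=REVIEW_ANCHOR):
    """Hours until the next periodic review that would surface the event."""
    period = timedelta(days=review_period_days)
    nxt = last_review
    while nxt <= event_ts:
        nxt += period
    return (nxt - event_ts).total_seconds() / 3600


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect(evs):
        print(a["rule"], a["user"], a["ts"], a["bytes"])
    first = [e for e in evs if e["user"] == "bsmith"][0]["ts"]
    print("monthly review lag (h):", round(detection_delay_hours(first, 30), 1))
    print("daily review lag (h):", round(detection_delay_hours(first, 1), 1))
```

The sliding window is reset after each alert so one copy session produces one ticket rather than one per file; tune WINDOW and BULK_BYTES to your environment, and treat the privileged-account rule as the higher-severity one, since an administrator copying data to a USB drive is rarely legitimate.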
Lesson Two: Separation of Duties
But what happens when you have an employee who shows no
warning signs until the one time he walks off with a USB drive full of
documents? Is real-time monitoring the
answer? Yes and no. Real-time monitoring is a goal we should all
strive to achieve for the sake of security.
However, a complementary control is separation of duties. Restrict the number of domain/enterprise
administrators (the number of standing members should be approaching zero; grant elevated rights for a
specific task and time window instead). Require two-person integrity for sensitive
operations. It’s much easier for one
person to steal something than for two people to collude to steal the same data.
Despite this being an obvious best practice, I don’t see it
done often. I see it done right even
less frequently. Why don’t we see more
separation of duties? It’s
inconvenient. It also appears to
increase IT costs.
Example Separation
One easy separation is to ensure that desktop admins can’t
bypass the DLP software (by restricting access to the DLP management server). If the helpdesk legitimately needs a bypass
during off hours, create a cadre of trusted agents who serve as the
authorizing party for DLP bypass: the requester and the approver must be different people, the bypass
should be time-limited, and every request and approval should be logged and reviewed (audit the trusted agents
too). Note to the reader: here’s that frequent
auditing theme again.
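The approval workflow for the DLP bypass above, as an added example that is not from the original post and not any DLP product's API. It enforces the separation-of-duties rules (only a trusted agent can approve, never the requester, and only for a bounded time window on the named host), keeps an append-only audit trail, and produces the per-agent report used to audit the trusted agents themselves. The agent names, ticket model and time-to-live are assumptions; the `bypass_allowed()` decision is what you would wire to whatever mechanism actually disables your DLP agent.

```python
"""Two-person integrity for DLP bypass, with an audit trail.

Added example. Agent names, ticket model and TTL are assumptions.
"""
from datetime import datetime, timedelta

TRUSTED_AGENTS = {"alice", "carol"}      # the cadre allowed to approve a bypass
BYPASS_TTL = timedelta(minutes=30)       # a bypass is never open-ended


class FakeClock:
    """Injectable clock so the example (and tests) can advance time."""
    def __init__(self, start):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, delta):
        self.now += delta


class BypassAuthority:
    def __init__(self, clock=datetime.now):
        self.clock = clock
        self.tickets = {}
        self.audit = []        # append-only; ship to a central log server in practice
        self._seq = 0

    def _log(self, event, **fields):
        self.audit.append({"ts": self.clock(), "event": event, **fields})

    def request(self, requester, host, reason):
        """Anyone may ask; the ticket grants nothing until approved."""
        self._seq += 1
        tid = f"T{self._seq:04d}"
        self.tickets[tid] = {"requester": requester, "host": host, "reason": reason,
                             "approved_by": None, "expires": None}
        self._log("request", ticket=tid, requester=requester, host=host, reason=reason)
        return tid

    def approve(self, tid, approver):
        """Second person authorizes. Denials are logged, never silent."""
        t = self.tickets[tid]
        if approver not in TRUSTED_AGENTS:
            self._log("deny", ticket=tid, approver=approver, why="not a trusted agent")
            return False
        if approver == t["requester"]:
            self._log("deny", ticket=tid, approver=approver, why="self-approval")
            return False
        if t["approved_by"] is not None:
            self._log("deny", ticket=tid, approver=approver, why="already approved")
            return False
        t["approved_by"] = approver
        t["expires"] = self.clock() + BYPASS_TTL
        self._log("approve", ticket=tid, approver=approver, expires=t["expires"])
        return True

    def bypass_allowed(self, tid, host):
        """The DLP enforcement point asks this before honouring a bypass."""
        t = self.tickets.get(tid)
        ok = (t is not None and t["approved_by"] is not None
              and t["host"] == host and self.clock() < t["expires"])
        self._log("bypass_check", ticket=tid, host=host, allowed=ok)
        return ok

    def agent_report(self):
        """Approvals per trusted agent: the 'audit the trusted agents' step."""
        counts = {a: 0 for a in sorted(TRUSTED_AGENTS)}
        for e in self.audit:
            if e["event"] == "approve":
                counts[e["approver"]] += 1
        return counts


def demo():
    """Walk one after-hours request through the controls; returns the outcomes."""
    clock = FakeClock(datetime(2013, 6, 10, 2, 0))
    auth = BypassAuthority(clock)
    # carol is a trusted agent but is also the one asking tonight (assumed scenario)
    tid = auth.request("carol", "ws-12", "restore user profile after hours")
    out = {
        "self_approval": auth.approve(tid, "carol"),       # denied: same person
        "outsider": auth.approve(tid, "mallory"),          # denied: not in the cadre
        "approved": auth.approve(tid, "alice"),            # second person, OK
        "allowed_same_host": auth.bypass_allowed(tid, "ws-12"),
        "allowed_other_host": auth.bypass_allowed(tid, "ws-99"),
    }
    clock.advance(BYPASS_TTL + timedelta(minutes=1))
    out["allowed_after_ttl"] = auth.bypass_allowed(tid, "ws-12")
    out["report"] = auth.agent_report()
    out["audit"] = auth.audit
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        if k != "audit":
            print(k, v)
```

The denial entries in the audit log are as valuable as the approvals: a trusted agent who repeatedly tries to approve their own requests, or who approves far more bypasses than their peers, is exactly what the periodic review of the agents should surface.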
Conclusion
There are many more examples like this. Yes, they require policies to be written and
adhered to. Yes, they increase the IT
burden. Yes, occasionally the policies
themselves will lengthen problem resolution times. With the wrong IT team, they can lead to serious
finger pointing during outage resolution.
But on the whole, your security is worth it. Come up with sensible policies and get buy-in
from IT team members. Team members are
far less likely to implement policies when they don’t understand the problem.