Lessons from the biggest security hack in history
Edward Snowden is currently touring European web security events and is due to appear at the Future of Cyber Security Europe conference in London next month.
Anyone expecting to see him in the flesh will be disappointed, however, as he will likely be appearing by video link from his Russian bolthole, having made some incredibly powerful US officials unimaginably angry after leaking an estimated 20,000 top secret government files in 2013.
Here’s what the businesses can learn from his exploits.
# 1 | Don’t skimp on security for contractors
Snowden was working as a security consultant rather than a full-time employee at the US National Security Agency (NSA) when he stole secret data. What’s more, he was more than 5,000 miles and six time zones away from the NSA headquarters when he struck.
This means he was away from prying eyes and was able to access files when most of his full-time colleagues had gone home after a hard day’s work. He was also easily able to download thousands of files from his supposedly secure computer and onto USB stick drives without his full-time colleagues challenging his activity or office door security asking what was on the storage devices.
Officials say that if Snowden had been working from NSA headquarters, which is equipped with monitors designed to detect when large amounts of data are being accessed and downloaded, he would have been caught.
Soon after the scandal broke US intelligence officials said they planned to drastically reduce the 1,000 NSA employees with administrator status, many of them, contractors. But by that time, it was too late.
For Paul Leybourne, Head of Sales at Vodat International, the take-home message is, you can spend huge amounts of money on firewalls and external security, but this is money wasted if you don’t also monitor for potential internal threats and contractors and their IT systems can often be a weak link in the cybersecurity chain.
# 2 | You must configure your network properly
Despite being a consultant, Snowden was given unfettered admin access to the entire NSA network. This meant he had unlimited freedom to view and copy whatever files he wanted, and no record was kept of the information he accessed. He was also able to access the NSA’s intranet, again without leaving a trace.
Snowden was essentially a ‘ghost user’. Worse than that he could have posed as another user to implicate them in the breach. This breached three key rules:
- Network segmentation. Best practice is to group applications and databases together depending on how sensitive or business critical they are and then keep them together on specific virtual local area networks within your system. Once important functionality is isolated it’s possible to monitor usage more easily and strictly limit traffic.
- Role-based access. Simply put, you should only grant access to specific parts of your network to colleagues who need it. To achieve this an administrator should either approve or deny access rights based on an employee’s function.
- Apply granular controls. Once your network is segmented you can finely tune your settings so that your system is optimized further. For example, fine-tuning a rule that states “Only customer service reps may access customer profiles” to “only customer reps that handle sales or refunds may access customer profile information”.
# 3 | Monitor network activity automatically
Rather than downloading 20,000 top secret files manually, Snowden used a program called a web crawler, like those used by Google’s search engine, to move automatically around the NSA’s servers looking for specific data in individual files and then copy them. While he was looking for examples of US government wrongdoing, cybercriminals may look for customers payment data should they (heaven forbid) breach your server.
It’s estimated that Snowden accessed around 1.7 million files in this way without ever being detected. Nobody can explain how a web crawler was able to work within such a sensitive government network without being identified.
Whatever you think of online whistleblowers like Snowden, heroes or villains, it’s clear their activities still have a lot to teach tech leaders about cybersecurity and the risks posed by hackers.
3 April 2020
2 April 2020