Monday, August 26, 2013

How the NSA "Should" have prevented the Snowden fiasco


For a moment, let’s put aside the fundamental discussion about what information the NSA is or should be collecting. Let’s focus on the actions Edward Snowden seemingly took, according to the information being released, and on how the NSA should have handled the situation differently.

First, let’s look at who the NSA is and what they are responsible for. I went to the NSA’s website (http://www.nsa.gov/) and Wikipedia for guidance. The NSA’s mission as stated on their website is: “The NSA/CSS core missions are to protect U.S. national security systems and to produce foreign signals intelligence information.” I’m going to make an assumption here and state that the NSA does not face common constraints such as a lack of resources or funds when it comes to protecting the U.S.’s security systems.

If I were designing the infrastructure for the NSA, I would take a layered approach.

· Implement an IDS (Intrusion Detection System). Your thought might be, well, that’s great – that keeps the bad guys from getting in. While that is true, it can also prevent data from getting out without being detected.

· Create zones for data based upon sensitivity.

· Within the individual zones, separate servers from workstations into individual subnets so that data flow can be monitored and contained within each zone.

· Limit open firewall ports to only those necessary, and monitor them.

· Monitor typical traffic patterns between environments.

  o Report any irregularities and investigate.

· Limit the subnets and IP addresses that can communicate with each other.

· LOG entries.

  o Limit who can erase logs. This is a simple check mark in a group policy. Not rocket science.

  o Have a person who is NOT performing the function being logged review the logs and run correlations.

· Implement Separation of Duty steps. Continued, daily “need to know or need to access” should be considered when advanced or privileged permissions are assigned. If that level of access cannot be confirmed, have the person open a ticket for access, get approval from a supervisor, and then revoke the access within a short and reasonable period of time.

· Limit screen capture ability.

· Disable ALL USB drive access. Yes, USB devices make jobs easier for admins, but for the very reason that they are small and can be used to remove data, they should not be allowed.

· Create an exceptions list for any access or transfers.

  o Have a responsible party review and approve the exceptions list.

· Limit FTP (file transfers) from sensitive subnets.

· Implement a data governance program that includes a risk matrix and timely reviews.

  o Provide reports to an audit function outside of technology. While this may prompt some needless questions or explanations, it also places scrutiny on the environment.

· Eliminate generic accounts. DOCUMENT AND REVIEW ALL EXCEPTIONS.

· Limit service accounts to running services and implement “DO NOT ALLOW LOGON” through Group Policy. Review the service accounts and their scope regularly.

These solutions have NOTHING to do with the age of the systems at the NSA. That’s a whole other discussion around patching, maintenance, and business continuity. All of the above items can be implemented with 2003-era technology; the IDS is the only exception.

Next, let’s look at Snowden’s job. He was a system administrator. By definition, system administrators are responsible for safeguarding the infrastructure systems. They do NOT own data. They are not system owners. They are not information owners. System administrators are not even responsible for safeguarding the data; that role is held by a database or data administrator. I saw an article that said that as a system administrator, you ARE the auditor. That is simply not the case. That should never be the case in a regulated industry, and it certainly should never be the case where our country’s secrets are concerned. That sys admin had a supervisor. That supervisor should have been alerted by any number of incidents that occurred.

· Implement role-based security. In this way, sys admins are restricted to the environments in which they regularly work. Implement policies and procedures to limit access.

· It IS possible to logically limit what one can access and still let people do their jobs. Does it make their job more complicated? If the environment is not adequately architected, yes.

  o Restrict who can add which users to which security groups.

  o Keep firewall administrators out of servers and server administrators out of databases, and vice versa.
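The access controls listed above (role-based scoping of which zones an admin may touch, separation-of-duty conflicts between firewall, server and database administration, and the earlier point about ticketed, supervisor-approved privileged access that is revoked after a short window) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from any NSA system; every role, zone, user and time limit in it is a constructed assumption.

```python
"""Added example (not from the original post): a minimal model of
role-based access scoping, separation-of-duty (SoD) checks, and
ticketed, time-boxed privileged access with supervisor approval.
All roles, zones, users and limits are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Which zones each role may administer (constructed policy).
ROLE_ZONES = {
    "sysadmin-corp": {"corp-workstations", "corp-servers"},
    "sysadmin-restricted": {"restricted-servers"},
    "firewall-admin": {"firewall"},
    "dba": {"restricted-databases"},
}

# Role pairs one person must never hold at the same time: firewall
# people stay out of servers, server people stay out of databases.
SOD_CONFLICTS = {
    frozenset({"firewall-admin", "sysadmin-corp"}),
    frozenset({"firewall-admin", "sysadmin-restricted"}),
    frozenset({"dba", "sysadmin-restricted"}),
}

# Elevated access is revoked automatically after this long, whatever
# the ticket asked for (constructed limit).
MAX_GRANT = timedelta(hours=4)


@dataclass
class Grant:
    user: str
    zone: str
    approver: str
    start: datetime
    end: datetime


@dataclass
class AccessGovernor:
    assignments: dict = field(default_factory=dict)  # user -> set of roles
    supervisors: dict = field(default_factory=dict)  # user -> supervisor
    grants: list = field(default_factory=list)

    def assign_role(self, user, role):
        """Add a standing role, refusing any SoD conflict with roles held."""
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset({other, role}) in SOD_CONFLICTS:
                raise ValueError(f"{user}: {role} conflicts with {other}")
        held.add(role)

    def allowed_zones(self, user):
        """Union of the zones the user's standing roles permit."""
        zones = set()
        for role in self.assignments.get(user, ()):
            zones |= ROLE_ZONES.get(role, set())
        return zones

    def request_elevation(self, user, zone, approver, now, hours=2):
        """Ticketed elevated access: inside the user's role scope, approved
        by that user's own supervisor, and capped at MAX_GRANT."""
        if zone not in self.allowed_zones(user):
            return None, "outside role scope"
        if self.supervisors.get(user) != approver:
            return None, "approver is not the supervisor"
        duration = min(timedelta(hours=hours), MAX_GRANT)
        grant = Grant(user, zone, approver, now, now + duration)
        self.grants.append(grant)
        return grant, "granted"

    def active_grants(self, now):
        """Grants still in force; an expired grant counts as revoked."""
        return [g for g in self.grants if g.start <= now < g.end]

    def can_elevate(self, user, zone, now):
        return any(g.user == user and g.zone == zone
                   for g in self.active_grants(now))


if __name__ == "__main__":
    gov = AccessGovernor(supervisors={"pat": "lee"})
    gov.assign_role("pat", "sysadmin-corp")
    t0 = datetime(2013, 8, 26, 9, 0)
    print(gov.request_elevation("pat", "restricted-servers", "lee", t0))
    print(gov.request_elevation("pat", "corp-servers", "lee", t0, hours=8))
    print(gov.can_elevate("pat", "corp-servers", t0 + timedelta(hours=5)))
```

The point of the model is that the checks are mechanical: a request outside the role's zones is refused before anyone is asked to approve it, an approval from anyone other than the supervisor is refused, and expiry is enforced by the clock rather than by someone remembering to revoke.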

Another article spoke of Snowden’s physical location being an advantage to him. He worked off-site. While this may seem logical, it simply isn’t true that this gave him an advantage. It means that his machine’s connectivity came from an external IP address, so that traffic would have to pass through an additional device that logged it. Why would someone working externally need to download megabytes or terabytes of data to his machine? Troubleshooting? NO. Absolutely not. I’ve worked in technology for over 30 years. There has never been an event that prompted me as an Engineer or Sys Admin to download data from a server to my own workstation. Never.
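The log review the post keeps coming back to (monitor the typical traffic pattern between zones, have someone outside the function review the logs and run correlations, and treat a large pull from a sensitive zone to an externally connected machine as the irregularity it is) is easy to state and not much harder to script. Below is an added example, not code from the original post: it reviews a constructed transfer log and raises three kinds of finding. The zone layout, the 500 MB single-transfer limit, the three-sigma volume rule and every log line are assumptions made up for the illustration.

```python
"""Added example (not from the original post): review a transfer log for
three irregularities: data leaving a sensitive zone for an external
address, a single oversized transfer out of a sensitive zone, and a
user's daily volume far above that user's own recent baseline.
Zones, limits and log entries are all constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Internal address space (constructed); anything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Sensitivity zones by subnet (constructed).
ZONES = {
    ip_network("10.10.0.0/16"): "restricted-servers",
    ip_network("10.20.0.0/16"): "corp-workstations",
}
SENSITIVE_ZONES = {"restricted-servers"}
HARD_LIMIT = 500 * 1024 * 1024   # any single transfer above this is flagged
SIGMA = 3.0                      # daily total > mean + 3 sd of prior days
MIN_HISTORY = 3                  # need this many prior days for a baseline

# Constructed log: day, user, source IP, destination IP, bytes moved.
# 203.0.113.9 is documentation address space standing in for an
# external workstation.
SAMPLE_LOG = """\
# day        user   src        dst          bytes
2013-08-19 alice 10.10.1.5 10.20.3.7    120000
2013-08-20 alice 10.10.1.5 10.20.3.7    100000
2013-08-21 alice 10.10.1.5 10.20.3.7    130000
2013-08-22 alice 10.10.1.5 10.20.3.7    110000
2013-08-23 alice 10.10.1.5 10.20.3.7    125000
2013-08-19 ed    10.10.1.5 10.20.4.2    100000
2013-08-20 ed    10.10.1.5 10.20.4.2    110000
2013-08-21 ed    10.10.1.5 10.20.4.2    120000
2013-08-22 ed    10.10.1.5 10.20.4.2    130000
2013-08-23 ed    10.10.1.5 203.0.113.9  2000000000
"""


def zone_of(ip):
    """Map an address to its zone, or 'internal-other' / 'external'."""
    addr = ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    if any(addr in net for net in INTERNAL_NETS):
        return "internal-other"
    return "external"


def parse_log(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, user, src, dst, nbytes = line.split()
        rows.append({"day": day, "user": user, "src": src,
                     "dst": dst, "bytes": int(nbytes)})
    return rows


def review(rows):
    """Return (kind, day, user, bytes) findings for an analyst to investigate."""
    findings = []
    per_user_day = defaultdict(lambda: defaultdict(int))
    for r in rows:
        src_zone, dst_zone = zone_of(r["src"]), zone_of(r["dst"])
        if src_zone in SENSITIVE_ZONES and dst_zone == "external":
            findings.append(("sensitive-to-external", r["day"], r["user"], r["bytes"]))
        if src_zone in SENSITIVE_ZONES and r["bytes"] > HARD_LIMIT:
            findings.append(("large-transfer", r["day"], r["user"], r["bytes"]))
        per_user_day[r["user"]][r["day"]] += r["bytes"]

    # Baseline each day against the same user's earlier days only, so a
    # big day cannot hide by inflating its own average.
    for user, days in per_user_day.items():
        ordered = sorted(days.items())
        for i, (day, total) in enumerate(ordered):
            history = [t for _, t in ordered[:i]]
            if len(history) < MIN_HISTORY:
                continue
            threshold = mean(history) + SIGMA * max(pstdev(history), 1.0)
            if total > threshold:
                findings.append(("volume-anomaly", day, user, total))
    return findings


def review_sample():
    return review(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, day, user, nbytes in review_sample():
        print(f"{day} {user:6} {kind:22} {nbytes:>13,} bytes")
```

Run against the constructed log, alice's steady server-to-workstation traffic produces nothing, while ed's last day trips all three rules at once. In a real environment the rows would come from the firewall or proxy sitting between zones, and the person running this review would be someone other than the administrators whose traffic it summarises.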

I have a mantra, “Trust, but confirm.” This isn’t because I don’t trust people. I don’t believe in putting temptation into people’s hands. When I started working in technology many years ago, there was an unspoken rule: “Never give anyone any reason to question your integrity.” IT people, by the nature of the job that we do, have access to data. The best thing a security-minded manager can do is limit unnecessary access so that no one is tempted to breach their employer’s trust. If that means implementing more controls than an average business may have, so be it. Putting better controls and a review process in place COULD have prevented our country from being unhinged by the scandal.

The bottom line for me is that the NSA has resources the average company cannot begin to compare to, and yet there were insufficient reviews or controls to “watch the watchers”. The lack of proper security tools, processes, policies and procedures created this fiasco, not a cowboy sys admin. He simply took advantage of the lapses. Quit with the excuses and fix the environment.

If you aren’t necessarily confident that a layered security model is implemented in your environment, give CGSolutions of Jax a call. We have resources and partners who can help secure your environment. It isn’t rocket science.

1 comment:

1. I once worked for companies that manufactured quality control equipment and had no QC department... later I worked for gov security agencies where security consisted of the "honor system"... go figure. William_fiore_jr@yahoo.com www.klystos.com