Snowden Case Highlights Risk of Internal Security Threats

As the world waits to see which country will offer asylum to NSA (National Security Agency) leaker Edward Snowden, many CIOs and IT security managers are nervously reviewing their internal security policies. Snowden, who worked as a system administrator for an NSA contractor, has cast doubt on the trust placed in IT staff.

As a recent New York Times article points out, IT personnel are in the ideal position to steal company secrets or leak sensitive information. Business owners and managers don’t like to think that their employees might go rogue, but employees armed with access to mission-critical systems and data can do a lot of damage.

System administrators with complete access to servers and data probably pose the greatest internal threat if they turn against the company. However, everyone from admins up to executives can threaten security and data if they maintain excessive access rights after changing positions or taking on different roles.

Shared access is another problem. System administrators often resort to using generic passwords for servers, and share a single password among all IT staff administering those systems. This increases the risk of an external attack and enables too many users to gain access to privileged resources. All too often, server passwords aren’t changed when an employee leaves the company, leaving critical resources exposed.

Gen. Keith B. Alexander, director of the NSA, has said that his agency will adopt a “buddy system” that will require a second person to check each attempt to access sensitive information, limiting the ability of one rogue system administrator to gain unfettered access. Here are five additional steps organizations can take to minimize internal security threats:

  • Adopt a “least privilege” security posture that gives each employee the least privilege necessary to accomplish required tasks. Assign access rights to users based upon well-defined roles, and revoke inappropriate rights whenever an employee changes roles.
  • Limit access to administrator and/or root accounts. Make sure that the passwords to these accounts are not shared and are changed frequently. Implement controls to limit and track their use.
  • Embrace an access review policy. Dynamically link access privileges to human resources and staffing databases to prevent access creep. Regular, automated access alerts should notify two or more administrators of access changes, employee changes or other critical issues. Notifying more than one administrator helps overcome negligence.
  • Lock the front door by fostering education, encouraging diligence and developing processes such as regularly changed passwords. Employee education can cover the logistics and basics of security, and also address topics such as the psychology and known techniques of social engineering hacks.
  • Achieve compliance by implementing access control and separation of duties practices and technologies. Develop, implement and enforce secure policies related to all system access. Provide a complete audit trail of policy and activities and eliminate non-compliant login practices.
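As an added illustration of the access review step above (this is not code from the article or any vendor), the script below reconciles exported entitlement grants against an HR roster and role definitions, flags access creep, departed staff and accounts with no HR record, and refuses to address the resulting alert to fewer than two administrators. All roster, grant and recipient values are constructed sample data.

```python
# Added illustration of the access review described above; not the article's
# or any product's code. Roster, grant and recipient values are constructed.
# Least-privilege baseline: entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "sysadmin": {"ssh:prod", "db:read", "db:admin"},
    "developer": {"ssh:dev", "db:read"},
    "finance": {"erp:ledger"},
}

# HR roster feed: employee id -> (current role, still employed).
HR_ROSTER = {
    "e100": ("developer", True),   # moved from sysadmin to developer
    "e101": ("sysadmin", True),
    "e102": ("finance", False),    # has left the company
}

# Grants exported from the access-control system.
GRANTS = {
    "e100": {"ssh:dev", "db:read", "db:admin", "ssh:prod"},  # old admin rights kept
    "e101": {"ssh:prod", "db:read", "db:admin"},
    "e102": {"erp:ledger"},
    "e103": {"db:admin"},          # account with no HR record at all
}

def review_access(roster, grants, role_map):
    """Return sorted (employee, kind, entitlements) findings, where kind is
    'excess' (access creep), 'departed' (ex-employee) or 'orphan' (no HR record)."""
    findings = []
    for emp, held in sorted(grants.items()):
        if emp not in roster:
            findings.append((emp, "orphan", tuple(sorted(held))))
            continue
        role, active = roster[emp]
        if not active:
            findings.append((emp, "departed", tuple(sorted(held))))
            continue
        excess = held - role_map.get(role, set())
        if excess:
            findings.append((emp, "excess", tuple(sorted(excess))))
    return findings

def build_alerts(findings, recipients):
    """Address the same report to every recipient and refuse fewer than two,
    so a single negligent or rogue administrator cannot quietly ignore it."""
    if len(set(recipients)) < 2:
        raise ValueError("access alerts must reach at least two administrators")
    lines = [f"{emp}: {kind} {list(ents)}" for emp, kind, ents in findings]
    report = "\n".join(lines) if lines else "no findings"
    return {r: report for r in recipients}
```

Run against a real HR export and entitlement dump, each "excess" finding is a candidate for revocation and each "departed" or "orphan" finding is an account that should already have been disabled.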

Negligence typically is an offense committed by management when “they should have known better.” Most successful data security breaches have some element of managerial negligence associated with them. By taking these steps, business owners and managers can lessen the risk of an internal security breach.