News Column

How Low-level Insider Could Steal From NSA

June 12, 2013

Edward Snowden's ability to extract sensitive data from the National Security Agency, working as a low-level contract consultant, comes as no surprise to the security community.

Security experts say Snowden, a Booz Allen Hamilton network analyst in Hawaii, had the technical savvy to take full advantage of two major security challenges all organizations face: managing privileged accounts and keeping PCs, databases and applications updated with the latest security patches.

"Digital assets are all plugged into an amazingly complex infrastructure," says Mike Lloyd, chief technology officer at network security firm RedSeal Networks. "Even diligent defenders struggle to keep up with all the latest weaknesses, and the dizzying interactions between interdependent systems and layers. We cannot defend what we cannot understand."

Snowden claims to have a long history of working as an IT specialist, including stints as a systems engineer, a systems administrator, a senior adviser for the CIA and a telecommunications officer.

As Snowden told The Guardian in a videotaped interview: "When you're in positions of privileged access, like a systems administrator, for these sort of intelligence community agencies, you're exposed to a lot more information on a broader scale than the average employee. ... Anybody in the positions of access with the technical capabilities that I had could, you know, suck out secrets."

Although details of how he did it aren't yet clear, Snowden would have been well aware of "privileged accounts," the logons that give administrative access to any device with a microprocessor, including PCs, servers, databases and copiers.

Such accounts function, in effect, as master keys to the deepest, most sensitive digital assets, and an unscrupulous insider holding them can easily roam far and wide inside a network. A recent survey by Cyber-Ark Software found that 86% of large enterprise organizations either do not know or underestimate the number of privileged accounts incorporated into their networks.

Snowden claimed that he could wiretap anyone's phone and had access to information showing wide-ranging "abuses." He publicly released PowerPoint slides depicting PRISM, a secret program that mines data on individuals' online behavior contributed by Google, Microsoft, Facebook, Apple and PalTalk.

He also claimed to possess the "full rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world."

Agency investigators now should be able to trace Snowden's Internet activities and determine the true extent of his infiltration of sensitive material, says Wade Williamson, senior security analyst at firewall company Palo Alto Networks. It's a big leap from stealing classified PowerPoint slides to wire-tapping phones and accessing dossiers for spies and other agency personnel. And the NSA presumably segmented access to very sensitive data, Williamson says.

Snowden also might have taken advantage of the agency's process for installing security patches. Corporations and big agencies struggle with installing patches for computer operating systems and applications. The ideal -- rarely met -- is to install all critical security patches within 48 hours, says Wolfgang Kandek, chief technology officer at patch management firm Qualys.

A savvy insider would be familiar with the lags, and could move to "gain administrative privileges on an unpatched machine and then begin to look around the network to see what else you can find," Kandek says.

Udi Mokady, CEO of Cyber-Ark, which supplies technology to manage privileged accounts, says he was not surprised that an analyst working from Hawaii was able to take advantage of network weaknesses.

"It's a dirty secret in IT that you can have thousands of people in the IT layer with the ability to survey all of your data," Mokady says. Based on what Snowden said in his video interview, "it makes full sense that he abused his administrative rights."

The NSA should have screened Snowden more thoroughly, says Joelle Scott of Corporate Resolutions, a security consulting firm.

"What's most shocking is that there was a lack of proper internal controls," Scott says.

Source: Copyright USA TODAY 2013. Distributed by MCT Information Services
