Not another insider attack? What a surprise!
Spying is not really news, and neither is another 'insider' abusing privileges to steal data, says Calum MacLeod
After spending five weeks at Moscow Airport, Edward Snowden has been granted the necessary documents to stay in Russia.
Wherever he is, I have become relatively blasé when hearing about yet another security breach, or of stories that Big Brother is watching us.
It's almost like a traffic policeman going to the press and saying that speeding fines are like a money-making racket! As if the average person in the street is going to be surprised.
The rather predictable shock and protests from certain EU governments that the US government was eavesdropping is really a case of the pot calling the kettle black.
For those old enough to remember the last century, the French government admitted to being actively involved in extensive international spying to try to give French companies an advantage in the international market.
So it seems that when French president Francois Hollande made allegations that US-bugged European embassies could threaten a huge EU-US trade deal plan, and that there could be no negotiations without guarantees that the spying would stop immediately, he seemed to conveniently forget that the French government has been doing the same thing for years.
Maybe he just didn't like the idea of a level playing field.
In fact, one of the earliest examples of industrial espionage occurred at the beginning of the 18th century when the French stole porcelain-making methods from the Chinese. What goes around comes around, as they say.
During the early 1990s, France was described by some as one of the most aggressive perpetrators of industrial espionage, and it seems the Americans and the French have been doing battle for years. And it's not just these two countries that have been suspected or even caught red-handed – they're pretty much all at it.
In fact, the Chinese government must be enjoying this period of relative tranquility since it is usually blamed for everything.
So spying is not really news, and neither is yet another "insider" abusing privileged access to steal confidential data from IT systems.
According to NSA director Keith Alexander, Snowden "fabricated digital keys" that gave him access to areas way above his clearance as a low-level contractor and systems administrator. Now I'm sorry, but anyone stupid enough to decide that an airport was the place to settle down cannot be that clever.
Or maybe he thought that having seen Tom Hanks' movie The Terminal, he'd have a Catherine Zeta-Jones moment and try the chat-up line "Would you like an eat to bite?".
Who knows, but anyone who has the slightest understanding of digital keys will know that you don't simply fabricate them.
By now you would think that every organisation, whether governmental or private sector, would have realised that protecting passwords and keys is absolutely essential. Additionally, technology that monitors the activity of systems administrators has been around for years.
The problem frequently starts with organisations failing to know where the accounts are throughout the infrastructure. For example, all Windows systems have service accounts, scheduled task accounts, COM+ accounts, IIS6 metabase accounts, IIS7 accounts, and so on. It is not simply a matter of the administrator accounts.
An example of how easily policies can be circumvented is what happens when an IT support department is pressed to solve a problem. Take a situation where a user is unable to gain administrative access to their system.
The workaround is to call the IT department, which will have a solution. Very often IT will have set up an account that allows admin access to every machine, and once this is given to the user, unless the password is immediately changed, the user has unlimited access.
More disturbing is the question of who, at that point, the IT administrator really is. Yet the same organisation will most likely have spent a fortune on perimeter security, blocking loads of malicious websites, and constantly reminding its staff of the dangers of malware.
What this shows is the massive risk that organisations take if they do not control access to privileged accounts. In the case described, not only should the IT support department have required an audited approval process to gain access to the "backdoor" password, but once accessed it should have been changed immediately.
It's all about the passwords and keys.
Regardless of who has it, any security credential needs to be managed. It starts with the privileged identity that provides access to a multitude of "keys to the kingdom". Without properly managed and secure control of the credential that grants privileged access, everything underneath becomes vulnerable.
As in the example of the NSA, it would appear that badly managed passwords and keys gave Snowden the access he needed to discover SSL keys, SSH keys, symmetric keys, and other passwords.
Having good processes for your SSL, SSH and symmetric keys is all well and good, but ultimately flawed if you do not control your privileged accounts.
It may very well have been that Snowden simply asked the NSA IT support department to enable him to install or uninstall something on his laptop.
So what are some simple and practical steps you should be considering?
• Ensure all privileged accounts are locked down and remember that we're not simply talking about admin or root.
• Always rotate passwords immediately after use for any shared accounts, especially if the same password is used on multiple systems.
• Control access to privileged passwords, including service accounts, and enforce an audited check-in and check-out policy.
• Encrypt all keys and passwords stored in repositories, and require an approval workflow to access them.
• Try to avoid using the same password across multiple systems, and change passwords on a regular basis, especially when staff move.
• Whenever possible, ensure that keys and passwords cannot be reused.
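To make the list above concrete, here is an added example (my own illustration, not code from the article or from Lieberman Software) of how an audited check-out and check-in process for a shared privileged password can work: a second person must approve the release, every request is logged, the password is rotated automatically on check-in, a fingerprint history stops a rotated password from ever coming back, and a report flags the same password in use on more than one system. The vault, the account names and the "Summer2013!" password are all constructed for the demonstration; encryption at rest and persistence are assumed to be handled by the real secret store and are not modelled.

```python
"""Audited check-out / check-in of a shared privileged password (constructed example)."""
import hashlib
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"


def generate_password(length: int = 24) -> str:
    """Fresh password drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def fingerprint(password: str) -> str:
    """SHA-256 of the password, so history and cross-system comparison need no extra plaintext copies."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class CheckoutDenied(Exception):
    """Raised when a request fails the vault's policy checks."""


@dataclass
class PrivilegedAccount:
    system: str
    name: str
    password: str
    checked_out_by: Optional[str] = None
    history: list = field(default_factory=list)  # fingerprints of every password ever set


class Vault:
    def __init__(self) -> None:
        self.accounts: dict = {}   # (system, account) -> PrivilegedAccount
        self.audit: list = []      # append-only audit trail

    def _log(self, event: str, **details) -> None:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event}
        entry.update(details)
        self.audit.append(entry)

    def enrol(self, system: str, name: str, password: str) -> None:
        acct = PrivilegedAccount(system, name, password)
        acct.history.append(fingerprint(password))
        self.accounts[(system, name)] = acct
        self._log("enrolled", system=system, account=name)

    def check_out(self, system: str, name: str, requester: str, approver: str, reason: str) -> str:
        """Release the password only with a distinct approver and while nobody else holds it."""
        acct = self.accounts[(system, name)]
        if approver == requester:
            self._log("denied", system=system, account=name, requester=requester, why="self-approval")
            raise CheckoutDenied("approver must be someone other than the requester")
        if acct.checked_out_by is not None:
            self._log("denied", system=system, account=name, requester=requester, why="already checked out")
            raise CheckoutDenied(f"already checked out by {acct.checked_out_by}")
        acct.checked_out_by = requester
        self._log("check_out", system=system, account=name, requester=requester, approver=approver, reason=reason)
        return acct.password

    def check_in(self, system: str, name: str, requester: str) -> None:
        """Check-in always rotates: the released password is never valid again."""
        acct = self.accounts[(system, name)]
        if acct.checked_out_by != requester:
            raise CheckoutDenied("only the holder of the check-out can check it in")
        new = generate_password()
        while fingerprint(new) in acct.history:  # reuse check; a repeat is astronomically unlikely
            new = generate_password()
        acct.password = new
        acct.history.append(fingerprint(new))
        acct.checked_out_by = None
        self._log("check_in_rotated", system=system, account=name, requester=requester)

    def shared_passwords(self) -> list:
        """Groups of (system, account) pairs that currently share one password across systems."""
        groups: dict = {}
        for key, acct in self.accounts.items():
            groups.setdefault(fingerprint(acct.password), []).append(key)
        return [sorted(keys) for keys in groups.values() if len({s for s, _ in keys}) > 1]


def demo() -> dict:
    """Walk a shared support account through the process on constructed data."""
    vault = Vault()
    # The same local-admin password on two servers: exactly what the list above warns against.
    vault.enrol("fileserver01", "LocalAdmin", "Summer2013!")
    vault.enrol("sqlserver02", "LocalAdmin", "Summer2013!")
    shared_before = vault.shared_passwords()
    try:
        vault.check_out("fileserver01", "LocalAdmin", "helpdesk.bob", "helpdesk.bob", "install driver")
        self_approval_blocked = False
    except CheckoutDenied:
        self_approval_blocked = True
    released = vault.check_out("fileserver01", "LocalAdmin", "helpdesk.bob", "it.manager.alice", "install driver")
    vault.check_in("fileserver01", "LocalAdmin", "helpdesk.bob")
    acct = vault.accounts[("fileserver01", "LocalAdmin")]
    return {
        "shared_before": shared_before,
        "shared_after": vault.shared_passwords(),
        "self_approval_blocked": self_approval_blocked,
        "released_matches_enrolled": released == "Summer2013!",
        "rotated": acct.password != "Summer2013!",
        "history_len": len(acct.history),
        "events": [e["event"] for e in vault.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two controls the article's support-desk story lacked: the self-approved request is refused and recorded, and the password handed to the helpdesk is dead the moment it is checked back in, so the shared-password report that flagged both servers before the check-out is empty afterwards.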
Finally, my advice to Mr Snowden would be to watch another Tom Hanks movie, Cast Away. That may be his safest bet as far as a good location goes, and maybe Mr Hollande will want to check the origins of the word "espionage". It's always good to count the cost before you start something.
Calum MacLeod is EMEA vice president at Lieberman Software