Insider Threats: Are Your Customers Prepared For Having An Edward Snowden On Staff?


When former government contractor Edward Snowden gained access to more than a dozen National Security Agency systems to pilfer potentially thousands of classified documents, his actions highlighted a number of fundamental security lapses. The proper technologies would have kept tabs on employee behavior and signaled a problem, experts told CRN.

Since the NSA security breach, much of the attention prompted by the subsequent data leaks understandably has been focused on the extent of the NSA's surveillance program. But solution providers tell CRN that the incident also has prompted some business owners to request ways to reduce insider threats. They want to quickly spot a rogue employee who steals files prior to their departure or block careless workers from mishandling data when sharing files with remote colleagues.

"If the organization is not really thinking about what is worth protecting, most of the time they're setting themselves up for failure," said Chris Camejo, director of consulting and professional services at NTT Com Security, Bloomfield, Conn. "Conducting an assessment to determine what information is your most valuable asset, where it resides and who owns it is a good place to start."

The NSA leaks are the latest in a long line of high-profile security incidents that highlight insider threats. The security lapses often put the spotlight on the holes in fundamental security best practices, configuration weaknesses as well as security controls that may have been in place to prevent an incident but simply weren't being monitored, Camejo said. Too often, experts say, access control is not being proactively maintained, passwords are inadequate, and role-based management is not automated when an employee moves to a new position but maintains access to systems he or she no longer needs.

In 2008, a disgruntled IT administrator for the city of San Francisco held the city hostage for days, holding the passwords to the city systems that are critical to day-to-day operations. After hearing his job was in jeopardy, the worker created his own passwords to the network and blocked others from gaining access to email, payroll and other systems. The employee only gave them up after the mayor visited his jail cell and pleaded with him.

The incident highlights the need of activity monitoring -- checks on critical system logs by multiple people are necessary to prevent an incident, said J.J. Thompson, managing director and CEO of Indianapolis-based security consultancy and managed security service provider Rook Security. Someone needs to ensure that IT security isn't asleep at the wheel, Thompson said.

"We're gluing together the events and incidents being spit out of devices to find indicators of compromise," Thompson said. "Our clients are more concerned than ever and they want to know what anomalous activity is occurring."

One solution provider conducting the computer forensics investigation following a major breach at a financial firm said a monitoring system that triggered an alert on suspicious activity sent it to an email account of the former employee who set up the system. The mailbox was full of alerts generated by the system. Simply configuring it to send an alert to another source could have stopped an employee from stealing millions of dollars, the consultant told CRN.

"It happens all the time," said the consultant, who wished to remain anonymous. "Companies gain a false sense of security when they deploy systems, but ultimately all they get is a shiny new box that doesn't get the attention it truly needs."

NEXT: Research Reports Tally Up The Toll