How Edward Snowden roamed the National Security Agency network, stealing documents that would later be released to select media, raises a number of red flags chief security officers should pay attention to, experts say.
While working as an NSA contractor, Snowden used the passwords of other employees and hacked firewalls to enter classified computer systems, The New York Times reported over the weekend. His network movements were not monitored, because the NSA was several months away from turning on tracking software that would trace the activity of employees at the Hawaii facility where Snowden worked.
Media reports on NSA spying based on documents taken by Snowden started in June, sparking an intense national debate on the NSA's collection of massive amounts of data on the Internet activity of Americans and foreigners. Lawmakers have introduced bills in Congress to rein in the NSA.
Law enforcement and intelligence investigators told The Times that they might never have a full tally of the classified information taken by Snowden. He is living and working in Russia, which has granted him asylum for one year.
While the investigation into Snowden continues, experts said Monday that what is known so far should be enough to get CSOs thinking about securing computer systems against malicious insiders.
Too many corporate networks are designed to block intruders from the outside, but don't do enough to catch people stealing data from the inside, either for financial gain or out of revenge for not getting a raise or a promotion.
"They're kind of like an egg," Stephen Perciballi, category leader for security solutions at Softchoice, said of a lot of networks. "It may be somewhat difficult for an outsider to get in, but once you're in there, you can move around quite fluidly."
To catch malicious behavior from the inside, Zak Dehlawi, senior security engineer at Security Innovation, suggested intrusion detection systems (IDS) that are statistical-based. Such systems take a baseline measurement of normal network and computer activity and alert security pros to any deviations, such as increases or decreases in network traffic or strange IP addresses.
However, these systems require constant tuning, since what's normal will vary according to the time of day or year, Dehlawi said.
"Even worse is if a baseline measurement is taken while an attack is in progress," he said. "From that point on, the attack traffic will be considered normal traffic and will not trigger the IDS."
A relatively new technology that may be useful once it matures is called "behavioral modeling," Kevin Coleman, strategic management adviser on critical technology issues at IT services company SilverRhino, said. Such technology knows how each employee normally uses computer systems and networks and reports all abnormal behavior.
While the technology holds promise, it's not quite ready for the enterprise, Coleman said. "It hasn't, in my opinion, been proven yet to the point where I would be willing to say it's a ready-for-primetime technology."
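The statistical IDS Dehlawi describes and the per-user behavioral modeling Coleman mentions rest on the same idea: record what is normal, then alert on deviations. The following Python is an added example, not code from the article or from any of the companies quoted, that keys a mean/standard-deviation baseline per user account and flags hourly transfer volumes far outside it. It also reproduces the failure mode Dehlawi warns about: when the baseline is computed from a window that already contains the bulk-copy activity, the same activity no longer deviates and produces no alert. The account name, the threshold and all traffic figures are constructed.

```python
# Added example (not from the article): a per-user statistical baseline
# detector and a demonstration of baseline poisoning. All figures are
# constructed; "analyst1" is a hypothetical account.
from statistics import mean, pstdev


def build_baseline(history):
    """history: {user: [MB transferred per hour, ...]} -> {user: (mean, stdev)}.

    In production this would be recomputed on a schedule, because what is
    normal shifts with time of day and season (the "constant tuning" the
    article mentions).
    """
    return {user: (mean(samples), pstdev(samples))
            for user, samples in history.items()}


def detect(baseline, observed, threshold=3.0):
    """Return alerts as (user, hour_index, value, z_score).

    A sample alerts when its z-score against the user's own baseline exceeds
    the threshold in either direction (unusually low traffic is also a
    deviation). Accounts with no baseline are reported with z_score=None so
    an analyst sees them rather than silently ignoring them.
    """
    alerts = []
    for user, samples in observed.items():
        if user not in baseline:
            alerts.extend((user, i, x, None) for i, x in enumerate(samples))
            continue
        mu, sigma = baseline[user]
        for i, x in enumerate(samples):
            if sigma == 0:
                z = 0.0 if x == mu else float("inf")
            else:
                z = (x - mu) / sigma
            if abs(z) > threshold:
                alerts.append((user, i, x, round(z, 2)))
    return alerts


# Constructed data: MB per hour moved by one analyst account on normal days.
CLEAN_HISTORY = {"analyst1": [40, 45, 50, 42, 48, 44, 46, 43]}
# Constructed bulk-copy hours that occurred during an incident.
ATTACK_HOURS = [400, 420, 380, 410]
# Constructed new observations containing two more bulk-copy hours.
NEW_OBSERVATIONS = {"analyst1": [47, 410, 44, 390, 45]}


def clean_baseline_alerts():
    """Baseline learned from clean history: the 410 and 390 hours alert."""
    return detect(build_baseline(CLEAN_HISTORY), NEW_OBSERVATIONS)


def poisoned_baseline_alerts():
    """Baseline learned while the attack was in progress: nothing alerts."""
    poisoned = {u: s + ATTACK_HOURS for u, s in CLEAN_HISTORY.items()}
    return detect(build_baseline(poisoned), NEW_OBSERVATIONS)


if __name__ == "__main__":
    print("clean baseline   :", clean_baseline_alerts())
    print("poisoned baseline:", poisoned_baseline_alerts())
```

With the clean history the two 400 MB hours sit well over a hundred standard deviations from the mean and are flagged; once the four attack hours are folded into the baseline, the mean rises to 164 MB and the standard deviation to roughly 169 MB, so the same hours score under z = 1.5 and pass as normal. The practical check this suggests is to validate a baseline window against an independent source (ticketing, change records, a known-clean period) before trusting it, and to re-baseline deliberately rather than continuously.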
Snowden's use of other people's passwords to access classified networks did not surprise experts. Many corporate employees, including IT staff, share passwords with people in their own department.
Within an IT department, a system administrator will sometimes share his password with people who need access to servers, Paul Martini, chief executive of network security company iboss, said.
Putting stricter policies in place that prevent password sharing, particularly for accounts held by administrators, would improve security, Martini said. Another best practice would include compartmentalizing the network, and giving people access only to the areas that they need to be in to do their job.
"It seems obvious, but not every IT personnel, even at the higher level, should have access to certain passwords or (critical) systems," Martini said.
Technically speaking, experts did not believe Snowden had hacked any firewalls to enter certain parts of the NSA system, as reported by The Times.
Instead, Snowden might have found an open port through a firewall or broken into a network that was trusted by another network, Ron Gula, chief executive officer of Tenable Network Security, said.
"It's very unlikely that he broke into a firewall and then perhaps configured the firewall to give him access," Gula said. "It was much more likely he just found a port to talk to a server on the other side of that firewall."