With Hollywood about to tell us the story, we will soon be reminded about the massive government surveillance program revealed by Edward Snowden. As we all remember, in 2013, Snowden revealed and leaked sensitive and classified information to several journalists. Currently in asylum within Russia, Snowden has been charged with theft of government property, unauthorized communication of national defense information and willful communication of classified intelligence to an unauthorized person.
This example is a classic reminder of how powerful and impactful a trusted insider can become by elevating privileges and leaking sensitive data undetected. This act has been a huge controversy for years and it has been debated whether or not Snowden is a hero, a whistleblower, a patriot or a traitor. Hackers had assumed for many years that governments were performing massive surveillance; however, it was never confirmed until Snowden revealed sensitive documents that provided the truth of its existence and started major debates over government surveillance, encryption, national security and privacy.
It has also featured in recent debates, such as the case between the FBI and Apple over unlocking an iPhone. Let us not forget the revelations and disclosure of the NSA hacking tools that are now available online to almost every hacker and cyber-criminal. These tools, which had been used for national security purposes or for intelligence gathering on other nation states, can now be used maliciously.
Thycotic’s most recent survey of hackers at the Black Hat Conference, August 3 to 4 in Las Vegas, shows overwhelming support for data privacy among respondents, yet, in a seeming contradiction of their own beliefs, half said they would be willing to hack your password for a fee if asked by the FBI. This comes in the context of a recent controversy in which the FBI hired a third party to help crack the password for the iPhone of a shooting suspect after Apple refused to help on grounds of protecting privacy.
In the same Black Hat survey, nearly one-third of hackers believe that the government decrypting our data will cause more harm than good. 40% believe if the FBI can do it (as they did in the Apple iPhone case), anyone can get access. In addition, 42% of hackers surveyed believe that the government has been hacking and spying on our personal data for years. However, only now is this practice getting noticed. The result is that 77% don’t believe any password is safe from hackers.
The U.S. presidential election this year has also been a focus and target for cyber security attacks, with much debate over the benefit of government surveillance programs, encryption and privacy. Some presidential candidates have been going as far as saying that the government should have back doors into citizens' devices and data. The significant difference in this particular presidential election has been the interference from foreign nation states, such as the hacking of the Democratic National Committee servers, which has been closely linked to Russia. Again, playing out like a Hollywood movie.
The method by which Edward Snowden was able to perform his malicious insider actions should be a major reminder for all organizations and governments globally, and it should raise the question: What can trusted insiders do with privileged credentials and accounts?
The exact method has never been disclosed, but from various public comments, it is widely believed that Snowden was able to create a privileged account and then fabricate Secure Shell (SSH) keys that were then used to move laterally to unauthorized systems containing sensitive data and ultimately use encryption to extract the data. Moving forward, we need to remove these security risks by minimizing administrator privileges, applying consistent permissions, and making dynamic privilege elevation and least privilege the default. This clearly is one of the most significant failures for many organizations and governments.
It is imperative to identify what privileged accounts mean to your company. Ask yourself the following questions to find out:
Once you have identified what a privileged account means for your organization, the next step is to reduce the risk and get in control by implementing strong Privileged Account Management solutions and processes:
Whether or not Edward Snowden is a hero or traitor will continue to be debated. However, the major reminder here is to reduce the risk of both external attackers and trusted insiders by providing adequate security that applies Least Privilege Strategy, removes administrator privileges and limits overall administrator access to systems.