The Trusted Insider – Is Edward Snowden a Hero or a Traitor?

Joe Carson

  • Head of Global Strategic Alliances at Thycotic
Joe Carson is a cyber security professional with more than 20 years’ experience in enterprise security & infrastructure. Currently, Carson is the Head of Global Strategic Alliances at Thycotic. He is an active member of the cyber security community and a Certified Information Systems Security Professional (CISSP).

With Hollywood about to tell us the story, we will soon be reminded about the massive government surveillance program revealed by Edward Snowden. As we all remember, in 2013, Snowden revealed and leaked sensitive and classified information to several journalists. Currently in asylum within Russia, Snowden has been charged with theft of government property, unauthorized communication of national defense information and willful communication of classified intelligence to an unauthorized person.

This case is a classic reminder of how powerful and impactful a trusted insider can become by elevating privileges and leaking sensitive data undetected. The act has been a huge controversy for years, and it is still debated whether Snowden is a hero, a whistleblower, a patriot or a traitor. Hackers had long assumed that governments were performing mass surveillance, but it was never confirmed until Snowden revealed sensitive documents that proved its existence and started major debates over government surveillance, encryption, national security and privacy.

The same themes surfaced in the recent case between the FBI and Apple over unlocking an iPhone. Let us not forget the disclosure of the NSA hacking tools that are now available online to almost every hacker and cyber-criminal. Tools originally used for national security purposes and intelligence gathering on other nation states can now be turned against the very organizations they were built to protect.

Thycotic’s most recent survey of hackers at the Black Hat Conference, August 3 to 4 in Las Vegas, shows overwhelming support for data privacy among respondents, yet in a seeming contradiction of their own beliefs, half said they would be willing to hack your password for a fee if asked by the FBI. This comes in the context of a recent controversy in which the FBI hired a third party to help crack the password for the iPhone of a shooting suspect after Apple refused to help on grounds of protecting privacy.

In the same Black Hat survey, nearly one-third of hackers believe that the government decrypting our data will cause more harm than good. 40% believe if the FBI can do it (as they did in the Apple iPhone case), anyone can get access. In addition, 42% of hackers surveyed believe that the government has been hacking and spying on our personal data for years. However, only now is this practice getting noticed. The result is that 77% don’t believe any password is safe from hackers.

The U.S. presidential election this year has also been a focus and target for cyber security attacks, with much debate over the benefit of government surveillance programs, encryption and privacy. Some presidential candidates have gone as far as saying that the government should have back doors into citizens’ devices and data. The significant difference in this particular presidential election has been the interference from foreign nation states, such as the hacking of the Democratic National Committee servers, which has been closely linked to Russia. Again, it is playing out like a Hollywood movie.

The method by which Edward Snowden was able to perform his malicious insider actions should be a major reminder for all organizations and governments globally, and it should raise the question: What can trusted insiders do with privileged credentials and accounts?

The exact method has never been disclosed, but from various public comments it is widely believed that Snowden was able to create a privileged account, fabricate Secure Shell (SSH) keys that were then used to move laterally to unauthorized systems containing sensitive data, and ultimately use encryption to extract the data. Moving forward, we need to remove these security risks by minimizing administrator privileges, keeping permissions consistent, and making dynamic privilege elevation and least privilege the default. This is clearly one of the most significant failures for many organizations and governments.

It is imperative to identify what privileged accounts mean to your company. Ask yourself the following questions to find out:

  1. What is a privileged account?
  2. Where are privileged accounts located?
  3. Who has access to privileged accounts?
  4. Do you have contractors accessing privileged accounts?
  5. When are privileged accounts used?
  6. What is the risk of privileged accounts being used by an external attacker?
  7. What is the risk of privileged accounts being used by an insider?
  8. Do you have an IT security policy covering privileged accounts in place?
  9. Are government and industry regulations applicable?
  10. Are you actively reporting on privileged account use and exposure?

Once you have identified what a privileged account means for your organization, the next step is to reduce the risk and get in control by implementing strong Privileged Account Management solutions and processes:

  1. Educate employees on the risks and responsibilities of privileged accounts
  2. Automate the management of Privileged Accounts and SSH keys using a dedicated enterprise Privileged Account Management (PAM) Solution
  3. Change default IDs and passwords and check aging, integrity and validation
  4. Formal and enforced password policy for privileged accounts
  5. Do NOT allow direct sharing of Privileged Accounts. Privileged Accounts should be assigned and delegated with expirations with limitations on disclosure
  6. Creation of Privileged Accounts should require approval
  7. Privileged Accounts should be on demand only and used only when permitted with required change process
  8. All accounts should have expiration dates set
  9. All activity of Privileged Accounts should be audited
  10. Proactively discover privileged accounts and monitor for discrepancies and changes
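Items 6 through 10 above (approval for new privileged accounts, expiration dates, auditing, and proactive discovery of discrepancies) can be checked mechanically. The script below is an added example, not code from the article or from Thycotic; it runs a privileged-account review over constructed snapshots of a Linux-style passwd file, group file, account expiry dates and per-account SSH authorized_keys, and diffs them against an approved baseline. The account names, key comments and dates are constructed, and the baseline dictionary stands in for whatever record of approvals a real PAM process keeps.

```python
"""Privileged-account drift check over constructed Linux-style snapshots.

Added example (not from the original article). All inputs below are
constructed; a real deployment would read /etc/passwd, /etc/group,
/etc/shadow and each account's ~/.ssh/authorized_keys instead.
"""
from datetime import date

# Constructed /etc/passwd snapshot. 'toor' is a second uid-0 account that
# nobody approved, the kind of account an insider might create.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:1001:1001:Backup service:/var/backups:/bin/sh
toor:x:0:0:second uid-0 account:/root:/bin/bash
"""

# Constructed /etc/group snapshot; 'sudo' and 'wheel' grant admin rights.
GROUP = """sudo:x:27:alice
wheel:x:10:
users:x:100:alice,svc-backup
"""

# Account expiry as /etc/shadow would record it (None = never expires).
EXPIRY = {"root": None, "alice": date(2016, 6, 30), "svc-backup": None, "toor": None}

# Current authorized_keys per account (key material shortened, constructed).
AUTHORIZED_KEYS = {
    "root": ["ssh-ed25519 AAAAC3key1 alice@laptop"],
    "svc-backup": ["ssh-rsa AAAAB3key2 backup@bastion", "ssh-rsa AAAAB3key3 nobody@nowhere"],
}

# Approved state from the last review (hypothetical PAM record).
BASELINE = {
    "privileged": {"root", "alice"},
    "keys": {
        "root": {"ssh-ed25519 AAAAC3key1 alice@laptop"},
        "svc-backup": {"ssh-rsa AAAAB3key2 backup@bastion"},
    },
}

ADMIN_GROUPS = {"sudo", "wheel"}


def parse_passwd(text):
    """Return {username: uid} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[2])
    return users


def parse_group(text):
    """Return {group: set(members)} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, _, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def privileged_accounts(users, groups):
    """Accounts that are uid 0 or members of an admin group."""
    priv = {u for u, uid in users.items() if uid == 0}
    for g in ADMIN_GROUPS:
        priv |= groups.get(g, set())
    return priv


def review(users, groups, expiry, keys, baseline, today):
    """Return findings against the approved baseline, in a stable order."""
    findings = []
    priv = privileged_accounts(users, groups)
    # Item 6: privileged accounts that were never approved.
    for acct in sorted(priv - baseline["privileged"]):
        findings.append(f"unapproved privileged account: {acct}")
    # Item 8: every privileged account needs an expiry, and expired ones must go.
    for acct in sorted(priv):
        exp = expiry.get(acct)
        if exp is None:
            findings.append(f"no expiration set: {acct}")
        elif exp < today:
            findings.append(f"expired but still present: {acct}")
    # Item 10: SSH keys that appeared without going through the approval record.
    for acct, current in sorted(keys.items()):
        approved = baseline["keys"].get(acct, set())
        for key in sorted(set(current) - approved):
            findings.append(f"unapproved SSH key for {acct}: {key.split()[-1]}")
    return findings


def run(today=date(2016, 9, 1)):
    """Review the constructed snapshots as of the given date."""
    return review(parse_passwd(PASSWD), parse_group(GROUP), EXPIRY,
                  AUTHORIZED_KEYS, BASELINE, today)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Run on a schedule and fed into the audit trail, the findings list is the "discrepancies and changes" monitor of item 10: a new uid-0 account, an admin-group membership nobody approved, or an SSH key that was added outside the change process shows up on the next run rather than months later. Built-in root is deliberately reported for having no expiry, so the exception has to be recorded rather than assumed.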

Whether Edward Snowden is a hero or a traitor will continue to be debated. The major reminder here, however, is to reduce the risk from both external attackers and trusted insiders by providing adequate security that applies a least privilege strategy, removes administrator privileges and limits overall administrator access to systems.

Tags: privacy, surveillance, black hat, Edward Snowden, CSO Australia, classified information
