Lessons for CSOs in Snowden exploit of NSA networks | Network World

While working as an NSA contractor, Snowden used the passwords of other employees and hacked firewalls to enter classified computer systems, The New York Times reported over the weekend. His network movements were not monitored, because the NSA was several months away from turning on tracking software that would trace the activity of employees at the Hawaii facility where Snowden worked.

...

While the investigation into Snowden continues, experts said Monday that what is known so far should be enough to get CSOs thinking about securing computer systems against malicious insiders.

Too many corporate networks are designed to block intruders from the outside, but don't do enough to catch people stealing data from the inside, either for financial gain or out of revenge for not getting a raise or a promotion.

Read the article, while it's nothing new, it gives you a good perspective of the problem I think the security world need to focus on, or actually needed to focus 10 years ago.

Defensive security and reactive security are no longer good solutions. They were maybe a plausible solution back in the late 90s / early 2000s. However, as many cases have proven, the worst problems are the insiders. Security and IT managers often think that once inside the innermost network, access should be allowed. Why not? I mean, these are employees and vetted contractors, right?

Wrong.

Having a flat network is dangerous. It will not only allow attackers that manage to breach the outer perimeter to move freely, but also any emplyoyee will be able to roam freely and access anything. And getting the right credentials to do this is not all that difficult.

After we perform an internal assessment, pretending to be either an attacker that managed to get physical access to the building and connecting to the inside network, or a disgruntled employee, we often provide these few points as a starting point to start building an internal security solution:

  1. Always act as if the network has been breached and an attacker is actively sitting inside the network.
  2. Compartmentalize the network. Segments should be planned and managed according to a very strict set to access rules.
  3. The default should be access denied and if access is needed, this should be carefully reviewed and set.
  4. Always encrypt data both in transit and at rest. Do not provide access to data unless strictly necessary.
  5. Have a well defined plan for an emergency response.
  6. Always have active network and log monitoring and have your emergency team actually manage this.
  7. Immediately remove users that no longer need access. Either network-wide (the employee no longer works at the company) or by segment (the employee no longer needs access to the data).

Once you have this in place, you can start planning the rest, from monitoring to access rights, from system interconnectivity to internet access.

The key here is point (1): Always act as if the network has been breached and an attacker is actively sitting inside the network.