Government // Cybersecurity
Commentary
7/14/2014
09:06 AM
Steve Jones

Government Security: Saying 'No' Doesn't Work

It's time for government agencies to move beyond draconian security rules and adopt anomaly analytics.

Governments are cautious. They love security rules and access management and generally lean towards saying "no" to most things. Some of that is certainly required, but the Edward Snowden case and other security breaches have shown that rules aren't actually very effective when dealing with social engineering attacks.

Edward Snowden, as an IT systems administrator employed by the National Security Agency, was allowed access to classified information as part of his job. His role and credentials meant that he was able to compromise sensitive NSA data, easily circumventing its advanced security systems, software, and policies without raising any eyebrows -- until it was too late.

As a graduate student, I worked in the defense sector. As a part of our training, my team was asked to experiment with some social engineering around people's passwords to see what would be revealed. We grabbed clipboards and ventured out into our organization to time how long it took employees to enter passwords. Looking over people's shoulders, we would start the stopwatch, mark down their username, and see if we could successfully figure out their passwords as they typed.


If we couldn't figure out the password, we'd remark to these individuals how they had been particularly fast or slow with their password input and then ask them what their password was. A remarkable percentage of employees (more than 50%) gave us their passwords without ever questioning our motives.

What is the lesson here? This experiment revealed to us that social engineering remains one of the most effective ways to steal data, and that an internal threat (however small) is still a major threat vector for data loss. You can add as many access control, verification, and other security technologies as you wish, but they will be rendered completely ineffective if someone either sets out to steal information or is successfully conned into giving up their credentials.

Within government departments, the overwhelming role of security teams appears to be the hackneyed "Just Say No" message trotted out by the anti-drug campaigns of the 80s. This has led to employees actively subverting policies in order to get their work done more quickly and efficiently. For example, a qualified employee deemed a sys-admin gains access to everything. The rules may say that only one person in the department can do the approvals, but often these qualified individuals end up allowing unauthorized employees to access their accounts to prevent themselves from becoming a bottleneck.

Your network may have all of its security software patched, virtual machines in place, and the virtual desktop infrastructure (VDI) to prevent attacks, but there are individuals both inside and outside any organization pushing new threats and new vectors. This leaves organizations reacting to these attacks after the fact. By reactively putting more restrictions in place, they slow down government work even further.

The solutions for smarter security need to be less linear as threats become more complex. Security isn't a binary concept of "horse in barn" or "horse bolted." Edward Snowden was technically accessing information within his allowed parameters, but what was unusual about his actions was that he was able to download this information. Government departments contain data that would be highly valuable for other governments, corporations, and criminals. Government security policies, however, have barely accepted the Internet and email as viable communication mechanisms -- a view that needs to shift quickly as cloud services, SaaS, and the need for more efficient government become ever more pressing drivers of change.

Consider this example: If someone approves an invoice that is out of his or her role because it gets the job done more quickly, what does this mean? It isn't necessarily fraudulent behavior, but it could be. An organization will first want this behavior stopped, and then will want a manager notified to be able to make a sensible decision on what should be done. Or what if

Steve Jones is Capgemini's Group Strategy Director for Big Data and Analytics. He is the author of Enterprise SOA Adoption strategies and the creator of the Business Data Lake reference architecture, the first unified approach to big and fast data analytics. He has worked ...
Comments
Gary Scott,
User Rank: Strategist
8/12/2014 | 7:45:45 PM
Effective way to steal data
The most effective way to steal data is to have access to the hardware (hard drives and backup tapes). When it comes time to retire and dispose of old PCs and servers, equipment is usually moved from a secure area to a warehouse, storage area or unused office and ends up at a recycling facility.

Securing data requires securing access to digital data.  Have your hard drives and backup tapes shredded before they leave the secure area.