It's time for government agencies to move beyond draconian security rules and adopt anomaly analytics.
Governments are cautious. They love security rules and access management and generally lean towards saying "no" to most things. Some of that is certainly required, but Edward Snowden and other security breaches have shown that rules aren't actually very effective when dealing with social engineering attacks.
Edward Snowden, as an IT systems administrator employed by the National Security Agency, was allowed access to classified information as part of his job. His role and credentials meant that he was able to compromise sensitive NSA data, easily circumventing its advanced security systems, software, and policies without raising any eyebrows -- until it was too late.
As a graduate student, I worked in the defense sector. As a part of our training, my team was asked to experiment with some social engineering around people's passwords to see what would be revealed. We grabbed clipboards and ventured out into our organization to time how long it took employees to enter passwords. Looking over people's shoulders, we would start the stopwatch, mark down their username, and see if we could successfully figure out their passwords as they typed.
If we couldn't figure out the password, we'd remark to these individuals how he or she had been particularly fast or slow with their password input and then ask them what their password was. A remarkable percentage of employees (more than 50%) gave us their passwords without ever questioning our motives.
What is the lesson here? This experiment revealed to us that social engineering remains one of the most effective ways to steal data, and that an internal threat (however small) is still a major threat vector for data loss. You can add as many access control, verification, and other secure technologies as you wish, but they will be rendered completely ineffective if someone either sets out to steal information or is successfully conned into giving up their credentials.
Within government departments, the overwhelming role of security teams appears to be the hackneyed "Just Say No" message trotted out by the anti-drug campaigns of the 80s. This has led to employees actively subverting policies in order to get their work done more quickly and efficiently. For example, a qualified employee deemed a sys-admin gains access to everything. The rules may say that only one person in the department can do the approvals, but often these qualified individuals end up allowing unauthorized employees to access their accounts to prevent themselves from becoming a bottleneck.
Your network may have all of its security software patched, virtual machines in place, and the virtual desktop infrastructure (VDI) to prevent attacks, but there are individuals both inside and outside any organization pushing new threats and new vectors. This leaves organizations reacting to these attacks after the fact. By reactively putting more restrictions in place, they slow down government work even further.
The solutions for smarter security need to be less linear as threats become more complex. Security isn't a binary concept of "horse in barn" or "horse bolted." Edward Snowden was technically accessing information within his allowed parameters, but what was unusual about his actions was that he was able to download this information. Government departments contain data that would be highly valuable for other governments, corporations, and criminals. Government security policies, however, have barely accepted the Internet and email as viable communication mechanisms -- a view that needs to shift quickly as cloud services, SaaS, and the need for more efficient government become ever more pressing drivers of change.
Consider this example: If someone approves an invoice that is out of his or her role because it gets the job done more quickly, what does this mean? It isn't necessarily fraudulent behavior, but it could be. An organization will first want this behavior stopped, and then will want a manager notified to be able to make a sensible decision on what should be done. Or what if
Steve Jones is Capgemini's Group Strategy Director for Big Data and Analytics. He is the author of Enterprise SOA Adoption strategies and the creator of the Business Data Lake reference architecture, the first unified approach to big and fast data analytics. He has worked ... View Full Bio
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.