Snowden: A “Trust but Verify” Story Gone Wrong

Snowden Movie Night

Oliver Stone has brought “Snowden” to the big screen.

Blimey. I’d finally stopped culling my social networks to the bone, put Mr. Robot hoodies in a box in the garage and stopped checking behind the shower curtain before getting in.

Oh well. With hindsight and better insight, let’s reflect on some steps the government could take to mitigate this kind of situation happening again. In this blog, though, for a change, I’m going to start with the human angle instead of diving headlong into the technology. I want to highlight first the “people” in “people, process and technology.”

Technical security controls will not prevent a motivated individual from going “to the dark side.” They may be mentally predisposed to that type of behavior or heavily influenced by an environmental factor (e.g., coercion, blackmail, poverty). This is why agencies tend to follow the same clearance model of background checks (e.g., did you steal things as a teen or do you have a lot of debt) and “spychological” tests to try and spot potentially divergent behavioral tendencies.

But, behavior can be influenced. Deterrents are awesome. They can sway a person’s resolve, avoiding a compromising situation. They can make a person hesitate and reassess, missing their ideal window of opportunity. They can cause someone to veer off the ideal attack vector to another that’s less ideal, creating more time and opportunity for oversight, scrutiny and discovery.

So let’s not undersell the value of deterrents. Of course, technology plays a role in this story as we shall see.

Too Much Privilege, Too Much Temptation

No matter how much you trust your 10-year-old, you would not give her the keys to the car. In Snowden’s case, there was top secret clearance and then there was top secret + “system administrator.” Trust + uber-trust. The former gave access to some, but not all, classified information. Snowden was a system administrator and so could access ANY server, run ANY application and look at ANY file.

His role and privileges were so high that his activities were, for the most part, unaudited. Because he worked remotely (5,000 miles away in Honolulu), his activities were not physically monitored either.

In any chain of trust, someone audits you, someone else audits your auditor and so on. What happens at the top of the chain? At Snowden’s level of trust, the assumption was that you police yourself. Basically, there were few, if any, checks and balances. Therein lies the problem. Trust should not be absolute. Trust but verify. The “verify” bit was absent.

So it’s ironic that one of his tasks was migrating very sensitive data to a more secure environment! What a recipe for temptation — unbridled access, lack of oversight, plus his disillusionment on many levels.

How Modern Technology Can Help Deter

A few years ago I bought two fake video surveillance cameras with realistic blinking red LEDs and a fake alarm for my house. My goal was to deter opportunistic thieves and vandals. Quick, inexpensive and zero maintenance. Those more determined, of course, would skirt the “defenses” and try to find an alternative way in at the risk of losing that quick “in-and-out” opportunity.

In Snowden’s world, implementing session recording at a proxy or host level and also notifying him that he’s being recorded would have a similar deterrent effect. As would advising him that people in a security oversight or audit capacity can selectively monitor live login sessions in real-time (without the observed being aware). The overseers do not actually need to monitor all the time. The potential of being observed is all that’s required (although clearly not a best-practice).

Compound such deterrents with better access controls and you now have a really strong combination. The most obvious control is role-based access control. Realistically, NOBODY needs to access every server, run every application or access every file in the network. So, roles are assigned to limit what you can do. If your job really doesn’t require you to telnet to server X or edit the sudoers file, then you’re blocked from doing so.

This model ties nicely with a related concept — “least privilege,” which is now a core security control in many regulations and guidelines such as NSA’s Methodology for Adversary Obstruction, PCI-DSS, NIST 800-53 and the SANS Institute CIS Critical Security Controls. In this model, Snowden doesn’t log in as “administrator” or “root”; instead he logs in as himself with a unique ID that’s fully audited and ties back to him. Audit logs would show something like “ed.snowden@blah.gov” instead of “root@blah.gov” for full accountability.

It enables him to do routine stuff like checking e-mail and running a word processor app. However, when he needs to access a sensitive file or run a sensitive application, he can only do so if he has a role assigned that will permit temporary elevation of his privileges. Once done, he’s back down to least privilege.

With this in place, agencies could then wrap a request/approval mechanism around selective privileged activities, such as when Snowden requests checkout of a “dash-a” account password or an automatic remote login to a sensitive machine. From the list of active sessions in her portal dashboard, the approver would have the option of monitoring Snowden’s session in real-time. This introduction of a second person to approve the request is yet another layer of deterrent with the psychological effect of Snowden knowing that his activities are more visible and a potential subject of closer scrutiny.
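The workflow described above (a unique per-person ID, a role that bounds what can be elevated, a second person who approves, a time-bound elevation, and audit entries that never read “root”), modelled as an added example in Python. This is not Centrify’s code or any product API; the role table, user IDs and the elevation lifetime are constructed for illustration.

```python
# Constructed policy for this example: roles list the privileged actions they may
# be elevated into; every session and audit entry names the individual, never "root".
ROLE_ACTIONS = {
    "sysadmin": {"read_sensitive_share", "edit_sudoers"},
    "analyst": {"read_reports"},
}
ELEVATION_TTL = 15 * 60  # seconds an approved elevation stays valid
RECORDING_NOTICE = "This session is recorded and may be monitored live by audit staff."

class PrivilegeBroker:
    """Least-privilege broker: a base session does routine work only; a privileged
    action needs a role that permits it, approval by a second person, and expires."""

    def __init__(self, user_roles):
        self.user_roles = user_roles   # unique user ID -> role name
        self.audit = []                # entries attributed to the individual's ID
        self.elevations = {}           # (user, action) -> expiry (epoch seconds)

    def _log(self, user, event, **detail):
        self.audit.append({"who": user, "event": event, **detail})

    def login(self, user):
        """Start a base-privilege session and show the deterrent notice."""
        self._log(user, "session_start", recorded=True)
        return RECORDING_NOTICE

    def request_elevation(self, user, action, approver, now):
        """Grant a time-bound elevation only if the role allows it and
        the approver is someone other than the requester."""
        role = self.user_roles.get(user)
        if action not in ROLE_ACTIONS.get(role, set()):
            self._log(user, "elevation_denied", action=action, reason="role does not permit")
            return False
        if approver == user:
            self._log(user, "elevation_denied", action=action, reason="self-approval")
            return False
        self.elevations[(user, action)] = now + ELEVATION_TTL
        self._log(user, "elevation_granted", action=action, approver=approver)
        return True

    def perform(self, user, action, now):
        """Allow one action inside an unexpired approved elevation, then drop back."""
        expiry = self.elevations.pop((user, action), None)
        if expiry is None or now > expiry:
            self._log(user, "action_blocked", action=action)
            return False
        self._log(user, "action_performed", action=action)
        return True
```

Each call leaves an entry in `audit` under the individual’s own ID, so the trail an overseer reads matches the “ed.snowden@blah.gov” rather than “root@blah.gov” picture above.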

TL;DR

So, in hindsight, an effective risk mitigation approach blending both “people” (the human element) and “technology” could have changed the Snowden outcome dramatically (maybe to the chagrin of Mr. Stone looking for his next JFK):

  • Technology: enforcing the use of roles + privilege elevation to limit scope
  • People: deterrents — advertising that sessions are being audited and recorded + sensitive actions require explicit human approval and can be monitored in real-time

To learn more about Centrify’s Privileged Access Security solutions, check here.