Re: Stopping insider threat - Perimeter Security
I love the post about the three year old grand-daughter and perimeter security. But the thing that she did not have access to was to classified material, the material did not affect the lives of hundreds of millions of people where their rights were being violated (3, 4, 5 amendments). So if the question was posed to her after numerous human and privacy rights were violated, would she give the same response as Snowden (Prism), Thomas Drake (TrailBlazer), William "Bill" Binney (ThinThread) and now Pegasus (FBI used to access Apple Phones). I am not sure how I would compare giving badges back to something that affects people all over the world, but to your point, go figure.
But anyway, to the point made by San Francisco, (Ret.) Admiral Michael Rogers:
▲Who has access to what data; what [access do they] need?...What works for one doesn't necessarily work for the other."
→ I agree with this statement wholeheartedly, I do think that information for one group does not necessarily work for the other, but if we were to look at the Snowden situation, who says it would not have come from military personnel (Thomas Drake - Airforce and Navy Veteran- was a member of the military who was found guilty of the Esponiage act but was later exonerated of all charges). This person brought information to his chain of command and was told to ignore it (to violate privacy rights and continue to overstep the bounds of government authority). Thomas Drake was a hero to the military and to people around the world but he was arrested and treated like a second-class citizen, go figure.
▲ The key is to understand user behavior on and off your network that could signal potential for stress or risk, he explained. Stressed users can become security risks.
→ So we go around validating a person's stress levels at work where they are already under stress, I am not sure how that will help because in an organization like this, when you walk in the door, you feel a level of stress due to the high-level of responsibility and the nature of work expected from this organization. Will people have to wear health braclets to detemine if their stress level is high or will a form of AI come into play to monitor human vital signs, not sure but we will take that under advisement?
▲ "Or like in our case [at NSA], it was the responsibility to make sure it didn't fall into the wrong hands," he said. "That control was also central. Not everybody in NSA had access to all the data; we had control for only those who needed it."
→ Interesting, so how did Edward Snowden gain access to classified material where he plugged in a thumbdrive to a classified system in Hawaii and extracted documents from various sources that talked about how data would be processed from Points of Presence and ISPs across the globe? Also, if I am not mistaken, wasn't the general on watch when Shadow Brokers accessed their internal network (NSA) and was able to publish on a website the tools the NSA used to access systems ranging from Windows, Linux, Routers, etc. It is interesting that someone tries to give advice on securing an environment where they themselves have been hacked and their information has been monitized for attacks against the US, I am not sure if this person should be providing any advice.
▲ Users will make mistakes, Rogers said. The key is to incentivize them to avoid security missteps. "It's not about hammering them [for their missteps], but 'it's we work as a team to maximize security and efficiency ... and we respect you as an individual'" that also plays a key role in protecting the organization's valuable information, Rogers explained.
→ I do agree with this statement, that we should be working together as a team but the problem that is paramount in business or governmental environments stems from most people are not willing to listen (just go with the flow). The General made a great point but the people around him may not feel the same way (it could be due to their training or just unwillingness to work with others, some instances it stems from doing things things from an authoritarian standpoint (Remember Thomas Drake went to his superior and stated that this practice was just wrong (4th Amendment - Surveilance responsibility), they walked him out and tried to prosecute him. William "Bill" Binney went to his higher ups and stated that he did not feel comfortable with releasing the internal application locks that in were in place to protect American citizens from being spyed on (ThinThread), they came to his house and address him at gunpoint in his shower).
▲ This gives users a stake in the security of the organization and its data. "I also believe in having a really frank discussion. There is a level of responsibility here – we acknowledge that. That responsibility can vary, but fundamentally if we're giving [the user] access ... there's a responsibility to ensure [its security]," Rogers said. "It's like a contract."
→ Interesting, a contract is based on three things -> Terms/Conditions, Money/Value, Parties. Ok, from a TC (Terms and Conditions) point, there needs to be language to protect the American people and not violate their rights as citizens. There needs to be language stating that if this information is brought to your attention, there will be open conversation and dialogue instead of being made to agree while looking down the barrel of a gun. Money - if the person is working, if they are getting a reasonable rate, then that would be considered the value side relating to the contract (the higher the clearance, the higher the rate, based on responsibility). Parties - Either party should be able to discuss the concerns without being criticized or fired or removed from their post (place of employment), but in most instances that I described, they did this very thing and were punished for their actions to people who served their country (malicious use of power).
I do agree that we should take responsibility to secure environments and protect vital government data, but lets not loose sight of the big picture, these individuals were shunned/punished because they wanted to protect the rights of American citizens. They should be looked at as heros, we need to review the controls that we have in place so that this treatment is not realized ever again especially for people who felt that this overstepped the bounds of the US Constitution.
T
Special Report: Computing's New Normal, a Dark Reading PerspectiveThis special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
The Threat from the Internet—and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Tweet This
17 Comments
User Rank: Ninja
4/12/2019 | 9:11:11 AM
T