
Ex-NSA Director Rogers: Insider Threat Prevention a 'Contract'
User Rank: Ninja
4/12/2019 | 9:11:11 AM
Re: Learn from mistakes
Learn from your mistakes. I agree with that, but this has happened numerous times across the board at different time frames, so it is not that they need to learn; the question we need to ask is, when something of significance is built and brought to the attention of executive management, why do they allow the same thing to happen over and over again (malicious misuse of power)? Congress knew about the building of these devices/solutions and they (Congress) asked the management staff to remove the controls (allow the system to monitor US citizens). I am not sure how they are learning if they keep doing the same thing over and over again, but at this point it will continue to happen no matter who is in office.


User Rank: Moderator
4/12/2019 | 12:50:42 AM
Learn from mistakes
We all learn from past mistakes and in this scenario, the affected large organisations have to do just that. If that major data leak did not happen, they would have no clue that such a critical internal breach could even occur in the first place. Buck up and hope for a brighter future!
User Rank: Ninja
3/28/2019 | 1:11:13 PM
Re: Stopping insider threat - Perimeter Security
I love the post about the three-year-old granddaughter and perimeter security. But the thing that she did not have access to was classified material; the material did not affect the lives of hundreds of millions of people whose rights were being violated (3rd, 4th, 5th Amendments). So if the question was posed to her after numerous human and privacy rights were violated, would she give the same response as Snowden (PRISM), Thomas Drake (TrailBlazer), William "Bill" Binney (ThinThread) and now Pegasus (FBI used to access Apple phones)? I am not sure how I would compare giving badges back to something that affects people all over the world, but to your point, go figure.

But anyway, to the point made by San Francisco, (Ret.) Admiral Michael Rogers:

▲ "Who has access to what data; what [access do they] need? ... What works for one doesn't necessarily work for the other."

→ I agree with this statement wholeheartedly. I do think that information for one group does not necessarily work for the other, but if we were to look at the Snowden situation, who says it would not have come from military personnel (Thomas Drake, an Air Force and Navy veteran, was a member of the military who was found guilty of the Espionage Act but was later exonerated of all charges)? This person brought information to his chain of command and was told to ignore it (to violate privacy rights and continue to overstep the bounds of government authority). Thomas Drake was a hero to the military and to people around the world, but he was arrested and treated like a second-class citizen, go figure.

▲ The key is to understand user behavior on and off your network that could signal potential for stress or risk, he explained. Stressed users can become security risks.

→ So we go around validating a person's stress levels at work, where they are already under stress? I am not sure how that will help, because in an organization like this, when you walk in the door, you feel a level of stress due to the high level of responsibility and the nature of work expected from this organization. Will people have to wear health bracelets to determine if their stress level is high, or will a form of AI come into play to monitor human vital signs? Not sure, but we will take that under advisement.

▲ "Or like in our case [at NSA], it was the responsibility to make sure it didn't fall into the wrong hands," he said. "That control was also central. Not everybody in NSA had access to all the data; we had control for only those who needed it."

→ Interesting, so how did Edward Snowden gain access to classified material, where he plugged a thumb drive into a classified system in Hawaii and extracted documents from various sources that talked about how data would be processed from points of presence and ISPs across the globe? Also, if I am not mistaken, wasn't the general on watch when Shadow Brokers accessed their internal network (NSA) and was able to publish on a website the tools the NSA used to access systems ranging from Windows, Linux, routers, etc.? It is interesting that someone tries to give advice on securing an environment where they themselves have been hacked and their information has been monetized for attacks against the US; I am not sure if this person should be providing any advice.

▲ Users will make mistakes, Rogers said. The key is to incentivize them to avoid security missteps. "It's not about hammering them [for their missteps], but 'it's we work as a team to maximize security and efficiency ... and we respect you as an individual'" that also plays a key role in protecting the organization's valuable information, Rogers explained.

→ I do agree with this statement, that we should be working together as a team, but the problem that is paramount in business or governmental environments stems from most people not being willing to listen (just go with the flow). The General made a great point, but the people around him may not feel the same way (it could be due to their training or just unwillingness to work with others; in some instances it stems from doing things from an authoritarian standpoint). Remember, Thomas Drake went to his superior and stated that this practice was just wrong (4th Amendment - surveillance responsibility); they walked him out and tried to prosecute him. William "Bill" Binney went to his higher-ups and stated that he did not feel comfortable with releasing the internal application locks that were in place to protect American citizens from being spied on (ThinThread); they came to his house and addressed him at gunpoint in his shower.

▲ This gives users a stake in the security of the organization and its data. "I also believe in having a really frank discussion. There is a level of responsibility here – we acknowledge that. That responsibility can vary, but fundamentally if we're giving [the user] access ... there's a responsibility to ensure [its security]," Rogers said. "It's like a contract."

→ Interesting, a contract is based on three things: terms/conditions, money/value, parties. OK, from a T&C (terms and conditions) point, there needs to be language to protect the American people and not violate their rights as citizens. There needs to be language stating that if this information is brought to your attention, there will be open conversation and dialogue instead of being made to agree while looking down the barrel of a gun. Money: if the person is working, if they are getting a reasonable rate, then that would be considered the value side relating to the contract (the higher the clearance, the higher the rate, based on responsibility). Parties: either party should be able to discuss the concerns without being criticized or fired or removed from their post (place of employment), but in most instances that I described, they did this very thing and were punished for their actions to people who served their country (malicious use of power).

I do agree that we should take responsibility to secure environments and protect vital government data, but let's not lose sight of the big picture: these individuals were shunned/punished because they wanted to protect the rights of American citizens. They should be looked at as heroes; we need to review the controls that we have in place so that this treatment is never realized again, especially for people who felt that this overstepped the bounds of the US Constitution.
User Rank: Ninja
3/26/2019 | 1:41:19 PM
Re: Stopping insider threat - Perimeter Security
Some time ago, my then 3-year-old granddaughter, Cariana, came to visit work with her mother and my wife. She loved pizza in the cafeteria and said hello to my colleagues. Of course all three had visitor badges, and when leaving, this little person took all three badges and said, "They have to be returned." !!!!! She walked to the security desk and handed them in. She was almost adopted on the spot. Lesson: even this 3-year-old got the concept of perimeter security BETTER than some employees do. Go figure.

Update: true, she did not have access to corporate data, and computer skills, while good, are lacking at age 3. I would give her 5 or 6 before she becomes a true hacker. LOL. The main thing is that she GOT a security concept that was basic and true.
User Rank: Author
3/26/2019 | 10:52:12 AM
Stopping insider threat
Good stuff!

A smart CISO I worked with once had set tripwires on sensitive data (at a cellular operator this is an obvious class of data) and would pick up the phone and call any user touching data they were not supposed to touch as close as possible to real time to ask them whether they really meant to do that. 

It was usually enough to ensure that the specific user (and everybody who knew them) did not ever touch sensitive data again. It may not have deterred criminals that were already determined to steal data, but most insider threats develop over time and are a combination of the level of temptation the data poses combined with the ease of getting it.

Plugging obvious holes - technical and behavioral - helps keep borderline honest people honest. 
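The tripwire the commenter describes, as an added example that is not the commenter's or any real operator's code: a checker fed audit records one at a time, which raises an alert the moment a user touches a sensitive dataset their role is not entitled to, so that someone can pick up the phone while the user still remembers what they were doing. It goes one step beyond the comment by also flagging an entitled user who reads an unusually large number of rows. The roles, datasets, row threshold and JSON-lines audit log are all constructed for the example.

```python
"""Near-real-time tripwire on sensitive data access (added example, not from the page)."""
import json
from collections import defaultdict

# Sensitive datasets at a hypothetical cellular operator (assumption for this example).
SENSITIVE = {"cdr", "billing", "location", "subscriber_pii"}

# Which role may touch which sensitive dataset (assumption for this example).
ENTITLEMENTS = {
    "billing_ops": {"billing"},
    "fraud_analyst": {"cdr", "billing", "location"},
    "support_l1": set(),  # works only through the ticketing front end, never raw tables
}

# Cumulative rows per (user, dataset) above which even an entitled read is flagged (assumption).
BULK_ROWS = 1000

# Constructed JSON-lines audit log; not captured from any real system.
SAMPLE_LOG = """\
{"ts":"2019-03-26T10:01:02Z","user":"alice","role":"billing_ops","dataset":"billing","rows":12}
{"ts":"2019-03-26T10:01:09Z","user":"bob","role":"support_l1","dataset":"location","rows":3}
{"ts":"2019-03-26T10:01:15Z","user":"carol","role":"fraud_analyst","dataset":"cdr","rows":900}
{"ts":"2019-03-26T10:01:20Z","user":"carol","role":"fraud_analyst","dataset":"cdr","rows":400}
{"ts":"2019-03-26T10:01:31Z","user":"alice","role":"billing_ops","dataset":"subscriber_pii","rows":1}
{"ts":"2019-03-26T10:01:40Z","user":"dave","role":"intern","dataset":"public_pricing","rows":50}
{"ts":"2019-03-26T10:01:44Z","user":"bob","role":"support_l1","dataset":"location","rows":5}
"""


def parse_event(line):
    """Parse one audit record; returns None for a malformed line (itself worth an alert)."""
    try:
        ev = json.loads(line)
        return {k: ev[k] for k in ("ts", "user", "role", "dataset", "rows")}
    except (ValueError, KeyError, TypeError):
        return None


class Tripwire:
    """Stateful checker: feed events one at a time, get alerts as they occur."""

    def __init__(self, entitlements=ENTITLEMENTS, sensitive=SENSITIVE, bulk_rows=BULK_ROWS):
        self.entitlements = entitlements
        self.sensitive = sensitive
        self.bulk_rows = bulk_rows
        self.rows_seen = defaultdict(int)  # (user, dataset) -> cumulative rows read
        self.already_called = set()        # (user, dataset) pairs that already got the call

    def check(self, ev):
        """Return an alert dict for this event, or None if it is unremarkable."""
        ds = ev["dataset"]
        if ds not in self.sensitive:
            return None
        allowed = self.entitlements.get(ev["role"], set())
        key = (ev["user"], ds)
        self.rows_seen[key] += ev["rows"]
        if ds not in allowed:
            reason = "no entitlement for role %s" % ev["role"]
        elif self.rows_seen[key] > self.bulk_rows:
            reason = "bulk read: %d rows" % self.rows_seen[key]
        else:
            return None
        # First offence gets the phone call; a repeat after the call is escalated instead.
        action = "escalate" if key in self.already_called else "call_user"
        self.already_called.add(key)
        return {"ts": ev["ts"], "user": ev["user"], "dataset": ds,
                "reason": reason, "action": action}


def run_tripwire(lines, tripwire=None):
    """Process a stream of audit lines; returns alerts in arrival order."""
    tw = tripwire or Tripwire()
    alerts = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev is None:
            alerts.append({"ts": None, "user": None, "dataset": None,
                           "reason": "unparseable audit record at line %d" % n,
                           "action": "investigate"})
            continue
        alert = tw.check(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_tripwire(SAMPLE_LOG.splitlines()):
        print("%(ts)s %(action)s %(user)s touched %(dataset)s: %(reason)s" % a)
```

On the sample log this fires four times: bob (support_l1) touching location, carol crossing the bulk threshold on her second CDR read, alice touching subscriber PII outside her billing entitlement, and bob's repeat, which is escalated rather than phoned again. Wiring this to a real audit feed means tailing the database or proxy log instead of `SAMPLE_LOG` and routing `call_user` to a pager or chat hook; the entitlement table should be generated from the access-control system rather than maintained by hand, or it drifts from what is actually granted.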


Kelly Jackson Higgins
User Rank: Strategist
3/26/2019 | 10:23:30 AM
Re: All too true
Adm. Rogers had some interesting insight into this topic, for sure. 
User Rank: Ninja
3/26/2019 | 10:14:08 AM
All too true
Excellent article in every respect, and the Admiral hits every point succinctly and soundly. Access to ONLY the data users need to do their job is key security rule number 1 ..... but many times it is bypassed for just EVERYTHING and that is that. Users want to be educated but often are not. Central controls are fine, but individual entry points through users are also key. I also remember when epoxy would have worked great on secure computers to prevent insertion of a USB key. Just SEAL IT UP. Done, closed - now worry about something else. TSA searches work sometimes too for very, very secure systems. Spot on article.
