In the May issue of the Communications of the ACM, Bob Toxen gives a thorough examination of the operational security failures of the NSA in the Snowden leak. Snowden, as an administrator, did have privileged access to many systems, but the scale of the leak, and the access control failures that allowed it, point to wide-scale operational security failures.
I do not agree with Bob Toxen on the ease of detecting smuggled USB sticks (into or out of the organisation): modern USB drives are far easier to smuggle in, and it is easier still to smuggle in SD cards and the like. I do agree with his assessment of the scale of logical access control failures: administrators in any large organisation should certainly not have access to all systems, and users with higher classification accounts should require multi-factor authentication to access highly sensitive information. These are not newfangled processes or controls; in fact the NSA helped write some of the key theory and practical guides in this area.
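The two controls argued for above (administrator rights scoped to named systems rather than everything, and a second factor demanded before highly classified information is released) are easy to state and easy to encode. The following is an added illustration written for this post; it is not code from Bob Toxen's article or from any NSA guidance. The classification ladder, the MFA threshold, the account names and the systems are all constructed for the example, and it goes slightly beyond the text by also enforcing a plain no-read-up rule (clearance must be at or above the resource's classification) and recording every denial in an audit list that an analyst could review.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed classification ladder for this example. The level at which a
# second factor becomes mandatory is an assumption, not a real policy value.
CLASSIFICATION_RANK = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
MFA_REQUIRED_AT_OR_ABOVE = "secret"


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str                 # highest classification this account may read
    admin_of: FrozenSet[str]       # systems this account may administer (scoped, never global)
    mfa_verified: bool = False     # whether a second factor was presented in this session


@dataclass(frozen=True)
class Resource:
    system: str
    classification: str


AUDIT: List[dict] = []   # every denial is recorded here for later review


def _rank(level: str) -> int:
    return CLASSIFICATION_RANK[level]


def evaluate(p: Principal, r: Resource, action: str) -> Tuple[bool, str]:
    """Decide whether `p` may perform `action` ("read" or "admin") on `r`.

    Rules, checked in order:
      1. No read-up: clearance must be at or above the resource classification.
         Administering a system that holds data is treated as access to that data,
         so the rule applies to "admin" as well as "read".
      2. Admin rights are per system: an administrator of one system gets nothing
         on another.
      3. Step-up: any access to data at or above the MFA threshold needs a verified
         second factor.
    """
    if action not in ("read", "admin"):
        decision = (False, f"unknown action {action!r}")
    elif _rank(p.clearance) < _rank(r.classification):
        decision = (False, "clearance below resource classification")
    elif action == "admin" and r.system not in p.admin_of:
        decision = (False, f"not an administrator of {r.system}")
    elif _rank(r.classification) >= _rank(MFA_REQUIRED_AT_OR_ABOVE) and not p.mfa_verified:
        decision = (False, "multi-factor authentication required for this classification")
    else:
        decision = (True, "allowed")

    if not decision[0]:
        AUDIT.append({"who": p.name, "action": action, "system": r.system,
                      "classification": r.classification, "reason": decision[1]})
    return decision


def demo() -> List[Tuple[str, bool, str]]:
    """Run a handful of constructed requests through the policy and return the decisions."""
    mail_admin = Principal("sysadmin-1", "secret", frozenset({"mail"}))
    analyst = Principal("analyst-7", "top_secret", frozenset(), mfa_verified=True)
    analyst_no_mfa = Principal("analyst-7", "top_secret", frozenset(), mfa_verified=False)
    requests = [
        ("admin of mail by mail admin", mail_admin, Resource("mail", "confidential"), "admin"),
        ("admin of wiki by mail admin", mail_admin, Resource("wiki", "confidential"), "admin"),
        ("read secret data, no MFA", mail_admin, Resource("mail", "secret"), "read"),
        ("read top_secret data with MFA", analyst, Resource("archive", "top_secret"), "read"),
        ("read top_secret data, no MFA", analyst_no_mfa, Resource("archive", "top_secret"), "read"),
    ]
    return [(label, *evaluate(p, r, a)) for label, p, r, a in requests]


if __name__ == "__main__":
    for label, allowed, reason in demo():
        print(f"{label:34s} -> {'ALLOW' if allowed else 'DENY':5s} ({reason})")
    print(f"{len(AUDIT)} denials recorded for review")
```

The ordering of the checks matters for what ends up in the audit trail: a request is refused for the most fundamental reason first (insufficient clearance), then for missing scope, and only then for a missing second factor, so a reviewer reading the denials can tell a mis-provisioned account from a user who simply has not stepped up yet.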
The lessons of the NSA's failures extend to most organisations. Unfortunately, unlike the NSA, most organisations do not have effectively unlimited funds at their disposal.