Stopping the Edward Snowden in your Organisation

In the eyes of some, NSA whistleblower Edward Snowden is a hero who leaked information about top secret state-sponsored surveillance operations to journalists, stoking a global debate on privacy. But from the point of view of his employer, he hardly turned out to be a model staff member.

3 February 2014


In the eyes of some, NSA whistleblower Edward Snowden is a hero who leaked information about top secret state-sponsored surveillance operations to journalists, stoking a global debate on privacy. But from the point of view of his employer, he hardly turned out to be a model staff member.

Snowden was subcontracted by the tech consulting firm Booz Allen Hamilton to work at an NSA office when he started making copies of top secret documents and began building a mammoth dossier of evidence of the United States' surveillance operations at home and overseas. In all, Snowden is thought to have extracted about 1.7 million documents without authorization, and the headlines continue to dominate the media and news broadcasts to this day.

At the heart of this story is the NSA, the National Security Agency - the intelligence organization tasked not only with gathering foreign intelligence, but also responsible with protecting US government information systems.

The fact that the NSA failed to properly protect their "crown jewels", the confidential files at the heart of their operation, because of its lax security is both damning and deeply humiliating.

After all, if the NSA can't keep their own secrets out of the public eye - what does that say of their ability to properly secure data and sensitive information they might be collecting on me, you, companies or a potential terrorist?

And it didn't take a foreign power to steal the information, or a crack team of cybercriminals. All it required was one young, disaffected tech-savvy external contractor.

The challenge is, of course, that the NSA needs to sometimes share sensitive information - either with its own staff, expert contractors, or international law-enforcement agencies with whom they are co-operating. And, similarly, your company probably may need to share sensitive data  between employees, external partners, contractors, lawyers and so forth.

If  security professionals clamp down on collaboration too much, no work can be done and companies suffer as a result. No one wants decent security to get in the way of your firm'sability to do business. But more than that, if security measures get in the way of workers’ ability to do their jobs, they may adopt consumer file-sharing services to make their work-life easier, but potentially put security at risk. So, a balance needs to be found.

How Should Enterprises Manage Sensitive Information?

My recommendation for enterprises is to reduce the threat of a data breach, by more tightly controlling both access to and the movement of sensitive information ”without” getting in the way of the legitimate work that needs to be done.

What do I mean by that?

Well, first of all, yes security professionals ”do” need to ensure that the basics are in place - anti-virus software, firewalls, access control and up-to-date security patches. And companies should properly configure their networks to limit the authority of sysadmins (especially if they are contracted-in external staff), and what they can access without approval from on-high.

But companies should also control the IT vulnerability surface. Endlessly adding technologies that often overlap creates complexities which are impossible to manage.   Technologies can be put in place to scan files as a user tries to copy them over to portable hard disks or USB devices, or attempts to send them to a webmail account.  These measures can be usedto determine if the behaviour is authorized or if the information is sensitive - flagging an alert to the IT department and optionally blocking the behaviour.  It is much easier to disallow older technologies (such as copying to a CD or USB drive) and put an enterprise file sharing solution in place where all control features are built-in, as opposed to the bolted-on scanners and rules engines described previously.

That particular solution to prevent misuse of data isn't going to work so well, however, when sensitive information is shared with other firms that run their own networks which aren't under your control. That is why more organisations are exploring enterprise file-sharing solutions that don't get in the way of collaboration, but can mitigate security risks as data is travels outside the company’s network.

Such solutions allow companies to control who (inside and outside the organizations) can access sensitive information and whether it can be saved or printed. In some cases, they can even prevent the user from taking illicit screen captures of the information. And, crucially, the best solutions give you the ability to "unshare" previously shared information, preventing it from being accessible after a project is completed or if it is no longer required.

The beauty of such an approach is that companies are able to track everything that happens with the data, logging who accesses what information and when, and controlling how the content is exchanged and worked upon.

At the end of the day, if you are working with someone like Edward Snowden who is determined to blow the whistle on your secrets, there's not much companies can do to stop them from talking. But companies can make it much less likely that employees will have a USB drive full of sensitive information in their back pocket which they're waiting to pass to the newspapers or sell on to competitors.


Graham Cluley

Graham Cluley

Graham Cluley is an award-winning veteran of the anti-virus industry, fighting cybercrime and raising awareness of computer security and privacy issues since the early 1990s. Find out more on his computer security blog or follow him on Twitter.