Mason Karrer

Snowed In By Internal Control Gaps?

Blog post created by Mason Karrer on Aug 19, 2013

When the Edward Snowden story first broke I remember how the crazy theories ran wild about his identity, his motivations, and (gasp!) whether we were safe. Heck, they still don’t seem to know exactly what this guy took or what his endgame truly is. As the story has continued to unfold, the interesting thing turned out to be not who he is, but WHAT he was. He wasn’t some agent gone rogue or a foreign super spy; he was a systems administrator! An IT contractor, for crying out loud! So as Congress continues “demanding answers on behalf of the American people,” cynical folks like me regard the whole thing as a charade. When millions of people hold top secret clearances, how is this not happening all the time?

 

I don’t need some fancy forensics team and congressional hearings to know the IT group holds the keys to the kingdom. Anybody who’s ever worked any kind of basic IT job knows that already. Those of us who rose through the ranks in security and audit understand very well just how pervasive access control gaps are on public and private sector networks alike. So while the general public is shocked and outraged, the only thing that surprises me is that it hasn’t happened sooner, or more often for that matter. Wait a minute...it HAS happened before. And it happens more often than you think. The difference is we rarely hear much about it.

 

Some people are calling for Snowden’s head on a pike while others label him a whistleblowing hero. Straw men abound and as the media debate rages on around the latest news story about thousands of NSA privacy violations, I’m left wondering how much of a sign this is of things to come. National security is one thing, but what about the people who have access to your company’s “top secret” info?

 

Remember, it’s not like Snowden was an underpaid government drone turned espionage actor, lurking in the shadows to supplement his retirement by selling secrets. On the contrary, from the sounds of it he had a pretty sweet private sector gig. So what does it take for an IT guy with a great job and a girlfriend in Hawaii to walk away from it all, publicly turn his life upside down, and become the most wanted guy on the planet? He says it was a belief that exposing his employer’s egregious violation of your civil liberties was the right thing to do. Is that really true? Could he really be that sincere? What kind of person actually does that? Well, for starters, an ideologue does. So maybe it’s not such a stretch after all. That doesn’t mean he’s right, or sane for that matter. But if I’m the CEO of a company with serious trade secrets or a checkered past (or both), maybe I’m starting to wonder what could happen if one of my employees drew inspiration from Snowden and decided to go rogue.

 

The global economic conditions over the last few years have boosted anti-corporate activism. Combine that with porous security, flash drives the size of a gnat, and anonymous access to a nearly instantaneous global news cycle, and it’s not hard to conclude that, whether for profit or popularity, a motivated insider poses a greater operational risk than ever before. If the President of the United States can’t touch an IT guy, then what’s an average CEO really going to do to an employee who blows the whistle? Prosecute them? Sue for damages? Pursuing criminal charges could quickly backfire and land the CEO in the clink if the employee was shining a light on criminal fraud. On the civil side, any punitive award would pale in comparison to the cost of pursuit, the PR fallout, and the repairs to the brand, presuming the company actually wanted to expose anything else internal in open court anyway. So even as a deterrent, any decision to initiate a lawsuit would require a serious corporate gut check as a prerequisite. When a subset of the population is guaranteed to rally behind the employee (the little guy) regardless, what does winning really look like when you’re suing somebody you just fired?

 

The other sad, simple reality, when you boil it all down to essentials, is that the security issues at play are still largely the 101 stuff. Maybe it’s time to play offense for a change. Technology always advances; budgets grow and shrink; but at the end of the day it’s always back to basics. It’s the same reason coaches preach fundamentals time and time again, even at the professional level. Information classification, least privilege, role-based access control, segregation of duties, policy, and culture: these basics will make or break the security posture of any organization. “Making it” hinges almost entirely on commitment and execution.

 

Information Classification (“Know what you have and what should be protected”) – One of the most boring, tedious tasks to undertake. Executives will magically be on retreats any time you try to initiate it. Legal departments hate dealing with it. Nobody wants to “restrict” people in today’s politically correct culture, and everybody is scared they’re forgetting something. But the fact is, if you can’t name it you can’t protect it, and there has never been a valid reason that everybody should be privy to everything. So for goodness sake, stop dancing around the issue and lock things down already.

 

Least-Privilege Access (“If you don’t need it, you don’t get it,” part 1) – Bedrock fundamental. In the public sector, terms like “clearance” and “need to know” are used. Guess what? The same authentication and authorization rules apply in the private sector too. And yes, they also apply to the IT staff. Encryption can help here tremendously, but only if you know what needs to be encrypted, and only if the keys are held outside the reach of the same administrators the encryption is meant to keep out; an admin who can read the data and the key is not really restricted by either.

 

Role-based Access Control (“If you don’t need it, you don’t get it,” part 2) – If the principle of least privilege defines the rules, the role-based access control model enforces them. Certain staff members require elevated privileges. It’s a fact. Own it. HOW they get and keep those privileges makes all the difference. Yes, “Everyone – Full Control” on the corporate <fill in the blank important file share> is easier to manage, but it’s also insane. Neither good basic access control practices nor even the more advanced setups (multi-factor authentication, IPsec, encryption) require a PhD to implement. With a little know-how, some elbow grease, and the right technology products and guidance, it’s actually pretty reasonable. So roll up your sleeves, get your people together with people who know what they’re doing, and insist the job’s done right. Your efforts will be rewarded.

 

Segregation of Duties (“You do your job and I’ll do mine”) – One of two things typically happens when jobs get cut. Either less work gets done (productivity suffers) or the remaining people pick up the slack, and security can suffer either way. Pretty soon the same accountant is preparing and posting journal entries, or the same procurement person is setting up vendors and paying them. You get the idea. Permit the lines to blur too much and the risk of fraud and other exposures skyrockets.
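The two controls above (role-based access control enforcing least privilege, and segregation of duties catching the accountant who both prepares and posts, or the buyer who both creates vendors and pays them) can be mechanized. The following is an added example, not code from the original post: a minimal RBAC model with a deny-by-default permission check, a preventive check that refuses a role grant which would create a toxic combination, and a detective check that sweeps existing assignments for violations. The role names, permission strings, conflict pairs and user assignments are all constructed for illustration.

```python
"""Added example: RBAC with least-privilege checks and a segregation-of-duties
(SoD) sweep. Roles, permissions, conflicts and users are constructed for
illustration; none of them come from the original post."""

# Roles map to the permissions the job needs and nothing more (least privilege).
ROLES = {
    "ap_clerk":    {"vendor.create"},
    "ap_payer":    {"vendor.pay"},
    "gl_preparer": {"journal.prepare"},
    "gl_approver": {"journal.post"},
    "sysadmin":    {"server.admin"},
}

# Toxic combinations: permission pairs that must never be held by one person.
SOD_CONFLICTS = [
    ("vendor.create", "vendor.pay"),
    ("journal.prepare", "journal.post"),
]


def effective_permissions(user_roles, roles=ROLES):
    """Union of the permissions granted by a user's roles; unknown roles are an error."""
    perms = set()
    for role in user_roles:
        if role not in roles:
            raise KeyError(f"unknown role: {role}")
        perms |= roles[role]
    return perms


def check_permission(user_roles, needed, roles=ROLES):
    """Deny by default: True only if some assigned role grants `needed`."""
    return needed in effective_permissions(user_roles, roles)


def toxic_pairs(perms, conflicts=SOD_CONFLICTS):
    """Conflict pairs fully present in a permission set."""
    return [(a, b) for a, b in conflicts if a in perms and b in perms]


def can_assign(user_roles, new_role, roles=ROLES, conflicts=SOD_CONFLICTS):
    """Preventive control: refuse a role grant that would create a toxic pair."""
    perms = effective_permissions(list(user_roles) + [new_role], roles)
    return not toxic_pairs(perms, conflicts)


def sod_violations(assignments, roles=ROLES, conflicts=SOD_CONFLICTS):
    """Detective control: {user: [conflicting pairs]} over current assignments."""
    report = {}
    for user, user_roles in assignments.items():
        hits = toxic_pairs(effective_permissions(user_roles, roles), conflicts)
        if hits:
            report[user] = hits
    return report


# Constructed sample: after headcount cuts, "pat" absorbed both AP roles.
ASSIGNMENTS = {
    "alice": ["gl_preparer"],
    "bob":   ["gl_approver"],
    "pat":   ["ap_clerk", "ap_payer"],
    "root":  ["sysadmin"],
}

if __name__ == "__main__":
    for user, hits in sod_violations(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {hits}")
    print("grant ap_payer to alice:", can_assign(ASSIGNMENTS["alice"], "ap_payer"))
    print("grant gl_approver to alice:", can_assign(ASSIGNMENTS["alice"], "gl_approver"))
```

The preventive check is the one to wire into whatever provisioning workflow grants roles; the detective sweep is the one to schedule, because role definitions drift and a role that was harmless on its own can pick up a permission later that turns an existing assignment into a conflict.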

 

Sometimes cutbacks are required. It’s often easier to believe the executives are heartless, but in my experience it’s one of the most dreadful things they ever have to contend with. Almost without exception, though, the company emerges healthier as a result. So it’s a necessary evil. That said, Mr./Ms./Mrs. CEO, it’s grossly irresponsible not to ensure that continuity of the control environment is baked into your plan. You don’t get a free pass on security gaps just because you had to make some tough calls in between vacations. Suck it up and do the right thing. And if your control environment stunk before your cutbacks, then I’m definitely selling your stock now.

 

Policy and Culture (“Lead by example and make sure it’s a good one”) – The difference between leadership and merely being in charge is often all about the tone you set. Every CEO will say they insist on quality and excellence. But truly great leaders walk the walk and earn the respect of their people as a result. Even if they’re not always enjoyable to be around or to work for, chances are you’d still rather be in the camp of a leader who leads by example. Because you know that, even though they may delegate most of the heavy lifting, if push comes to shove they’ll grab a shovel and dig in alongside you if that’s what it takes for the group to succeed. To me, that’s what policy and culture are really all about. Policy reinforces the tone set at the top, and the culture of the organization flows both from and back into it. If the tone is flaky and insincere, the policies will be useless and the culture will be listless and indifferent.

 

On the flip side, it’s simply impossible to have too much integrity. So set good examples for your people, and challenge them to do the same. While mistakes cannot be overlooked, try first to embrace them as teachable moments before jumping to negative consequences. And reward your people handsomely when they succeed. Accept that rules are needed, so insist on having good ones, and insist they’re clearly understood and followed by all. With strong leadership, good morale, and a solid security posture blended into the background, the positive momentum shift is measurable. In a proactive environment like that, people want to do the right thing on their own because they’re inspired. And the risk of the next “Snowden-gate” landing at that company’s doorstep is substantially reduced.

 

Need help getting started? Stuck on a problem? We’re here to help. We understand this stuff as well as anybody and our cutting edge products are literally redefining security, risk management, and compliance.
