It has been more than three years now since Edward Snowden revealed and leaked sensitive and classified information to several journalists about a secret, and massive, government surveillance program. Currently in asylum within Russia, Snowden has been charged with theft of government property, unauthorized communication of national defense information and willful communication of classified intelligence to an unauthorized person.
This story is a classic reminder of how impactful and powerful a trusted insider can become by elevating privileges and leaking sensitive data undetected. This act has been a major controversy for years and it has been debated whether or not Snowden is a hero, a whistleblower, a patriot or a traitor.
For many years, it has been assumed by hackers that governments have been performing massive surveillance. However, this was never confirmed until Snowden revealed sensitive documents that proved its existence and started major debates over government surveillance, encryption, national security and privacy.
It has also been a topic of recent debates in connection with the case between the FBI and Apple over unlocking an iPhone. Let us not forget the disclosure of the NSA hacking tools that are now available online to almost every hacker and cyber-criminal. These tools, which had been used for national security purposes or for intelligence gathering on other nation states, can now be used maliciously.
Thycotic’s most recent Black Hat Conference survey of hackers found overwhelming support for data privacy among respondents. Nevertheless, in a seeming contradiction of their own beliefs, half of those polled said that they would be willing to hack your password for a fee if asked by the FBI. This comes in the context of a recent controversy in which the FBI hired a third party to help crack the password for the iPhone of a shooting suspect after Apple refused to help on grounds of protecting privacy.
In the same survey, nearly one-third of hackers believe that the government decrypting our data will cause more harm than good. 40 percent believe if the FBI can do it (as they did in the Apple iPhone case), anyone can get access. In addition, 42 percent of hackers surveyed believe that the government has been hacking and spying on our personal data for years. However, only now is this practice getting noticed. The result is that 77 percent don’t believe any password is safe from hackers.
The way in which Edward Snowden was able to carry out his malicious insider actions should be a major reminder for all organizations and governments globally, and it should raise the question: What can trusted insiders do with privileged credentials and accounts?
While the exact method has never been revealed, it is broadly believed that Snowden was able to create a privileged account and then fabricate Secure Shell (SSH) keys. These keys were then used to move laterally to unauthorized systems containing sensitive data and ultimately to use encryption to extract the data. Moving forward, I believe that we need to remove these security risks by minimizing administrator privileges, applying consistent permissions, and making dynamic privilege elevation and least privilege the default. This clearly is one of the most significant failures for many organizations and governments around the world.
The most important thing that any business can do is to identify what privileged accounts mean to their company. Start by asking yourself the following questions:
- What is a privileged account?
- Where are privileged accounts located?
- Who has access to privileged accounts?
- Do you have contractors accessing privileged accounts?
- When are privileged accounts used?
- What is the risk of privileged accounts being used by an external attacker?
- What is the risk of privileged accounts being used by an insider?
- Do you have an IT Security Policy covering privileged accounts in place?
- Are government and industry regulations applicable?
- Are you actively reporting on privileged account use and exposure?
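
As an added example (not from the original article or from any vendor tool), the sketch below answers two of the questions above, where privileged accounts are located and who can reach them over SSH. It lists UID 0 accounts and admin-group members, then flags their authorized keys that carry no `from=` or `command=` restriction. The admin group names, account names and key material are constructed assumptions.

```python
import re

PRIV_GROUPS = {"sudo", "wheel"}  # assumption: groups that grant admin rights here
KEY_RE = re.compile(r'(?:^|\s)((?:ssh|ecdsa|sk)-\S+)\s+(\S+)(?:\s+(.*))?$')

def privileged_accounts(passwd_text, group_text):
    """Return {user: reason} for UID 0 accounts and members of admin groups."""
    priv = {}
    for line in passwd_text.strip().splitlines():
        name, _, uid = line.split(":")[:3]
        if uid == "0":
            priv[name] = "uid 0"
    for line in group_text.strip().splitlines():
        group, _, _, members = line.split(":")[:4]
        if group in PRIV_GROUPS:
            for m in filter(None, members.split(",")):
                priv.setdefault(m, f"member of {group}")
    return priv

def audit_keys(priv, authorized_keys):
    """List keys that log in to a privileged account; mark unrestricted ones."""
    findings = []
    for user, text in authorized_keys.items():
        if user not in priv:
            continue
        for line in (l.strip() for l in text.splitlines()):
            m = None if line.startswith("#") else KEY_RE.search(line)
            if not m:
                continue
            options = line[:m.start()]  # option list precedes the key type
            restricted = any(o in options for o in ("from=", "command="))
            findings.append({"account": user, "why": priv[user],
                             "key_comment": m.group(3) or "", "restricted": restricted})
    return findings

# Constructed sample data, not taken from any real system
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
svc_backup:x:0:0::/home/svc_backup:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash"""
GROUP = """sudo:x:27:alice
users:x:100:alice,bob"""
KEYS = {
    "root": 'from="10.0.0.5" ssh-ed25519 AAAAC3NzaCONSTRUCTED1 ops@bastion',
    "svc_backup": "ssh-rsa AAAAB3NzaCONSTRUCTED2 unknown@laptop",
    "bob": "ssh-ed25519 AAAAC3NzaCONSTRUCTED3 bob@desk",
}

FINDINGS = audit_keys(privileged_accounts(PASSWD, GROUP), KEYS)
```

In the sample, `svc_backup` is the entry to investigate: a second UID 0 account reachable with an unrestricted key from an unrecognized source.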
Whether or not Edward Snowden should be remembered as a patriot or traitor is up for debate in the court of public opinion. Obviously, this is a topic that will continue to be debated and we haven’t seen the end of it.
Nevertheless, the major reminder is to reduce the risk of both external attackers and trusted insiders by providing adequate security that applies a least privilege strategy, removes administrator privileges and limits overall administrator access to systems.