How Did Snowden Do It? by Kelly Jackson Higgins.
From the post:
The full story of just how the now-infamous systems administrator Edward Snowden was able to grab highly classified documents from the world’s most secretive spy agency and expose its controversial spying practices may never be public, but some clues have emerged that provide a clearer picture of how the most epic insider leak in history may have transpired.
Snowden, the former Booz Allen contractor working as a low-level systems admin for the NSA at its Hawaii post, reportedly coerced several of his colleagues to provide him with their credentials, according to a report by Reuters late last week. He may have convinced up to 25 staffers at the NSA regional operations center there to hand over their usernames and passwords under the pretext that he needed them for his job, according to the report.
Did you notice the shifting description of Snowden’s actions in the second paragraph?
At first Snowden “coerced several of his colleagues.” Then Snowden “convinced up to 25 staffers.” If you jump to the Reuters story, Snowden “persuaded other NSA workers to give up passwords….”
Persuasion is a long way from coercion, at least as I understand those terms.
Unfortunately, Congress is considering a variety of technical fixes to what is ultimately a user problem.
The user problem? Sharing of admin logins and passwords.
Sharing among privileged and admin account holders is fairly commonplace. More than half of organizations surveyed earlier this year by CyberArk said their “approved” users share their admin and privileged account passwords.
Snowden’s social engineering of his colleagues to get their credentials played off of an environment of trust. “Employees want to please their co-workers, so if he said, ‘hey, I need your help because I’ve gotta get something done’ … there’s a trust that can be taken advantage of,” says John Worrall, chief marketing officer at CyberArk.
“What’s troubling is there are a couple of basic tenets of security that you never want to screw around with, [including] you never share your credentials,” Worrall says. “The whole access control model is based on identity and then the access model is useless and it blows up.”
None of the remedies being discussed or funded by Congress addresses that fundamental breakdown in security.
I’m sure it would be harder right now to obtain a login/password at the NSA but give it six (or fewer) months.
A better solution than the “throw money at our contractor friends” used by Congress is to have regular internal security testing.
Offer a bounty to staff who get other staff to share their login/password.
What happens to those who share logins/passwords should depend on their level of access and potential for harm.