Feds Finally Embracing 21st Century Security

by Security Specialist Paul Kenyon of Avecto

Last Fall must have been a time for wound licking in the West Wing of the White House, particularly as it considered the fallout from the WikiLeaks Affair and the vast number of U.S. diplomats who were being embarrassed on a weekly basis by the publication of embarrassing or just plain stupid “private” communications.

It was time for an executive order directing all US government agency heads who deal with classified information to designate a senior official to oversee their organizations' activities around the sharing and protection of their sensitive information. These guardians of security have also been tasked with implementing a program to detect insider threats once the task force has finally ground to a conclusion.

President Obama’s executive order was the result of a seven-month review by his administration in which the White House sought to find a proper balance between security and the need for agencies to share classified information.

Under the executive order, the government will coordinate information sharing and ensure that agencies that use classified computer networks protect that information. Each agency will have a senior official oversee classified information and be responsible for safety measures.

Several departments and agencies, including the Pentagon and the CIA, have already taken steps to control people’s ability to place classified data on disks or removable memory devices, as well as limiting the number of users with permission to use such devices.

Specifically, the order mandates Attorney General Eric Holder and the U.S. director of national intelligence, James Clapper, to establish an Insider Threat Task Force to find ways to deter and detect security breaches.

Against the backdrop of existing government agencies, some critics have questioned the need for yet another agency to deal with security matters, but it is worth noting that it has been almost six years since the inception of WikiLeaks, yet the government has only just begun to identify methodologies to combat insider threats within the military.

The bottom line here is that the government needs to move swiftly if it is to maintain credibility — especially in an election year.

Earlier in 2011, the White House revealed language on new legislation directing private industries to improve computer security voluntarily and have those standards reviewed by the Department of Homeland Security (DHS).

The government, all the way from federal to state, and down to city levels, clearly has plenty of work to do on preventing insider attacks. Our view is that it is about time the White House caught up on ideas and technology that many corporate clients have known about for several years.

What enterprises already know

Establishing a least privilege environment is the first step to achieving an IT environment in which everyone can still be productive while remaining secure.

The White House, of course, may not be taking this route to better security for all the right reasons, as there is an argument that it is simply looking to avoid another WikiLeaks Cablegate by creating more agency oversight and security for data stored on classified networks.

It is worth noting that the executive order signed by President Obama creates a number of new inter-agency governing bodies that will work together to oversee the protection of classified information across federal agencies and departments, while at the same time balancing the needs of federal users that have permission to access it. The order also makes federal organizations responsible for the sharing and protection of their classified information, as well as mandating that they designate a senior official to oversee these tasks.

In addition, agencies and departments must willingly provide information for independent assessments of their compliance with security policy and standards, as well as implement an insider threat detection and prevention program, which is where the Insider Threat Task Force enters the frame.

In addition to the task force, the executive order also sets up a series of committees to ensure agency compliance with the security measures and to facilitate interagency coordination. The Senior Information Sharing and Safeguarding Steering Committee will have overall responsibility for the new policies and be held accountable for department and agency compliance.

Senior officials from the DOD and NSA will jointly act as a new Executive Agent for Safeguarding Classified Information on Computer Networks to develop technical policies and standards to protect classified information. The plan is for this executive agent to also be responsible for third-party assessments of agency compliance.

It’s also worth noting that, while officials were laying the groundwork for the new policies, the Insider Threat Task Force had been working informally since June of last year to clarify policies in several priority security areas. For example, a number of departments and agencies already have standardized policies for removable media, limiting the number of users who are permitted to use such devices.

Administrators of classified systems have also enacted measures to strengthen online identity management policies and their ability to track the information being accessed by these users.

Will this work?

So will the executive order stop sophisticated attacks, as exemplified by complex and targeted malware such as Stuxnet and Duqu? This is debatable, but the additional security layers that enterprises have been using for years, such as privilege management, can greatly assist in this regard.

Effective privilege management allows IT professionals to control who has access to specific applications running on the corporate IT platform, as well as to the underlying data. This means, for example, that if the admin team only runs its control and security software from within the network perimeter on known PCs, then access to those applications can be locked down to specific on-network and even on-workgroup computers.

Then, even if a set of admin account credentials is compromised by hackers or other external (and unwanted) agencies, they cannot use those credentials from the Internet. They would still have to gain physical access to the terminals used by the admin staff.

This security methodology revolves around the principle of least privilege, which, in turn, translates into a least risk scenario since the attack surface of the network is significantly reduced.
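The two-factor gate described above (who is asking, and from which machine) can be modelled as a small policy check. This is an added illustration, not Avecto's product or the article's own code; every role, application, subnet and address in it is a constructed sample value.

```python
"""Toy least-privilege policy: an application runs only if the caller's role
permits it AND the request comes from a host on that application's approved
network. Stolen admin credentials presented from the Internet therefore fail.
All names and addresses below are constructed examples."""
import ipaddress

# Role -> applications that role may run. Ordinary users get none of the admin tools.
ROLE_APPS = {
    "admin": {"patch-console", "siem-console", "word"},
    "user": {"word"},
}

# Application -> networks it may be launched from. Admin tools are pinned to the
# admin workgroup subnet; a normal office app may run from anywhere on the corporate range.
APP_NETWORKS = {
    "patch-console": [ipaddress.ip_network("10.10.50.0/24")],
    "siem-console": [ipaddress.ip_network("10.10.50.0/24")],
    "word": [ipaddress.ip_network("10.0.0.0/8")],
}

def evaluate(role, app, source_ip):
    """Return (allowed, reason). Both the identity and the location check must pass."""
    if app not in ROLE_APPS.get(role, set()):
        return False, "role not permitted to run application"
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in APP_NETWORKS[app]):
        return False, "source host not in approved network for application"
    return True, "ok"

def review_denials(requests):
    """Run evaluate() over (account, role, app, source_ip) tuples and return the
    denied ones with reasons: the list a security team would alert on."""
    denied = []
    for account, role, app, src in requests:
        allowed, reason = evaluate(role, app, src)
        if not allowed:
            denied.append((account, app, src, reason))
    return denied

# Constructed sample requests: a legitimate admin on an admin workstation, a user
# trying an admin tool, and valid admin credentials used from an Internet address.
SAMPLE_REQUESTS = [
    ("alice", "admin", "patch-console", "10.10.50.12"),
    ("bob", "user", "siem-console", "10.10.7.3"),
    ("alice", "admin", "siem-console", "203.0.113.45"),
]

if __name__ == "__main__":
    for entry in review_denials(SAMPLE_REQUESTS):
        print(entry)
```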

In view of the looming elections, there is an argument that the DHS should take a leaf out of the security industry’s best practices by adopting this least privilege approach.

But how should the White House go down this path?

Our observations are that the President needs to designate a senior official to be charged with overseeing the project, as well as implementing an insider threat detection and prevention program on a multi-agency basis. In parallel with this, the government and its agencies also need to ensure that their information is properly classified, as well as start researching the many types of data leak prevention (DLP) technology that are available to today’s businesses.

Coupled with regular self-assessments of current security arrangements — as well as not being afraid to bring in external advisers — this cannot help but engender a positive approach to data security in all its various shapes and forms.

The final step that needs to be taken is to implement a policy of least privilege, a process that is easier than many professionals think. Researchers found that, when analyzing published Windows 7 vulnerabilities through March 2010, 57 percent were no longer applicable after removing administrator rights.

In comparison, Windows XP was at 62 percent, Windows Server 2003 was at 55 percent, Windows Vista was at 54 percent, and Windows Server 2008 was at 53 percent.

Whether or not all of this activity is going to result in the death of the insider threat is a moot question. The eradication of the insider threat depends upon two things: The first is the education of people working in government, and their realization that all of the information they deal with is sensitive and has to be protected.

The second is the determination of IT security departments to implement regimes of least privilege, to stem the influx of super-users who have been able to bypass some of those internal security controls with ease. On paper, it all looks very easy. Unfortunately, it is not, hence the President’s intervention.

Paul Kenyon is a security specialist at Avecto.