How Edward Snowden roamed the National Security Agency network, stealing documents that would later be released to select media, raises a number of red flags chief security officers should pay attention to, experts say.
While working as an NSA contractor, Snowden used the passwords of other employees and hacked firewalls to enter classified computer systems, The New York Times reported over the weekend. His network movements were not monitored, because the NSA was several months away from turning on tracking software that would trace the activity of employees at the Hawaii facility where Snowden worked.
Media reports on NSA spying based on documents taken by Snowden started in June, sparking an intense national debate on the NSA's collection of massive amounts of data on the Internet activity of Americans and foreigners. Lawmakers have introduced bills in Congress to rein in the NSA.
Law enforcement and intelligence investigators told The Times that they might never have a full tally of the classified information taken by Snowden. He is living and working in Russia, which has granted him asylum for one year.
While the investigation into Snowden continues, experts said Monday that what is known so far should be enough to get CSOs thinking about securing computer systems against malicious insiders.
Too many corporate networks are designed to block intruders from the outside, but don't do enough to catch people stealing data from the inside, either for financial gain or out of revenge for not getting a raise or a promotion.
"They're kind of like an egg," Stephen Perciballi, category leader for security solutions at Softchoice, said of a lot of networks. "It may be somewhat difficult for an outsider to get in, but once you're in there, you can move around quite fluidly."
To catch malicious behavior from the inside, Zak Dehlawi, senior security engineer at Security Innovation, suggested intrusion detection systems (IDS) that are statistical-based. Such systems take a baseline measurement of normal network and computer activity and alert security pros to any deviations, such as increases or decreases in network traffic or strange IP addresses.
However, these systems require constant tuning, since what's normal will vary according to the time of day or year, Dehlawi said.
"Even worse is if a baseline measurement is taken while an attack is in progress," he said. "From that point on, the attack traffic will be considered normal traffic and will not trigger the IDS."
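As an added illustration (not from the article or from the experts it quotes), a minimal z-score detector over constructed per-window byte counts shows both behaviours described above: a baseline taken from quiet windows flags a later bulk transfer, while a baseline that happens to include the transfer never flags it. Threshold, window size and traffic values are all assumptions chosen for the demo.

```python
"""Statistical-baseline anomaly detection, and the poisoned-baseline failure mode.

Constructed sample: bytes transferred per 5-minute window from one workstation.
Windows 0-11 are ordinary activity; windows 12-15 carry a bulk transfer that a
detector should report.
"""
from statistics import mean, pstdev

TRAFFIC = [1200, 1350, 980, 1100, 1420, 1010, 1190, 1300, 1050, 1280, 1150, 1220,
           9800, 10400, 9900, 10100]


def baseline(samples):
    """Return (mean, population std-dev) of the windows treated as 'normal'."""
    return mean(samples), pstdev(samples)


def anomalies(samples, base, threshold=3.0):
    """Indices of windows whose z-score exceeds `threshold` in either direction.

    Deviations below the mean are reported too: a sudden drop in traffic can be
    just as telling as a spike (for example a host that stops logging).
    """
    mu, sigma = base
    sigma = sigma or 1.0  # a perfectly flat baseline would otherwise divide by zero
    return [i for i, x in enumerate(samples) if abs(x - mu) / sigma > threshold]


def clean_baseline_alerts():
    """Baseline learned from quiet windows only: the bulk transfer is flagged."""
    return anomalies(TRAFFIC, baseline(TRAFFIC[:12]))


def poisoned_baseline_alerts():
    """Baseline learned while the transfer was under way: the mean and spread
    absorb it, every z-score stays below the threshold, and nothing is flagged."""
    return anomalies(TRAFFIC, baseline(TRAFFIC))


if __name__ == "__main__":
    print("clean baseline flags windows:", clean_baseline_alerts())
    print("poisoned baseline flags windows:", poisoned_baseline_alerts())
```

A practical mitigation is to learn the baseline from a reviewed period and to re-examine it whenever the learning window itself contained an incident, rather than letting the model update continuously from unvetted traffic.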
A relatively new technology that may be useful once it matures is called "behavioral modeling," Kevin Coleman, strategic management adviser on critical technology issues at IT services company SilverRhino, said. Such technology knows how each employee normally uses computer systems and networks and reports all abnormal behavior.