web analytics

Snowden-Proofing the NSA

by Mark Graban on June 17, 2013 · 5 comments

usb flash drive 150x150 Snowden Proofing the NSA leanRegardless of whether you think the NSA leaks that Edward Snowden admitted to make him a hero or a traitor, it begs the question:

How is the National SECURITY Agency so bad at securing its own information? They’re better at snooping than securing, I guess.

This article has an explanation:  NSA leaker Ed Snowden used banned thumb-drive, exceeded access.

From the article:

Edward Snowden, the contract employee who leaked details of the agency’s broad-scale data gathering on Americans, exceeded his authorized access to computer systems and smuggled out Top Secret documents on a USB drive — a thumb-sized data storage device banned from use on secret military networks.

He should not have been able to do either of those things” without setting off alarm bells, said one private sector IT security specialist who has worked on U.S. government classified networks. He spoke on condition of anonymity because of the sensitivities of his current employer.

Here’s a perfect example of a policy not being policed or followed very well. The same might be true in a factory (there’s a policy that safety glasses must be worn) or in a hospital (a policy says staff members always wash or disinfect their hands before entering/leaving a patient room). The written policy is pretty meaningless if it’s not being followed.

The NY Times said  he was “left loosely supervised” by the NSA and the contractor Booz Allen Hamilton. It sounds like there was some poor management or other systemic breakdowns that helped allow Snowden to get away with this.

I don’t know how the NSA or other agencies police this, but one idea would be supervisors or security being on the lookout for such devices. When one is seen, corrective action must be taken (just as supervisors have a responsibility to speak up if somebody’s not wearing their glasses or washing their hands).

Compared to glasses and hands, it might be easier to mistake proof  against the use of USB devices.

Again, from the Washington Times:

A number of commercially available programs can switch off the USB port of every computer on the network.

“There is easily available software to do that,” said the security specialist…

There are different ways of blocking USB port access, with pros and cons (as written about here).

The Washington Times article talks not only about software fixes, but also physical (hardware) prevention:

“I have seen places where they used a hot glue gun to block it,” he said of the USB port.

While this article calls that a “dumb” tactic, it seems that physically blocking or damaging the port might be pretty effective (and inexpensive). I’m surprised that big vendors, like Dell, for example, don’t offer PCs with zero USB ports built in to be sold to high-security environments.

While physically disabling the port might qualify as a kaizen-style idea (being more clever than expensive), there could be side effects, such as the ports not being available for legitimate uses.

Either way, why is the NSA apparently so ineffective at monitoring its own staff and contractors, yet alone monitoring the entire world’s communications?


Mark Graban 2011 Smaller Snowden Proofing the NSA leanAbout LeanBlog.org: Mark Graban is a consultant, author, and speaker in the “lean healthcare” methodology. Mark is author of the Shingo Award-winning books Lean Hospitals and Healthcare Kaizen, as well as the new Executive Guide to Healthcare Kaizen. Mark is also the VP of Innovation and Improvement Services for KaiNexus.


pixel Snowden Proofing the NSA lean
photo by: Ambuj Saxena
pinit fg en rect gray 28 Snowden Proofing the NSA lean
Please consider leaving a comment or sharing this post via social media.

{ 5 comments… read them below or add one }

1 Mark Graban
Twitter:
June 17, 2013 at 9:57 am

From LinkedIn:

Barry Alexander: Simple do as they did in securing nuclear secrets. No USB ports, removable hard drives that are in safes and must be signed out, no internet, no burners, in short no way to move data other than your brain. Oh and no cell phones or coverage. Simple!!

Reply

2 Chad Walters
Twitter:
June 17, 2013 at 10:16 am

I think that’s a liiiiiiiittle extreme, but I do have a couple of notes to add.

One, one of my clients has software that prevents the use of any USB device not “formatted” to their systems. I tried to transfer data from one of their computers to mine for a presentation and it did not take. We instead emailed the files, but there’s at least a “paper trail” for such sharing of information.

Two, I have a grad school classmate who worked for a company that would be hired by larger firms to attempt to hack into their systems. His job was to find all potential workarounds and potential security vulnerabilities, finding ways to get to sensitive data (but not actually take it). You’d think the NSA would be using such companies to test themselves against such vulnerabilities like this. I bet they would have frowned on the use of outside USB devices like this.
Chad Walters recently posted..Pittsburgh Pirates and Poor Security Planning and DeploymentMy Profile

Reply

3 Mark Graban
Twitter:
June 17, 2013 at 10:29 am

There’s a lot of sensitivity around this in the defense industry, where my wife works (private sector). They all receive a lot of training about not using USB drives… one of the old infiltration attempts would be for somebody to drop a USB drive somewhere. A well intentioned person finds it and, of course, plugs it into a computer to try to identify the owner. Oops, you’ve infected your computer and network with a virus.

(I actually lost a USB drive about 10 years ago and a person called me to let me know they had found it, identifying me based on the files that were on the drive).
Mark Graban recently posted..Snowden-Proofing the NSAMy Profile

Reply

4 Mark Graban
Twitter:
June 17, 2013 at 1:52 pm

I found this article that says Snowden, as an IT administrator, was probably in a job where the use of USB drives would have been permitted:

Thumb Drive Security: Snowden 1, NSA 0

In general, the use of removable USB storage devices is prohibited inside the agency. “Of course, there are always exceptions” to that rule, said the official. “There are people who need to use a thumb drive and they have special permission. But when you use one, people always look at you funny.”

One job role that would require using removable storage, however, would be that of IT or systems administrator, which was Snowden’s job at the NSA, although he was a contractor employed by Booz Allen Hamilton.

The article says the security is based on “trust.”
Mark Graban recently posted..Stuff I’m Reading – June 14, 2013: Sleepy Banker, Concerned Workers, Cost Diversity, Conference DiversityMy Profile

Reply

5 Leon Shivamber
Twitter:
August 17, 2013 at 10:09 am

Mark, many failures are evident when one examines what happened here. You hit the nail on the head. It’s not just about having access, but what data one can accumulate and take out the door. This Snowden problem is relevant to all organizations, not just the NSA, and could have been avoided with a few simple fixes.
Leon Shivamber recently posted..Are you at risk of creating a Snowden problem in your organization?My Profile

Reply

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

CommentLuv badge

Previous post:

Next post: