Is the President's new task force, launched last fall, really going to deal with the insidious role of the insider threat? Paul Kenyon, Avecto COO, recommends some security industry best practices.
The inability of the US government to detect insider threats and behaviors quickly and accurately from its array of vast live databases has got to stop - it's official and it's an order from the President himself. However, as President Obama has found to his cost in other arenas, issuing an order or winning a vote in Congress is only the beginning, and this is an ambitious project being undertaken by the Defense Advanced Research Projects Agency (DARPA), which is not expected to fail.
The executive order signed by President Obama was the result of a seven-month review by his administration in which the White House sought to find a proper balance between security and the need for agencies to share classified information. This was, of course, one of the weaknesses revealed by the Sept. 11, 2001, terrorist attacks.
Under the executive order, the government will create a special committee to coordinate information-sharing and to ensure that agencies that use classified computer networks protect information.
Each agency will have a senior official oversee classified information and be responsible for safety measures.
Several departments and agencies — including the Pentagon and the Central Intelligence Agency — have already taken steps to control people's ability to place classified data on disks or removable memory devices, as well as limiting the number of users with permission to use such devices.
"Our nation's security requires classified information to be shared immediately with authorized users around the world but also requires sophisticated and vigilant means to ensure it is shared securely," says President Obama's order.
Specifically, the order mandates Attorney General Eric Holder and the US director of national intelligence, James Clapper, to establish an `Insider Threat Task Force' to find ways to deter and detect security breaches.
Against the backdrop of existing government agencies, some critics have questioned the need for yet another agency to deal with security matters, but it is worth noting that it has been almost six years since the inception of WikiLeaks, yet the government has only just begun to identify methodologies to combat insider threats within the military.
The bottom line here is that the government needs to move swiftly if it is to maintain credibility — especially in an election year.
Earlier in 2011 the White House revealed language on new legislation directing private industries to improve computer security voluntarily — and have those standards reviewed by the Department of Homeland Security.
The government, all the way from federal to state, and down to city levels, clearly has plenty of work to do on preventing insider attacks. Our view is that it is about time the White House has caught up on ideas — and technology — that many corporate clients have known about for several years.
Establishing a least-privilege environment is the first step to achieving an IT environment whereby everyone can still be productive, while at the same time remaining secure.
The White House, of course, may not be taking this route to better security for all the right reasons, as there is an argument to show that it is simply looking to avoid another WikiLeaks Cablegate by creating more agency oversight - and security - for data stored on classified networks.
It is worth noting that the executive order signed by President Obama creates a number of new inter-agency governing bodies that will work together to oversee the protection of classified information across federal agencies and departments, while at the same time balancing the needs of federal users that have permission to access it.
The order also makes federal organizations responsible for the sharing and protection of their classified information, as well as mandating that they designate a senior official to oversee these tasks.
In addition, agencies and departments must willingly provide information for independent assessments of their compliance with security policy and standards, as well as implement an insider threat detection and prevention program, which is where the Insider Threat Task Force enters the frame.
In addition to the task force, the executive order also sets up a series of committees to ensure agency compliance with the security measures and to facilitate interagency coordination — the Senior Information Sharing and Safeguarding Steering Committee will have overall responsibility for the new policies and be held accountable for department and agency compliance.
Senior officials from the Department of Defense (DOD) and the National Security Agency (NSA) will jointly act as a new Executive Agent for Safeguarding Classified Information on Computer Networks to develop technical policies and standards to protect classified information.
The plan is for this Executive Agency to also be responsible for third-party assessments of agency compliance.
It's also worth noting that, as officials were laying the groundwork for the new policies, the Insider Threat Task Force has been working informally since June of last year to clarify policies in several priority security areas.
For example, a number of departments and agencies already have standardized policies for removable media, limiting the number of users who are permitted to use such devices.
To beef up their online identity management, administrators of classified systems have also enacted measures to strengthen online identity management policies and their ability to track information being accessed by these users.
So will the executive order stop sophisticated attacks, as exemplified by complex and targeted malware such as Stuxnet and Duqu? Our belief is that this is debatable, but the use of augmented security layers — such as privilege management — can greatly assist in this regard.
Least privilege, least risk
Effective privilege management allows IT professionals to control who has access to specific applications running on the corporate IT platform, as well as the underlying data.
This means, for example, that if the admin team only run their control and security software from within the network perimeter on known PCs, then access to those applications can be locked down to specific on-network and even on-workgroup computers.
Then, even if a set of admin account credentials are compromised by hackers or other external (and unwanted) agencies, they cannot use those credentials from the Internet, they would still have to gain physical access to the terminals used by the admin staff.
This security methodology revolves around the principle of least privilege, which in turn translates into a least risk scenario, since the attack surface of the network is significantly reduced.
In view of the looming elections, there is an argument that the Department for Homeland Security should take a leaf out of the security industry's best practices by adopting this least privilege approach.
But how should the White House go down this path?
Our observations amongst clients are that the President needs to designate a senior official to be charged with overseeing the project, as well as implementing an insider threat detection and prevention program on a multi-agency basis.
In parallel with this, the government and its agencies also need to ensure that their information is properly classified, as well as start researching - if they have not already done so - the many types of DLP (data leak prevention) technology that are available to today's businesses.
Coupled with regular self-assessments of current security arrangements - as well as not being afraid to bring in external advisers - this cannot help but engender a positive approach to data security in all its various shapes and forms.
The final step that needs to be taken is to implement a policy of least privilege — a process that is easier to implement than many professionals think.
Researchers found that, when analyzing published Windows 7 vulnerabilities through March 2010, 57 per cent were no longer applicable after removing administrator rights.
In comparison, Windows 2000 was at 53 per cent, Windows XP was at 62 per cent, Windows Server 2003 was at 55 per cent, Windows Vista was at 54 per cent, and Windows Server 2008 was at 53 per cent.
Guest Contributor Paul Kenyon is the Chief Operating Officer of Avecto, a provider of Windows Privilege Management technology.