Archive for June, 2017

Watchdog: NSA needs to boost insider-threat protocols – FCW.com

The National Security Agency is still not fully implementing all necessary security protocols to minimize the potential of another Edward Snowden-like data breach, according to a newly declassified 2016 Pentagon watchdog report.

In the wake of the Snowden breach, the NSA outlined 40 privileged-access Secure-the-Net initiatives designed to guard against insider threats by tightening controls over data and monitoring of user access.

The Defense Department's Office of the Inspector General audited seven of the STN protocols and found that the NSA implemented or partially implemented four of the audit sample. Those related to developing a new system administration model, assessing the number of systems administrators, implementing two-stage authentication controls and deploying two-person access controls.

According to the heavily redacted report, the NSA culled the number of systems administrators and implemented a tiered system to take away privileged access from those who do not require it.

The report states the NSA only partially implemented two-stage authentication and two-person access controls and did not consistently secure server racks and other sensitive equipment in data centers and machine rooms.

The three audit initiatives where the NSA missed the mark were in reducing the number of privileged users and data transfer agents as well as fully implementing technology to oversee privileged-user activities.

"NSA did not effectively implement the three initiatives because it did not develop an STN strategy that detailed a structured framework and methodology to implement the initiatives and measure completeness," states the audit. "As a result, NSA's actions to implement STN did not fully meet the intent of decreasing the risk of insider threats to NSA operations and the ability of insiders to exfiltrate data."

The report states that prior to 2013, the NSA did not know how many privileged users and data transfer agents it had, and that throughout 2014 the number of DTAs actually increased.

The report acknowledges that it is not possible to protect against all insider threats, but stresses that NSA must at least implement all of its own stated protocols.

"Although the NSA worked in a fluid situation, NSA should have developed a strategy that detailed a structured framework and methodology for implementing STN to ensure its actions were effective in mitigating vulnerabilities exploited during the security breach," the report states.

The NSA's woes did not end with the Snowden breach. In August 2016, a cryptic group or individual going by the name TheShadowBrokers announced it had acquired a trove of NSA hacking tools and has since been leaking some of the data in an attempt to seduce buyers to pay for the remaining stash.

It is still not clear whether the so-called ShadowBrokers obtained the data through an insider.

The DOD OIG report made three recommendations -- all of which were fully redacted -- and according to the document, the NSA agreed with the recommendations.

The NSA responded to questions about the audit from FCW with an email statement.

"The National Security Agency operates in one of the most complicated IT environments in the world," the NSA stated. "Over the past several years, we have continued to build on internal security improvements while carrying out the mission to defend the nation and our allies around the clock."

According to the statement, the NSA has undertaken a comprehensive and layered set of enterprise defensive measures to further safeguard operations and advance best practices across the Intelligence Community.

"NSA has never stopped seeking and implementing ways to strengthen both security policies and internal controls," the statement concluded.

About the Author

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.


Oversight Report Shows NSA Failed To Secure Its Systems Following The Snowden Leaks – Techdirt

It appears the NSA hasn't learned much since Ed Snowden left with several thousands of its super-secret documents. Agency officials were quick to claim the leaks would cause untold amounts of damage, but behind the scenes, not much was being done to make sure it didn't happen again.

A Defense Department Inspector General's report obtained via FOIA lawsuit by the New York Times shows the NSA fell short of several security goals in the post-Snowden cleanup. For an agency that was so concerned about being irreparably breached, the NSA still seems primed for more leakage. Charlie Savage reports:

The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms, according to the report, an investigation by the Defense Department's inspector general completed in 2016. The report was classified at the time and made public in redacted form this week in response to a Freedom of Information Act lawsuit by The New York Times.

The agency also failed to meaningfully reduce the number of officials and contractors who were empowered to download and transfer data classified as top secret, as well as the number of privileged users, who have greater power to access the N.S.A.'s most sensitive computer systems. And it did not fully implement software to monitor what those users were doing.

Let's not forget the NSA wants to be engaged in ensuring the cybersecurity of the nation. It's repeatedly asked for more power and a better seat in the CyberWar room. But it doesn't even take its OWN security seriously. The NSA told its oversight it was engaging in 40 "Secure the Net" initiatives, directly after the first Snowden leak. Two years later, it told Congress it had completed 34 of 40 STN initiatives. The term "completion" apparently has multiple definitions, depending on who's using the word. The IG sampled only seven of the initiatives and found four were mostly done and three were nowhere near completed. Extrapolating from the sampling, it's safe to assume the NSA's internal security efforts are only slightly more than half-baked.

The three the NSA failed to implement are of crucial importance, especially if it's looking to keep its in-house documents safe at home. From the report [PDF]:

NSA officials did not effectively implement three PRIVAC [Privileged Access]-related STN initiatives:

- fully implement technology to oversee privileged user activities;

- effectively reduce the number of privileged users; and

- effectively reduce the number of authorized DTAs [Data Transfer Agents].

First off, the NSA -- prior to the Snowden leaks -- had no idea how many users had privileged access. Post-Snowden, things hardly improved. Considering the tech capabilities of the agency, it's incredibly amusing to see how the NSA "tracked" privileged users.

NSA officials stated they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users.

Pretty much useless, considering this number the NSA couldn't verify (thanks to its missing spreadsheet) was supposed to be used to establish a baseline for the planned reduction in privileged users. Despite missing this key data, the NSA moved ahead, "arbitrarily revoking access" and asking users to reapply for privileged status. It then reported a reduction by citing the number of users it denied restoration of access privileges. It did not factor in any new users it granted privileged access to or tally up the number of accounts it never bothered to revoke.

As the fully-redacted chart presumably points out (according to the text above it), the NSA had a "continued and consistent increase in the number of privileged users once the [redacted] enrollment process began."

The NSA also claimed it had reduced the number of DTAs. And again, the NSA had no receipts.

Although repeatedly requested, NSA officials could not provide supporting documentation for the total number of DTAs before and after the purge or the actual number of users purged.

The NSA's objectively-terrible internal controls (again) ensured no number could be verified.

NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach.

The NSA handled these missing numbers the same way it had privileged users: it made up a new baseline, arbitrarily decided it could show a downtrend in DTAs, and delivered this as "proof" of another completed security initiative.

The report points out repeatedly the NSA's failure to provide documentation backing its STN claims -- either from before the initiatives took force or after they supposedly had been completed. The IG's comments note the NSA's response to the report ignored its detailed description of multiple failures in order to spin this as a "win" for the agency.

Although the Director, Technology Directorate NSA/CSS Chief Information Officer, agreed, he did not address all the specifics of the recommendation. Therefore, we request that the director provide additional comments on the final report that identify specific actions NSA will take.

Here's how the NSA portrayed the report's findings:

While the Media Leak events that led to Secure the Net (STN) were both unforeseen and serious, we consider the extensive progress we made in a short time to be a "good news" story.

Sure, if you consider a half-done job securing NSA assets to be "good news," rather than just an ongoing series of security holes left halfway unplugged while agency officials testify before Congressional oversight in front of a "MISSION ACCOMPLISHED" banner backdrop.


ICMYI: Former NSA Contractor Sues James Comey, Alleges Cover Up Of Spy Activities On Over 20 Million Americans – Townhall

Circa News has been covering the alleged abuses of the intelligence community against Americans. They noted how the unmasking protocol for intercepts collected by the National Security Agency, changed under the Obama administration supposedly to better catch terrorists prepping for lone-wolf attacks, could open Americans up to political espionage. Then, they wrote about how the FBI may have illegally shared spy data on Americans with unauthorized parties who did not have clearance to view such information. The Foreign Intelligence Surveillance Court (FISA) wrote a ten-page ruling listing hundreds of privacy violations committed by the FBI when gathering information during the tenure of then-FBI Director James Comey. Now, a former NSA contractor has filed a lawsuit against James Comey, alleging a cover-up of the illegal methods that are being used to monitor Americans and violate their constitutional privacy rights. Once again, John Solomon and Sara Carter were on the case.

The contractor Dennis Montgomery reportedly took multiple hard drives containing 600 million classified documents to prove how the intelligence community is violating Americans' privacy. He was granted immunity, but the FBI never followed through. The FBI has documentation of them taking possession of the hard drives. Montgomery alleges that over 20 million Americans' identities were illegally unmasked:

A former U.S. intelligence contractor tells Circa he walked away with more than 600 million classified documents on 47 hard drives from the National Security Agency and the CIA, a haul potentially larger than Edward Snowden's now infamous breach.

And now he is suing former FBI Director James Comey and other government figures, alleging the bureau has covered up evidence he provided them showing widespread spying on Americans that violated civil liberties.

The suit, filed late Monday night [June 12] by Dennis Montgomery, was assigned to the same federal judge who has already ruled that some of the NSA's collection of data on Americans violates the U.S. Constitution's Fourth Amendment, setting up an intriguing legal proceeding in the nation's capital this summer.

Montgomery says the evidence he gave to the FBI chronicles the warrantless collection of phone, financial and personal data and the unmasking of identities in spy data about millions of Americans. "This domestic surveillance was all being done on computers supplied by the FBI," Montgomery told Circa in an interview. "So these supercomputers, which are FBI computers, the CIA is using them to do domestic surveillance."

[...]

Montgomery alleges that more than 20 million American identities were illegally unmasked - credit reports, emails, phone conversations and Internet traffic, were some of the items the NSA and CIA collected.

He said he returned the hard drives to the FBI, a fact confirmed in government documents reviewed by Circa.

As Congress wallows in Russian collusion hysteria, maybe they should also put these under the microscope since a) it's more grounded in reality; and b) there appears to be an actual paper trail.


NSA Scholarship Foundation names 2017 recipients – Accounting Today

The National Society of Accountants and their Scholarship Foundation announced this week that 30 students have been awarded this year's annual scholarships, receiving $37,950 in all.

This year's scholarships ranged from $500 - $3,000. Undergrad and graduate students were chosen based on their notable academics, leadership, activities on and off campus, career goals, and individual financial need.

"These students are the best and brightest candidates working to earn accounting degrees," stated NSA Scholarship Foundation president Sharon Cook. "We are pleased to support them and look forward to having them join the accounting profession."

The NSA's Scholarship Foundation has now provided over $1 million to students pursuing an accounting career since its inception in 1969.

Below are the 2017 scholarship winners, listed alongside their current universities, NSA Affiliated Organization or scholarship, and scholarship value:

For more information on the NSA's Scholarship Foundation, head to the organization's site here.

Sean McCabe is a senior editor with Accounting Today.


Columbus State hosts NSA-sponsored cybersecurity camp – Columbus Ledger-Enquirer

Columbus State University kicked off a free weeklong cybersecurity summer camp Monday, with the help of a $28,000 grant from the National Security Administration. Professors Jianhua Yang and Sumanth Yenduri, both of the university's TSYS School of ...
