Mediaboss Marketing

After reading through the 61 pages of redacted content of the August 2016 DOD Inspector Generals report on the National Security Agencys (NSA) implementation of the Secure-the-Net initiative, acquired by The New York Times via a Freedom of Information Act (FOIA) request, the only image one can conjure up is that of the Katzenjammer Kids running amok.

The NSA data protection (or lack thereof) was thrust into the spotlight when Edward Snowden, then a contractor in Hawaii, purloined 1.5m documents. How Snowden carried out his massive data collection is interesting, as he used his natural access and then conned his colleagues into giving up their internal access credentials in his role as the system admin. In the months that followed there were no shortage of opinions on how the NSA could or should tighten up its ship.

The Secure-the-Net (STN) initiative was launched post-Snowden, which included 40 specific recommendations focused on insider threats to NSA systems, data, and infrastructure. Seven of those recommendations were designed to secure network access, protect against insider threats and provide increased oversight of the personnel with privileged access.

The seven STN initiatives were:

The Department of Defense (DOD) report reviewed the NSAs progress on tightening up its ship with respect to the seven STN recommendations. The audit was conducted at four facilities between January and July of 2016.

The DOD report takes the NSA to the woodshed. Not because the NSA didnt attempt to implement, but rather, because they did a half-ass job in the implementation.

The reports scorching verbiage surrounds this partial implementation of the recommendations: for example, the

NSA did not effectively implement the three privileged access related STN initiatives because it did not develop an STN strategy that detailed a structured framework and methodology to implement the initiatives and measure completeness.

For example, with respect to two-factor authentication (2FA), the NSA implemented it for system admins, but not for those with privileged access. It is well documented how Snowden bypassed the then presentprivileged access controls and conned his colleagues into giving him their credentials which he then went on to use to expand his access.

A 2FA requirement would have required the owner of the credentials to have been participatory in Snowdens use of their credentials. NSA implementation as described in the report shows how they opted to leave open the very window that Snowden climbed through to harvest the data he stole.

Furthermore, the report goes on to chastise the NSA for not having a clue about how many individuals had privileged access in 2014, nor in 2016, and nor could the NSA document how the purge/pruning had been carried out. That meant the inspection team couldnt find out exactly how many people had privileged access.

While focus has largely been on the trusted insider gone bad, Edward Snowden, the Shadow Brokers acquisition of NSAs Office of Tailored Access Operations (TAO)collection tools compromise clearly indicates a need by the NSA to continue to place their focus on locking down their own house.

How the TAO compromise occurred remains a mystery. It could have been an insider (contractor or staff) or it might have been a result of the contractor alleged to have built the exposed tools, the Equation Group, having themselves been hacked. Coincidentally, the inspector general report was published the week after the Shadow Brokers offered the TAO tools for auction. An active August 2016 indeed.

But what of the NSA contractor Harold Martin, another NSA insider?Martin, who worked for Booz Allen Hamilton, he was found to have hoarded up to 50 terabytes of NSA information. The indictment on Martin was sealed until October 2016, but he was arrested on 27 August 2016, yes two days prior to the arrival of the inspectors general report. August 2016 was truly a busy month in the world of espionage and counterespionage.

Is it hard to catch an insider?Yes, it is. If the individual does not exceed their natural access, process and procedures, they will be difficult to detect, and while it is safe to say that 100% is not achievable, there are steps which can be taken to secure the environment to bring the risk as close to zero as possible. This was the intent of the STN.

Has there been any good to come out of the STN? Absolutely, the National Industrial Security Program of the United States, marshaled by the Defense Security Service, has brought into play their mandatory insider threat program at all cleared facilities and contractors. These programs became mandatory on June 1 2017.

One might recall the recent arrest of NSA contractor, Reality Winner, also a contractor from Booz Allen Hamilton, who took a highly classified document assessing and discussing the Russian military intelligence entitys (the GRU) hand in meddling in the US election. Winner, using her privileged access, printed out the report, and then mailed it to a media outlet. Once the NSA saw the document, they quickly determined who had had access, who had printed the document and then who had had contact with a media outlet.

What they apparently werent able to do was to determine how and why Winner had privileged access to information to information about which she had no need to know.

One could argue this rapid-fire capability used to identify Winner would not have been present without the STN initiatives. On the other hand, one might surmise the privileged access portion of NSAs STN program continues to need tweaking.

Link:
NSA failed to implement security measures, says damning report - Naked Security

A declassified report from the Defense Department Inspector General has been released, according to the New York Times.

The 60-page report commissioned by Congress assesses 7 of the 40 components that the National Security Agency outlined for their Secure the Net initiative. This initiative was put forth to help improve the security of sensitive systems after the Snowden disclosures in 2013.

The NSA, according to the inspector generals report, had some successes, but the overall initiative did not fully meet the intent of decreasing the risk of insider threats to NSA operations and the ability of insiders to exfiltrate data.

According to the Times, the report details how their efforts fell short, including the failure to reduce the number of privileged users who can access sensitive computer systems; their failure to consistently keep data center machine rooms secure, as well as failing to lock the server racks containing highly classified data; and the failure to fully implement software that would monitor users.

The report also noted the agencys failure to declare an exact number of people with abilities to transfer data. The lists containing this information were kept on spreadsheets that were corrupted and are no longer available.

The inspector generals report noted that NSA CIO Gregory Smithberger told the inspector general that the elimination of all insider risks and threats is not feasible. He told the Times, While the media leak events that led to Secure the Net (STN) were both unforeseen and serious, we consider the extensive progress we made in a short time to be a good news story.

The importance of securing classified information, as the report warns, was underscored the same month the inspector generals report was produced, according to the Times. In August 2016, a group called the Shadow Brokers obtained and auctioned off classified hacking tools allegedly from the NSA some of which were dumped online. Those tools were later seen as part of the global WannaCry ransomware attack.

We welcome the observations and opportunities for improvement offered by the U.S. Defense Departments Inspector General, Vanee Vines, spokesperson for the NSA told the Times. NSA has never stopped seeking and implementing ways to strengthen both security policies and internal controls.

Read this article:
Secure the Net initiative found to be an overall failure for NSA - Federal Times

VR Systems provides voter registration software and hardware to elections offices in eight states. Courtesy of VR Systems hide caption

VR Systems provides voter registration software and hardware to elections offices in eight states.

The Florida elections vendor that was targeted in Russian cyberattacks last year has denied a recent report based on a leaked National Security Agency document that the company's computer system was compromised.

The hackers tried to break into employee email accounts last August but were unsuccessful, said Ben Martin, the chief operating officer of VR Systems, in an interview with NPR. Martin said the hackers appeared to be trying to steal employee credentials in order to launch a spear-phishing campaign aimed at the company's customers.

VR Systems, based in Tallahassee, Fla., provides voter registration software and hardware to elections offices in eight states.

"Some emails came into our email account that we did not open. Even though NSA says it's likely that we opened them, we did not," Martin says. "We know for a fact they were never opened. They did not get into our domain."

VR Systems COO Ben Martin told NPR that no elections vendor would send customers software updates once voting had begun, which it had in this case. Dina Ivory/Courtesy of VR Systems hide caption

Instead, Martin said, the company isolated the suspicious emails and alerted law enforcement authorities, who it was already working with because of two attempts to break into state voter registration databases earlier last summer.

The NSA document said that at least one of the company's email accounts was "likely" compromised based on information uncovered later in the spear-phishing campaign. That attack took place days before the November election and involved fake emails sent to as many as 122 local election officials in an apparent effort to trick them into opening attachments containing malicious software.

"They tried to pretend to be us to leverage our relationship with our customers," said Martin.

But Martin noted that while the NSA says the emails were made to look as if they came from VR Systems, they were sent from a phony email address vr.elections@gmail.com. He said his company does not use Gmail and never sends its customers documents in the form of email attachments. He added that no elections vendor would send customers software updates once voting had begun, which in this case it had.

"That's why I believe most of our customers knew immediately that this was bogus," said Martin. The company was alerted to the fake emails by one of its customers, and Martin said it immediately warned its other customers. So far, there is no evidence that any of the recipients opened the attachments or had their systems infected with the malicious software.

Still, cybersecurity experts say the attempted attacks are a clear sign of Russian interest in interfering with U.S. elections either by manipulating votes or causing chaos at the polls. Some have warned that vendors might be exploited to gain access to local or state voting systems.

In this case, the NSA report concluded that the purpose of the malicious software was "to establish persistent access or survey the victim for items of interest to the threat actors." While last year's attacks appeared to only involve voter registration systems, some experts say such systems can be used as a gateway to actual voting machines.

The Senate and House intelligence committees will explore Russia's efforts to interfere in U.S. elections last year and how to prevent future attacks at two hearings on Wednesday. Former Secretary of Homeland Security Jeh Johnson will appear before the House committee. The Senate panel will hear from current U.S. intelligence officials and state election experts.

View post:
Despite NSA Claim, Elections Vendor Denies System Was Compromised In Hack Attempt - NPR

When Edward Snowden walked out of the NSA in 2013 with thumb drives full of its most secret files, the agency didn't have a reliable list of peoplelike Snowdenwho had privileged access to its networks. Nor did it have a reliable list of those who were authorized to use removable media to transfer data to or from an NSA system.

That's one of the alarming revelations in a Department of Defense Inspector General report from last year. The report, which was ordered by Congress, reviewed whether the NSA had completed some of the most important initiatives it has started in response to the Snowden leak to make its data more secure. The New York Times obtained the DOD IG report via FOIA.

The most shocking detail in the report is that even at the new National Security Agency data center in Utah, "NSA did not consistently secure server racks and other sensitive equipment" in data centers and machine rooms. At the Utah Data Center and two other facilities, the report stated, "we observed unlocked server racks and sensitive equipment." The finding that the NSA wasn't locking down all its server racks was first disclosed and reported in a House Intelligence Committee Report on Edward Snowden's leaks released in December.

But the more fundamental problem revealed in the report is that the NSA has done little to limit the number of people who have access to what are supposed to be the most protected hardware the NSA has.

The IG report examined seven of the most important out of 40 "Secure the Net" initiatives rolled out since Snowden began leaking classified information. Two of the initiatives aspired to reduce the number of people who had the kind of access Snowden did: those who have privileged access to maintain, configure, and operate the NSA's computer systems (what the report calls PRIVACs), and those who are authorized to use removable media to transfer data to or from an NSA system (what the report calls DTAs).

The government's apparent lack of curiosity is fairly alarming

But when DOD's inspectors went to assess whether NSA had succeeded in doing this, they found something disturbing. In both cases, the NSA did not have solid documentation about how many such users existed at the time of the Snowden leak. With respect to PRIVACs, in June 2013 (the start of the Snowden leak), "NSA officials stated that they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users." The report offered no explanation for how NSA came to no longer have that spreadsheet just as an investigation into the biggest breach thus far at NSA started. With respect to DTAs, "NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach."

There seem to be two possible explanations for the fact that the NSA couldn't track who had the same kind of access that Snowden exploited to steal so many documents. Either the dog ate their homework: Someone at NSA made the documents unavailable (or they never really existed). Or someone fed the dog their homework: Some adversary made these lists unusable. The former would suggest the NSA had something to hide as it prepared to explain why Snowden had been able to walk away with NSA's crown jewels. The latter would suggest that someone deliberately obscured who else in the building might walk away with the crown jewels. Obscuring that list would be of particular value if you were a foreign adversary planning on walking away with a bunch of files, such as the set of hacking tools the Shadow Brokers have since released, which are believed to have originated at NSA.

NSA headquarters in Maryland. Image: MJB/Flickr

The government's apparent lack of curiosityat least in this reportabout which of these was the case is fairly alarming, because it is a critically important question in assessing why NSA continues to have serious data breaches. For example, it would be important to know if Hal Martin, the Booz Allen Hamilton contractor accused of stealing terabytes of NSA data in both hard copy and digital form, showed up on these lists or if he simply downloaded data for decades without authorization to do so.

Even given the real concern that Russia or someone else might have reason to want to make the names of PRIVACs and DTAs inaccessible at precisely the time the NSA reviewed the Snowden breach, the NSA's subsequent action does provide support for the likelihood the agency itself was hiding how widespread PRIVAC and DTA access was. For both categories, DOD's Inspector General found NSA did not succeed in limiting the number of people who might, in the future, walk away with classified documents and software.

With PRIVACs, the NSA simply "arbitrarily" removed privileged access from some number of users, then had them reapply for privileged access over the next 3 months. The NSA couldn't provide DOD's IG with "the number of privileged users before and after the purge or the actual number of users purged." After that partial purge, though, NSA had "a continued and consistent increase in the number of privileged users."

As with PRIVACs, the NSA "could not provide supporting documentation for the total number of DTAs before and after the purge" and so was working from an "unsubstantiated" estimate. After the Snowden leak, the NSA purged all DTAs and made them reapply, which they did in 2014. The NSA pointed to the new number of DTAs and declared it a reduction from its original "unsupported" estimate. When asked how it justified its claim that it had reduced the number of people who could use thumb drives with NSA's networks when it didn't know how many such people it had to begin with, the NSA explained, "although the initiat[iv]e focused on reducing the number of DTA, the actions taken by NSA were not designed to reduce the number of DTAs; rather they were taken to overhaul the DTA process to identify and vet all DTAs." The IG Report notes that the NSA "continued to consistently increase the number of DTAs throughout the next 12 months."

When, in 2008, someone introduced a worm into DOD's networks via a thumb drive, it decreed that it would no longer use removable media. Then, after Chelsea Manning exfiltrated a bunch of documents on a Lady Gaga CD, the government again renewed its commitment to limiting the use of removable media. This report reveals that only in the wake of the Snowden leaks did the NSA get around to developing a vetted list of those who could use thumb drives in NSA's networks. Yet as recently as last year, Reality Winner (who, as an Air Force translator, was presumably not a privileged access user at all) stuck some kind of removable media into a Top Secret computer, yet the government claims not to know what she downloaded or whether she downloaded anything at all (it's unclear whether that Air Force computer came within NSA's review).

When contacted with specific questions about its inability to track privileged users, the NSA pointed to its official statement on the DOD IG Report. "The National Security Agency operates in one of the most complicated IT environments in the world. Over the past several years, we have continued to build on internal security improvements while carrying out the mission to defend the nation and our allies around the clock." The Office of Director of National Intelligence did not immediately respond with comment to my questions.

Yet this issue pertains not just to the recent spate of enormous data breaches, which led last month to the worldwide WannaCry ransomware attack using NSA's stolen tools. It also pertains to the privacy of whatever data on Americans the NSA might have in its repositories. If, three years after Snowden, the NSA still hasn't succeeded in limiting the number of people with the technical capability to do what he did, how can NSA ensure it keeps Americans' data safe?

Read the original here:
The NSA Has Done Little to Prevent the Next Edward Snowden ... - Motherboard

Oversight

The National Security Agency is still not fully implementing all necessary security protocols to minimize the potential of another Edward Snowden-like data breach, according to a newly declassified 2016 Pentagon watchdog report.

In the wake of the Snowden breach, the NSA outlined 40 privileged-access Secure-the-Net initiatives designed to guard against insider threats by tightening controls over data and monitoring of user access.

The Defense Department's Office of the Inspector General audited seven of the STN protocols and found that the NSA implemented or partially implemented four of the audit sample. Those related to developing a new system administration model, assessing the number of systems administrators, implementing two-stage authentication controls and deploying two-person access controls.

According to the heavily redacted report, the NSA culled the number of systems administrators and implemented a tiered system to take away privileged access from those who do not require it.

The report states the NSA only partially implemented two-stage authentication and two-person access controls and did not consistently secure server racks and other sensitive equipment in data centers and machine rooms.

The three audit initiatives where the NSA missed the mark were in reducing the number of privileged users and data transfer agents as well as fully implementing technology to oversee privileged-user activities.

NSA did not effectively implement the three initiatives because it did not develop an STN strategy that detailed a structured framework and methodology to implement the initiatives and measure completeness, states the audit. As a result, NSAs actions to implement STN did not fully meet the intent of decreasing the risk of insider threats to NSA operations and the ability of insiders to exfiltrate data.

The report states that prior to 2013, the NSA did not know how many privileged users and data transfer agents it had, and that throughout 2014 the number of DTAs actually increased.

The report acknowledges that it is not possible to protect against all insider threats, but stresses that NSA must at least implement all of its own stated protocols.

Although the NSA worked in a fluid situation, NSA should have developed a strategy that detailed a structured framework and methodology for implementing STN to ensure its actions were effective in mitigated vulnerabilities exploited during the security breach, the report states.

The NSAs woes did not end with the Snowden breach. In August 2016, a cryptic group or individual going by the name TheShadowBrokers announced it had acquired a trove of NSA hacking tools and has since been leaking some of the data in an attempt to seduce buyers to pay for the remaining stash.

It is still not clear whether the so-called ShadowBrokers obtained the data through an insider.

The DOD OIG report made three recommendations -- all of which were fully redacted -- and according to the document, the NSA agreed with the recommendations.

The NSA responded to questions about the audit from FCW with an email statement.

The National Security Agency operates in one of the most complicated IT environments in the world, the NSA stated. Over the past several years, we have continued to build on internal security improvements while carrying out the mission to defend the nation and our allies around the clock.

According to the statement, the NSA has undertaken a comprehensive and layered set of enterprise defensive measures to further safeguard operations and advance best practices across the Intelligence Community.

NSA has never stopped seeking and implementing ways to strengthen both security policies and internal controls, the statement concluded.

About the Author

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.

Originally posted here:
Watchdog: NSA needs to boost insider-threat protocols - FCW.com