Government Security: Saying 'No' Doesn't Work - InformationWeek


09:06 AM
Steve Jones

Government Security: Saying 'No' Doesn't Work

It's time for government agencies to move beyond draconian security rules and adopt anomaly analytics.

Governments are cautious. They love security rules and access management and generally lean towards saying "no" to most things. Some of that is certainly required, but the Edward Snowden case and other security breaches have shown that rules aren't actually very effective when dealing with social engineering attacks.

Edward Snowden, as an IT systems administrator employed by the National Security Agency, was allowed access to classified information as part of his job. His role and credentials meant that he was able to compromise sensitive NSA data, easily circumventing its advanced security systems, software, and policies without raising any eyebrows -- until it was too late.

As a graduate student, I worked in the defense sector. As a part of our training, my team was asked to experiment with some social engineering around people's passwords to see what would be revealed. We grabbed clipboards and ventured out into our organization to time how long it took employees to enter passwords. Looking over people's shoulders, we would start the stopwatch, mark down their username, and see if we could successfully figure out their passwords as they typed.

If we couldn't figure out the password, we'd remark to these individuals that they had been particularly fast or slow with their password input and then ask them what their password was. A remarkable percentage of employees (more than 50%) gave us their passwords without ever questioning our motives.

What is the lesson here? This experiment revealed to us that social engineering remains one of the most effective ways to steal data, and that an internal threat (however small) is still a major threat vector for data loss. You can add as many access control, verification, and other secure technologies as you wish, but they will be rendered completely ineffective if someone either sets out to steal information or is successfully conned into giving up their credentials.

Within government departments, the overwhelming role of security teams appears to be the hackneyed "Just Say No" message trotted out by the anti-drug campaigns of the 80s. This has led to employees actively subverting policies in order to get their work done more quickly and efficiently. For example, a qualified employee deemed a sys-admin gains access to everything. The rules may say that only one person in the department can do the approvals, but often these qualified individuals end up allowing unauthorized employees to access their accounts to prevent themselves from becoming a bottleneck.

Your network may have all of its security software patched, virtual machines in place, and the virtual desktop infrastructure (VDI) to prevent attacks, but there are individuals both inside and outside any organization pushing new threats and new vectors. This leaves organizations reacting to these attacks after the fact. By reactively putting more restrictions in place, they slow down government work even further.

The solutions for smarter security need to be less linear as threats become more complex. Security isn't a binary concept of "horse in barn" or "horse bolted." Edward Snowden was technically accessing information within his allowed parameters, but what was unusual about his actions was that he was able to download this information. Government departments contain data that would be highly valuable for other governments, corporations, and criminals. Government security policies, however, have barely accepted the Internet and email as viable communication mechanisms -- a view that needs to shift quickly as cloud services, SaaS, and the need for more efficient government become ever more pressing drivers of change.
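
An added example, not from the original article: a static role check and a per-user behavioral baseline applied to the same access log, showing how an access the rules allow can still stand out. The role table, user names, download volumes, and the median/MAD score with a 3.5 threshold are all assumptions chosen for illustration.

```python
from statistics import median

# Constructed rule table: which resource classes each role may read.
ROLE_ALLOWED = {"sysadmin": {"classified", "internal"}, "analyst": {"internal"}}

def build_events():
    """Constructed log: (day, user, role, resource_class, documents_downloaded)."""
    events = []
    admin_daily = [12, 9, 15, 11, 10, 14]
    analyst_daily = [3, 4, 2, 5, 3, 4]
    for day, (a, b) in enumerate(zip(admin_daily, analyst_daily), start=1):
        events.append((day, "admin_a", "sysadmin", "classified", a))
        events.append((day, "analyst_b", "analyst", "internal", b))
    events.append((7, "admin_a", "sysadmin", "classified", 4200))  # in role, huge volume
    events.append((7, "analyst_b", "analyst", "classified", 1))    # out of role
    return events

def is_authorized(role, resource_class):
    """The 'say no' control: a static role check."""
    return resource_class in ROLE_ALLOWED.get(role, set())

def robust_score(value, history):
    """Modified z-score from median and MAD, robust to outliers in the history."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # avoid division by zero
    return 0.6745 * (value - med) / mad

def review(events, threshold=3.5, min_history=5):
    """Return (day, user, verdict) for every event that needs a human decision."""
    baseline, findings = {}, []
    for day, user, role, resource, docs in events:
        past = baseline.setdefault(user, [])
        if not is_authorized(role, resource):
            findings.append((day, user, "denied_by_rule"))
        elif len(past) >= min_history and robust_score(docs, past) > threshold:
            findings.append((day, user, "allowed_but_anomalous"))
        else:
            past.append(docs)  # only unflagged days extend the baseline
    return findings

if __name__ == "__main__":
    for finding in review(build_events()):
        print(finding)
```

The rule check alone catches only the analyst's out-of-role request; the administrator's day-7 download passes it and is surfaced only by the comparison with that user's own history.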

Consider this example: If someone approves an invoice that is out of his or her role because it gets the job done more quickly, what does this mean? It isn't necessarily fraudulent behavior, but it could be. An organization will first want this behavior stopped, and then will want a manager notified to be able to make a sensible decision on what should be done. Or what if

Steve Jones is Capgemini's Group Strategy Director for Big Data and Analytics. He is the author of Enterprise SOA Adoption strategies and the creator of the Business Data Lake reference architecture, the first unified approach to big and fast data analytics. He has worked ...
Gary Scott,
User Rank: Moderator
8/12/2014 | 7:45:45 PM
Effective way to steal data
The most effective way to steal data is to have access to the hardware (hard drives and backup tapes). When it comes time to retire and dispose of old PCs and servers, equipment is usually moved from a secure area to a warehouse, storage area or unused office and ends up at a recycling facility.

Securing data requires securing access to digital data.  Have your hard drives and backup tapes shredded before they leave the secure area.