Surprised about Edward Snowden's leaks of classified data to the entire world? Well, it shouldn't be a surprise to everyone. Snowden's now-famous revelations follow a set of known, predictable patterns that his managers might well have recognized, if they were looking.
My January 2013 report, Insider Theft Through IT Sabotage, describes the perfect storm of conditions that led to Snowden's acts. Saboteurs will continue to "surprise" the management of organizations that don't consider the following.
Who, what, when, where, how?
IT insiders commit 21% of cyber incidents, and systems administrators (like Snowden) are among the principal instigators of information systems sabotage. The crime is conceived and set up while the perpetrator is still employed and is put into effect after he leaves. Sabotage like Snowden's is clearly a premeditated act, not an impulsive one; this is the most frequent scenario in cases of massive or damaging leaks like this.
Insider sabotage happens when a person already possessing access privileges inflicts damage by exploiting flaws in the management of an organization. Employee turnover and employers' widespread dependency on contractors increase the vulnerability of an enterprise's operations. Once an employer grants access privileges, an expert insider can commit sabotage using practices identical to those used during the regular workday. Stopping such occurrences is difficult or infeasible, since access permissions are already covered by procedures that many insiders know how to circumvent.
Saboteurs often have the luxury of time; they may take weeks or months to find the enterprise's most vulnerable points and test their ability to conceal their acts. Saboteurs usually set up access paths for subsequent attacks in advance: hidden "backdoor" accounts and remote network administration tools allow them to disable defense systems, even from an external network access point.
Sabotage is generally initiated outside of working hours, and blocking physical access to work locations is completely ineffective. Defenses against sabotage must therefore lodge within a company's operating practices.
Preventing sabotage takes exceptional vigilance on management's part. Automated security measures are only the first step, and they can be ineffectual against a determined saboteur. The enterprise must maintain ongoing surveillance at points of high security risk. For effective defense against saboteurs, management must systematically watch and review every employee, even those who are trusted, on an ongoing basis. This is especially true of employees engaged in network management, audit oversight, and other critical positions.
Inhibiting insider breaches must start with a hiring process that focuses not only on the immediate position, but also on expectations for the future. For critical positions, it is imperative for management to conduct exhaustive interviews with prior associates. Enterprises should look out for disgruntled employees, a primary group of perpetrators of IT sabotage. Management's awareness of unusual conduct is often the first step in identifying high-risk employees. There is a correlation between deviant behaviors and insider sabotage, although most criminal events are only discovered in retrospect, unless management is exceptionally careful.
The enterprise must create fail-safe internal oversight functions. It takes more than one individual to manage critical systems; regardless of the size of the IT organization, there should be at least two systems administrators. Access path monitoring by auditors is mandatory, and defensive measures require logging of all access transactions (this includes everyone's!). These logs must identify any alterations in access privilege settings and must be kept on servers at an outside service utility for a minimum of five years. Logs should be accessible only by the audit staff and not by systems administrators.
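The two signals this section asks auditors to pull out of the access logs, changes to privilege settings and administrator activity outside working hours, can be extracted mechanically. The following is an added example, not code from the report or from any product; the log line format, the action names, and the sample lines are all constructed for illustration.

```python
"""Flag access-log events matching the insider-sabotage patterns described above:
alterations of access-privilege settings, and administrator activity outside
working hours. The line format and sample lines are hypothetical, constructed
for this example."""
from datetime import datetime, time

# Constructed sample log. Format: <ISO timestamp> <actor> <action> <target>
SAMPLE_LOG = """\
2013-05-20T09:14:02 alice login workstation-7
2013-05-20T22:47:31 bob grant_privilege svc-backup:admin
2013-05-21T10:03:15 alice read fileshare:reports
2013-05-22T02:12:08 bob create_account maint-tmp
2013-05-22T11:30:00 carol modify_privilege alice:auditor
"""

# Actions that change who can access what; every one of these must reach the audit staff.
PRIVILEGE_ACTIONS = {"grant_privilege", "modify_privilege", "revoke_privilege", "create_account"}
WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumed working hours


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, actor, action, target = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "actor": actor, "action": action, "target": target}


def outside_hours(ts):
    """True when the event falls outside the assumed working day."""
    return not (WORK_START <= ts.time() < WORK_END)


def flag_events(log_text, admins):
    """Return (timestamp, actor, action, reasons) for every line that needs audit review.
    `admins` is the set of systems-administrator accounts; their off-hours activity is flagged
    because the text notes sabotage is generally initiated outside working hours."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        reasons = []
        if ev["action"] in PRIVILEGE_ACTIONS:
            reasons.append("privilege-setting change")
        if ev["actor"] in admins and outside_hours(ev["ts"]):
            reasons.append("admin activity outside working hours")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["actor"], ev["action"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in flag_events(SAMPLE_LOG, admins={"bob"}):
        print(*finding, sep=" | ")
```

Because the report wants these logs readable only by audit staff, a check like this belongs on the audit side, reading the off-site copy, not on the systems the administrators themselves control.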
In addition to these measures, the enterprise must use an independent intelligence organization to conduct verifications of security privileges and gather information for analysis of potential security threats. In almost all sabotage cases, the evaluation of human factors in the workplace should take precedence over investments in technical countermeasures.
Sabotage follows patterns that can be traced if an employer is set up to recognize them. In Snowden's case, it wasn't.