User Account

All Pages

Public sector case study

Assignment Help Basic Computer Science
Reference no: EM132400200

Public Sector Case Study

In May 2013, Edward Snowden, a National Security Agency (NSA) contractor, met a journalist and leaked thousands of documents detailing how the U.S. conducts intelligence surveillance across the Internet. In June 2013, the U.S. Department of Justice charged Snowden with espionage. Not long afterward, Snowden left the United States and finally sought refuge in Russia. The Russian government denied any involvement in Snowden's actions but did grant him asylum.

While this story reads like a spy novel, it raises a number of information security policy questions. For this discussion is not important whether Snowden was a traitor, a spy, or a whistleblower. The issue here is the security policies and controls that allowed a part-time NSA contractor to gain unauthorized access to highly sensitive material. This is particularly important because in April 2014, the Department of Defense announced adoption of the NIST standards. Would the Snowden breach have been prevented if the NIST standards had been adopted earlier?

Given the secret nature of the NSA, the full details of how this breach of sensitive data occurred may never come out. However, reports indicate that Snowden worked part time for an American consulting company that did work for the NSA in Hawaii. There he gained access to thousands of documents that detailed how the U.S. government works with telecommunication companies and other governments to capture and analyze traffic over the Internet. The details of the scope and nature of this global surveillance program were not publicly known and considered secret.

It's clear from the reporting that Snowden had excessive access; that is to say, he was granted access beyond the requirements of his job. Additionally, reports indicated that he used other people's usernames and passwords. He obtained these IDs through social engineering. Finally, consider the way in which he accessed and captured the information. Some reports indicate he used inexpensive and widely available software to electronically crawl through the agency's networks. There are also indications that he removed the information on a USB memory stick.

FYI

Social engineering refers to the use of human interactions to gain access. Typically it means using personal relationships to trick an individual into granting access to something you should not have. For example, you might ask to borrow someone's keycard to use the restroom but instead use the keycard to access the data center. Or perhaps you might ask for someone's ID and password to fix his or her computer, and then later use those credentials to access customer information.

If he had used a Web crawler to automate the capturing of thousands of documents, Snowden would have been using software that is widely available over the Internet, and free of charge. Web crawler software simply starts browsing a Web page looking for links and then downloads related content. A Web page then links the Web crawler to another page and the process starts all over again. Thousands of Web pages are quickly scanned in a matter of minutes or hours, depending on the content. More sophisticated Web crawler software looks for specific documents to download. Snowden worked at the NSA for several months, accumulating thousands of documents and reportedly had access to 1.7 million documents in all.

There were clear NIST framework violations. For purposes of this discussion, the focus is on the network and social engineering. NIST publications outline other standards that were violated, such as effective security management and oversight.

The following four NIST framework network policies were clearly violated:

• Sharing of passwords

• Excessive access

• Penetration testing

• Monitoring

It's never a good idea to share passwords. This would be a clear violation of security policy, especially by anyone handling classified data. Additionally, the level of access must be considered a policy violation. Any security framework generally prohibits granting access not related to the individual's job function. It's clear from the volume of material involved in the Snowden affair, and its classified nature, that the access he was granted was excessive for the role he performed.

The NIST framework outlines the guidance on penetration testing. Such testing would have clearly demonstrated the weaknesses of controls that allowed a Web crawler to scan and download thousands of documents. This type of testing and assessment would provide another opportunity to correct the network control deficiencies prior to a breach.

The NIST framework outlines the requirements for effective network monitoring. These requirements require logs to be reviewed in a timely manner. Log reviews are a detective control and essential in identifying potential hackers. Keep in mind Snowden scanned the internal network for months while downloading vast amounts of data. Hackers tend to probe a network for weaknesses prior to a breach. Assume that some of those links the Web crawler attempted to access resulted in an access violation. These violations would have been an indicator of a potential breach in progress. This type of monitoring would have provided another opportunity to correct the network control deficiencies and identify Snowden as an internal hacker.

Finally, consider the lack of controls that allowed Snowden to remove so many documents on a USB memory stick. This unusual activity could have been prevented, or, at a minimum, detected, given the volume of material extracted-especially given that many organizations have in place additional controls to monitor contractor activities.

Some of the specifics of the Snowden breach may never be known. Nonetheless, a security policy framework must be a comprehensive way of looking at information risks and ensuring there are layers of controls to prevent data breaches. This case is typical of a breach occurring over many months, indicating the breakdown of multiple controls. It represents both a lack of effective security policies and lost opportunities to detect a breach over several months.

Reference no: EM132400200

Questions Cloud

How each control will support the associated policy : Clearly indicate how each policy you suggest will help mitigate similar attacks and how each control will support the associated policy
What amounts relative to income taxes the company report : What amounts relative to income taxes does the company report in its: Income statement, balance sheet and statement of cash flows
Social cause might present to your employees : Evaluate any ethical challenges this social cause might present to your employees. Analyze the key strengths, weaknesses, opportunities, and threats (SWOT).
Explain how the firm accounting information system : Explain how the firm's accounting information system (i.e., components and functions) contributed to the fraud and / or embezzlement.
Public sector case study : In May 2013, Edward Snowden, a National Security Agency (NSA) contractor, met a journalist and leaked thousands of documents detailing
What is the most popular example of round robin : Describe what is/are Round Robin Protocols? What is the most popular example of round robin?
Access the administrative-physical and technical controls : You will access the administrative, physical, and technical controls of the particular company then determine which one of these administrative,
Develop risk management framework : If Blue Wood Chocolate and Kilgore Custom Milling are to develop a risk management framework, who should lead the process at each company?
Six slides on processed product diapers : Six slides on processed product Diapers. How is it made?: include items needed for production and steps in the process

Reviews

Write a Review

Basic Computer Science Questions & Answers

  Identifies the cost of computer

identifies the cost of computer components to configure a computer system (including all peripheral devices where needed) for use in one of the following four situations:

  Input devices

Compare how the gestures data is generated and represented for interpretation in each of the following input devices. In your comparison, consider the data formats (radio waves, electrical signal, sound, etc.), device drivers, operating systems suppo..

  Cores on computer systems

Assignment : Cores on Computer Systems:  Differentiate between multiprocessor systems and many-core systems in terms of power efficiency, cost benefit analysis, instructions processing efficiency, and packaging form factors.

  Prepare an annual budget in an excel spreadsheet

Prepare working solutions in Excel that will manage the annual budget

  Write a research paper in relation to a software design

Research paper in relation to a Software Design related topic

  Describe the forest, domain, ou, and trust configuration

Describe the forest, domain, OU, and trust configuration for Bluesky. Include a chart or diagram of the current configuration. Currently Bluesky has a single domain and default OU structure.

  Construct a truth table for the boolean expression

Construct a truth table for the Boolean expressions ABC + A'B'C' ABC + AB'C' + A'B'C' A(BC' + B'C)

  Evaluate the cost of materials

Evaluate the cost of materials

  The marie simulator

Depending on how comfortable you are with using the MARIE simulator after reading

  What is the main advantage of using master pages

What is the main advantage of using master pages. Explain the purpose and advantage of using styles.

  Describe the three fundamental models of distributed systems

Explain the two approaches to packet delivery by the network layer in Distributed Systems. Describe the three fundamental models of Distributed Systems

  Distinguish between caching and buffering

Distinguish between caching and buffering The failure model defines the ways in which failure may occur in order to provide an understanding of the effects of failure. Give one type of failure with a brief description of the failure

Free Assignment Quote

Assured A++ Grade

Get guaranteed satisfaction & time on delivery in every assignment order you paid with us! We ensure premium quality solution document along with free turntin report!

Submit Assignment

Academics

Major Subjects

Majors

Get In Touch

whatsapp: +1-415-670-9521

Phone: +1-415-670-9521

Email: [email protected]

TERMS & POLICIES

HELP & SUPPORT

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd