How has whistleblower Edward Snowden’s exposés affected the ways organisations deal with internal and external security threats?
Edward Snowden’s revelations about mass internet surveillance conducted by the US National Security Agency (NSA) and the UK’s GCHQ has caused consternation around the world, particularly in Europe.
While the revelations have generated much debate and given security suppliers a golden opportunity to say how they could have stopped the CIA contractor in his tracks, one question remains for security professionals.
Regardless of motives and objectives, how should Snowden’s revelations influence businesses’ information security strategies?
While it is difficult to get a clear-cut, unqualified answer to this, most information security professionals feel Snowden did not really uncover anything new, and some are unequivocal in their response. "Organisations should not build their strategy around stopping the NSA or GCHQ monitoring: this is a very negative, reactive and ultimately pointless exercise," says Adrian Davis, principal research analyst at the Information Security Forum (ISF).
Read more responses to Edward Snowden's state surveillance revelations
"At the ISF, we state that an organisation’s information security strategy should support the business strategy and allow the organisation to conduct and grow its business in a secure and robust manner, by protecting the organisation’s assets – including information – against a range of threats."
Encryption, identity and access
An important part of the strategy, he says, should be to create and implement processes to manage contractors; control access rights and stop accrual of such rights by employees and contractors; and to monitor and review critical system activity on a regular basis.
“These were some of the flaws that allowed the leaks to occur,” says Davis.
But, like many others in the security industry, he feels the revelations that certain technologies, especially encryption, have back doors should come as no surprise. "The key here is to determine whether the back doors pose an exploitable vulnerability – and if the organisation has deployed or can deploy measures to mitigate the vulnerability," says Davis."This brings us to risk assessment, which should inform the choice about what software to use, decide whether to use open source software, or choose another control to apply."
In the wake of the Snowden revelations, the open source community has suggested that having software open to the scrutiny of all will eliminate back doors for spy agencies. "This seems counterintuitive," says Robert Newby, analyst and managing partner at KuppingerCole UK. "But, simply put, if everyone can see it, it tends to keep people honest – and is that not what Snowden was trying to do in the first place?"
The shortcomings of open source software
But others warn open source may not be a panacea. "In looking to increasing their use of open source software – believing such software will be free of any back doors and thus more ‘trustable’ – organisations need to recognise they will need to increase their in-house open source skill sets to use and support these products effectively," says Peter Wenham, a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management. "The two flags that I raise with respect to open source is that the code itself must be sourced from a known, reputable source and that code integrity checks must be performed before use; and the fact that, in the early days of open source encryption, there were security agency variants – from different countries – of the main code and these were generally undetectable from the real code, fully functional and interoperable but a lot easier to break."
Adrian Davis adds: "These products may not be mature or robust enough for enterprise use, and their development might exclude flaws in implementing complex algorithms."
Risk management and policy
According to IT certification and security consultancy (ISC)2, it all comes down to following best practice. “Fundamentally, businesses should be deploying the best possible security measures as a matter of routine,” says John Colley, European managing director of (ISC)2.
"Take encryption, for instance. While companies should be encrypting their data, there are indications the NSA has circumvented encryption to access data secured by either secure socket layer (SSL) or virtual private network (VPN). But this is no reason not to encrypt data."
Colley says the impact of the Snowden revelations on businesses’ information security strategies will depend on what organisations believe to be their commercial sensitivities and risks relating to intellectual property; what level of security investments they want to make; and for what return. He says that, in line with best practice guidelines, companies need to determine their appetite for risk and the corresponding level of investment.
"Perhaps the simplest analogy is securing a building. One can do the minimum, by ensuring all entry points are locked; go a step further to install better quality locks, shatter-proof glass windows and an alarm system; or make major structural changes to secure the building. At some point, the return on investment will diminish, making the additional investment irrational," says Colley.
While emphasising the importance of best practice, he recognises that secure software has a
major role to play in information security. But again, best practice also has a role. "Due
diligence on the part of information security professionals, when procuring products, is one way of
ensuring security suppliers deliver effective solutions," he says.
"As experts in the field, they are well within their rights to question and even identify the areas suppliers should focus on, to cover all the bases of security. There are many aspects to security and no one measure or approach can ensure it."
Snowden’s disclosures bring business benefits
While it remains unclear whether Snowden’s exposés will exert any real influence on future information security strategies, his actions have already had a positive effect for some information security professionals.
First, the media coverage of Snowden’s leaks has raised awareness and presented a platform for discussion. "It has provided an opportunity for information security professionals to engage with their organisations about the implications of data leaks and how to do proper risk assessments," says Rob Stroud, who is set to take over the role of international president of IT professional association Isaca in June this year.
Second, many companies have been prompted to take a long, hard look at both their purchasing and operational policies, and undertake changes as they see fit, says Peter Wenham.
And third, Snowden’s actions have highlighted the common business vulnerability of insider threat: "Challenges around control of users, auditing, behaviour tracking, data egress and administration privileges are real problems for businesses," says Piers Wilson, director of the Institute of Information Security Professionals (IISP).
Balancing internal and external threats
"Even the most secure and savvy business is exposed to these types of threat – as the NSA has shown – underlining the need to think carefully about data storage locations, interfaces with trading partners, flows (especially international ones) and even the ownership and structure of corporations."
This is underlined by findings from the Ponemon Institute that show 78% of organisations have experienced a data breach due to negligent or malicious employees, says Mike Gillespie, director of cyber research and security at the Security Institute.
He says addressing the insider threat will be far more fruitful than worrying about back-door access by intelligence agencies, in planning future information security strategies. "Many software producers such as Cisco have already stated that security agencies can penetrate their commercial software, so any attempt to keep them out would be an exercise in futility," says Gillespie.
Businesses that genuinely feel they are under threat by outside government agencies need high-end security, not general commercially available software, he says. But, in budget-tightened times, businesses will get a much better result by spending a fraction of the cost of high-end systems on some decent security training for staff, he concludes
This was first published in February 2014