Last night I had the pleasure of attending a panel hosted by the EC Council on insider threats. Panelists included the CISO from San Francisco, the VP of Systems from Macy’s, and most interestingly, Eric Snowden’s former boss at Booz Allen Hamilton. All three were covering various aspects of the STRIDE model. For example, the crisis that SF ran into about 8 years back, where a single employee held the city network hostage by collecting router passwords, was a combination of disclosure and elevation. It took the mayor, at the time, to defuse the situation.
The NSA suffered the same, with Snowden, in the first week of his new assignment in Hawaii, requesting passwords from colleagues and spending off hours on-site. More damaging, it is rumored but not confirmed that his credentials from his former IT role were not revoked. This, married up with his new access to higher levels of classification, created an opportunity. And it is never a single issue. His CIA HR records, if shared with the NSA, which they were not at the time, would have raised additional flags, and at the time, employees were not subject to daily exit searches, providing him with the opportunity to exit with his USB dongles.
Left to right: Steven Bay, former boss of Eric Snowden; Joe Voje, CISO, City of San Francisco; Brian Phillips, VP, Macy’s Systems and Technology
And, Macy’s was the first to admit that their procedures in place to address insider capture of PCI data were not up to snuff. They are now, and just recently the company has taken a very aggressive approach on limiting data access as part of their announced store closures, since there is an interim period where employees have been notified but are still employed.
Net-net, the last decade has been a learning experience, across both commercial and government, but with increased focus, awareness, and sharing of best practices, we’re making progress.