What can I learn from the recent NSA breach to better protect my organization?

You have probably heard by now that NSA Contractor Reality Leigh Winner used her access to leak classified information to The Intercept. The news media is covering the political angles here but there’s an excellent story on Operational and Information Security (OPSec and InfoSec respectively) that’s being largely ignored and some valuable lessons to learn when it comes to protecting sensitive material.

What happened?
A former Air Force linguist named Reality Leigh Winner had a contract position with the NSA working at Fort Gordon, GA. She used this position to access and remove a classified intelligence report from the facility and leak it to The Intercept. She was quickly identified and arrested.

OpSec fails on Reality Winner’s part.
There are several here but, to avoid aiding and abetting future traitors, we’ll just gloss over three obvious ones that made identifying her quick and easy. First, she used her [work] account on her [work] computer to print the document that she would later forward to The Interceptor. Second, she printed the document on her work printer. Third, she had communicated with The Interceptor via email from her work computer prior to the leak.

OpSec wins on the U.S. Government’s side (here’s where you *really* want to pay attention).

There’s a lot here that the government did right that we would do well to mimic in the private sector.

  • They knew what they had. The printer that was used to print the document was inventoried so, with the watermark added by the device, it was easy to determine a) that it was a local asset and b) where it was.
  • They knew the capabilites of their equipment. Tprinter that was used to print the document added a watermark to printed documents that included information including the devices serial and a date / timestamp.
  • They had logs showing who was logged on when and who used the printer. This is arguably the critical piece here. Once they were able to confirm exactly what printer was used, they were able to review logs to determine what device sent the document to be printed and who was logged onto that device at the time.

Lessons we can learn.

  • Do you have an inventory of what’s on your network? Being able to identify the printer used as one of their own was key in quickly identifying the serial number in the watermark as one of their own.
  • Have you *confirmed* that what you *believe* is on your network matches what *is* on your network? Simply having a list of what *should* be on your network is one thing but verifying that that’s all that’s on your network is equally important. A vulnerability assessment can be a way to not only verify your inventory (has someone added their own wireless access point to avoid those pesky access controls or perhaps an attacker has a dropbox collecting data) but also test for vulnerabilities in the devices that are legitimately there.
  • Do you have access control in place to limit who / what has access to potentially sensitive material? Access to the network was controlled using (at least) username and password, making it easy to determine who was logged into the device that sent the document to the printer. If all of the users used a shared logon (or no logon at all), this would have been much more difficult.
  • Do you have logging enabled? Most commercial and enterprise grade devices (and now even many residential devices) support some level of logging, giving the administrators an opportunity to see when events occured in the past (in this case, that Reality Winner was the account that was logged onto the device that sent the document to the printer).
  • Do you have an incident response plan in place to respond to potential violations? In most states, auto insurance is required to drive on public roads. Most auto insurance companies provide cards with pertinent information about their insurance (that they have it, who they have it with, etc.) as well as what to do in the event of an accident (do not leave the scene, call 911, call the insurance company, etc.), effectively an incident response plan if you have an accident.

Misc / Erratta

Leave a Reply