What Went Wrong?

Martin's motives are as yet unknown, but his methods undoubtedly evolved over time, because technology and policy do not stand still. Over 20 years, the means of digitally removing information could have progressed from floppy disks to Zip disks, from CD-RWs to USB flash drives and high-capacity portable external hard drives, all the way to cloud storage and torrents. Add to that the evolution of endpoints, operating systems and the like, and you can see that this was a highly complex, highly motivated malicious insider, emboldened by continually escaping detection. A breach of this magnitude represents a failure across multiple controls: physical, technical and administrative. There are some truly disturbing aspects of the technical control failure. Just as concerning is the fact that many of the technologies available to mitigate such a risk have been on the market for 10 years or more. It seems likely they could have reduced the window of time in which Harold Martin was able to steal our most sensitive secrets.
Mitigating the Risk of Insider Threat

To set the record straight, the Department of Defense banned the use of removable media across all defense agencies in 2008 following widespread damage from a worm attack. Yet this contractor continued to use removable media at the agency without raising an alarm. This enabled Harold Martin not only to download and remove highly classified data, but also to use networks like Tor to act without detection. Keep in mind that this type of technology is relatively new within the 20 years over which he exfiltrated data. Further, his unchecked use of elevated privileges to reach various data sets seems to have gone unnoticed. Through the deployment of privileged access solutions like PowerBroker and vulnerability management solutions like Retina, these anomalies in workstation configuration, unusual patterns of behavior and repeated access to sensitive data through elevated privileges would likely have been revealed. IT and security personnel would have been alerted to these anomalies, and action could have been taken to mitigate the extensive damage of Harold Martin's actions. Recording of privileged sessions would have enabled forensic investigators to understand exactly what he did in the environment. While the Federal IT environment is certainly complex and deploying tools in these systems can be challenging, this type of breach must be prevented using all of the tools available. It is time for our agencies to take the role of privileges and vulnerabilities seriously, as mandates like FISMA and frameworks like NIST 800-53 prescribe. Privileged account and session management products, as well as privilege elevation and delegation management products, are building blocks in your efforts to prevent and detect breaches. Successful implementation takes you one step closer to compliance and away from the headlines.
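The two signals the paragraph above says monitoring should have surfaced, a write to removable media where policy bans it and repeated elevated-privilege access to sensitive data by one account, can be expressed as simple detection logic over an audit trail. The following is an added example, not code from BeyondTrust, PowerBroker or Retina: the log format, field names, usernames, paths and the alert threshold are all constructed for illustration.

```python
"""
Added example (not from the original post or any BeyondTrust product):
a minimal detector over constructed audit-log lines that flags
  1. any copy/write to removable media (the policy bans the device outright), and
  2. accounts whose elevated-privilege access to sensitive data sets
     reaches a threshold within the log window.
Assumed log format (constructed): <timestamp> <user> <action> elevated=<yes|no>
target=<path> device=<fixed|usb|optical|external>
"""
from collections import Counter

# Constructed sample log lines; usernames, paths and timestamps are fictional.
SAMPLE_LOG = """\
2016-08-01T09:02:11Z alice read elevated=no target=/share/public/memo.txt device=fixed
2016-08-01T09:05:40Z bob read elevated=yes target=/classified/ops/plan-a.doc device=fixed
2016-08-01T09:06:02Z bob copy elevated=yes target=/classified/ops/plan-a.doc device=usb
2016-08-01T11:17:25Z bob read elevated=yes target=/classified/sigint/tool-b.bin device=fixed
2016-08-01T11:18:00Z bob copy elevated=yes target=/classified/sigint/tool-b.bin device=usb
2016-08-01T13:44:10Z carol read elevated=yes target=/classified/ops/plan-a.doc device=fixed
2016-08-02T08:12:55Z bob read elevated=yes target=/classified/ops/plan-c.doc device=fixed
"""

SENSITIVE_PREFIX = "/classified/"                 # assumed: sensitive data sets live here
REMOVABLE_DEVICES = {"usb", "optical", "external"}  # assumed device classes covered by the ban
WRITE_ACTIONS = {"copy", "write"}
ELEVATED_ACCESS_THRESHOLD = 3                     # constructed threshold; tune per environment


def parse_line(line):
    """Split one audit line into a dict of fixed columns plus key=value fields."""
    ts, user, action, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": ts, "user": user, "action": action, **fields}


def parse_log(text):
    """Parse every non-blank line of the audit text."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def removable_media_writes(events):
    """Every write to a banned device class, regardless of what was written."""
    return [e for e in events
            if e.get("device") in REMOVABLE_DEVICES and e["action"] in WRITE_ACTIONS]


def repeated_elevated_sensitive_access(events, threshold=ELEVATED_ACCESS_THRESHOLD):
    """Per-user count of elevated accesses to sensitive paths, kept if >= threshold."""
    counts = Counter(e["user"] for e in events
                     if e.get("elevated") == "yes"
                     and e.get("target", "").startswith(SENSITIVE_PREFIX))
    return {user: n for user, n in counts.items() if n >= threshold}


def build_alerts(text):
    """Run both detections over the raw log text and return alert strings."""
    events = parse_log(text)
    alerts = []
    for e in removable_media_writes(events):
        alerts.append(f"REMOVABLE_MEDIA user={e['user']} target={e['target']} "
                      f"device={e['device']} at {e['ts']}")
    for user, n in sorted(repeated_elevated_sensitive_access(events).items()):
        alerts.append(f"REPEATED_ELEVATED_ACCESS user={user} count={n}")
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this raises two removable-media alerts for the USB copies and one repeated-access alert for the account that touched sensitive data five times with elevated rights; the single elevated read by another account stays below the threshold. In a real deployment the threshold would be set against a baseline of normal privileged activity, and the removable-media rule needs no threshold at all because the 2008 ban makes any such write a policy violation.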
If your agency is working to prioritize risks in the face of ongoing breaches, download our white paper on how to meet NIST 800-53 requirements or contact us today for a strategy session.
Scott Lang, Sr. Director, Product Marketing at BeyondTrust
Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.