Question

1) Case Study: Another older story, but one that is still quite relevant, is that of Edward Snowden. In May 2013, Edward Snowden, a National Security Agency (NSA) contractor, met a journalist and leaked thousands of documents detailing how the United States conducts intelligence surveillance across the Internet. In June 2013, the U.S. Department of Justice charged Snowden with espionage. Not long afterward, Snowden left the United States and finally sought refuge in Russia. The Russian government denied any involvement in Snowden's actions but did grant him asylum. Although this story reads like a spy novel, it raises a number of information security policy questions. For this discussion, it is not important whether Snowden was a traitor, a spy, or a whistleblower. The issue here is the security policies and controls that allowed a part-time NSA contractor to gain unauthorized access to highly sensitive material. This is particularly important because in April 2014, the Department of Defense announced adoption of the NIST standards. Would the Snowden breach have been prevented if the NIST standards had been adopted earlier? Given the secret nature of the NSA, the full details of how this breach of sensitive data occurred may never come out. However, reports indicate that Snowden worked part time for an American consulting company that did work for the NSA in Hawaii. There he gained access to thousands of documents that detailed how the U.S. government works with telecommunication companies and other governments to capture and analyze traffic over the Internet. The details of the scope and nature of this global surveillance program were not publicly known and were considered secret. It's clear from the reporting that Snowden had excessive access; that is to say, he was granted access beyond the requirements of his job. Additionally, reports indicated that he used other people's usernames and passwords. He obtained these IDs through social engineering.

Finally, consider the way in which he accessed and captured the information. Some reports indicate he used inexpensive and widely available software to electronically crawl through the agency's networks. There are also indications that he removed the information on a USB memory stick. It is noteworthy that there have been two additional data breaches at the NSA since Snowden, both from insiders. Harold Martin III was indicted in 2017 and accused of taking home thousands of pages of classified documents. In March 2019, Mr. Martin pled guilty and was sentenced to 9 years of prison followed by 3 years of probation. Also in 2017, Reality Winner, an NSA contractor, leaked information about an investigation into Russian interference to newspapers. She pled guilty in 2018 and received a 5-year sentence. What these two cases illustrate is that the agency has not made sufficient corrections since the 2013 Edward Snowden case. This illustrates that any organization must take a frank and honest look at security failures. That is the most effective way to learn from those mistakes. Failure to do so can lead to the same security breaches being repeated in the future. There were clear NIST framework violations in the Edward Snowden case. For purposes of this discussion, the focus is on the network and social engineering. NIST publications outline other standards that were violated, such as effective security management and oversight. The following four NIST framework network policies were clearly violated:

- Sharing of passwords
- Excessive access
- Penetration testing
- Monitoring

It's never a good idea to share passwords. This would be a clear violation of security policy, especially by anyone handling classified data. Additionally, the level of access must be considered a policy violation. Any security framework generally prohibits granting access not related to the individual's job function.

It's clear from the volume of material involved in the Snowden affair, and its classified nature, that the access he was granted was excessive for the role he performed. The NIST framework also outlines the guidance on penetration testing. Penetration testing, if done by a competent penetration tester, can be an effective way to measure compliance with security policies. This type of testing and assessment would provide another opportunity to correct the network control deficiencies prior to a breach. The NIST framework outlines the requirements for effective network monitoring. These require logs to be reviewed in a timely manner. Log reviews are a detective control and essential in identifying potential hackers. Keep in mind, Snowden scanned the internal network for months while downloading vast amounts of data. Hackers tend to probe a network for weaknesses prior to a breach. Assume that some of those links the web crawler attempted to access resulted in an access violation. These violations would have been an indicator of a potential breach in progress. This type of monitoring would have provided another opportunity to correct the network control deficiencies and identify Snowden as an internal hacker. Finally, consider the lack of controls that allowed Snowden to remove so many documents on a USB memory stick. This unusual activity could have been prevented or, at a minimum, detected, given the volume of material extracted, especially given that many organizations have in place additional controls to monitor contractor activities. Some of the specifics of the Snowden breach may never be known to the public. Nonetheless, a security policy framework must be a comprehensive way of looking at information risks and ensuring there are layers of controls to prevent data breaches. This case is typical of a breach occurring over many months, indicating the breakdown of multiple controls. It represents both a lack of effective security policies and lost opportunities to detect a breach over several months.
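The case study argues that timely log review would have surfaced two indicators: a run of access violations from a crawler probing shares it was not entitled to, and an unusually large volume of data read by one account. The following is an added example (not from the textbook or the case) of such a detective check run over constructed file-access log lines; the log format, account names and thresholds are assumptions.

```python
# Added example: review a file-access log for the two indicators the Snowden
# case describes (repeated access violations and bulk download by one account).
# Log layout, user names and thresholds are constructed for this illustration.
from collections import defaultdict

# Constructed sample log: timestamp, user, action, result, bytes transferred
SAMPLE_LOG = """\
2013-04-01T09:00:01 analyst1 READ ALLOW 20480
2013-04-01T09:00:05 analyst1 READ ALLOW 10240
2013-04-01T09:00:06 crawler_acct READ DENY 0
2013-04-01T09:00:07 crawler_acct READ DENY 0
2013-04-01T09:00:08 crawler_acct READ ALLOW 5242880
2013-04-01T09:00:09 crawler_acct READ DENY 0
2013-04-01T09:00:10 crawler_acct READ ALLOW 7340032
2013-04-01T09:00:11 crawler_acct READ DENY 0
2013-04-01T09:00:12 crawler_acct READ DENY 0
2013-04-01T09:00:13 analyst2 READ DENY 0
"""

DENY_THRESHOLD = 5            # access violations per account before alerting
BYTES_THRESHOLD = 10 * 2**20  # bytes read by one account before alerting (10 MiB)

def parse_log(text):
    """Yield (user, result, nbytes) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, user, _, result, nbytes = parts
        yield user, result, int(nbytes)

def review_access_log(text, deny_threshold=DENY_THRESHOLD, bytes_threshold=BYTES_THRESHOLD):
    """Return {user: [reasons]} for accounts whose activity crosses a threshold."""
    denies, volume = defaultdict(int), defaultdict(int)
    for user, result, nbytes in parse_log(text):
        if result == "DENY":
            denies[user] += 1
        else:
            volume[user] += nbytes
    findings = {}
    for user in sorted(set(denies) | set(volume)):
        reasons = []
        if denies[user] >= deny_threshold:
            reasons.append(f"{denies[user]} access violations")
        if volume[user] >= bytes_threshold:
            reasons.append(f"{volume[user]} bytes read")
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in review_access_log(SAMPLE_LOG).items():
        print(f"ALERT {user}: {'; '.join(reasons)}")
```

Either indicator alone is enough to flag an account, so a crawler that only ever hits denied paths is caught by the violation count even if it downloads nothing.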

2) Case Study: In March 2014, eBay noticed an unexpected database session on its servers. The session was scanning password files. Later, eBay disclosed that users' credentials for 145 million users had been compromised. This is a substantial issue for a company whose entire business model is based on e-commerce. According to eBay, the data stolen did not include credit card information. The company discovered the breach by first noticing several anomalies on the corporate network. The investigation discovered that the attackers had used employees' passwords to gain initial access to the network. Analysis of the attack indicates attackers may have been in the network for two months or more before a breach was detected. Analysts have speculated that the entire attack may have started with spear phishing campaigns to get employees' credentials. There are policies that would have, if implemented and adhered to, either prevented this breach or mitigated it substantially:

- Two-factor authentication could have prevented this breach. Even if an attacker obtains a user's password, two-factor authentication would prevent the attacker from gaining access.
- More robust monitoring and alerting of network anomalies would have alerted eBay to the issue much sooner.
- More robust employee education and email policies might have prevented the original spear phishing campaign from being successful.

This case illustrates the pressing need for good security policies that are enforced. Certainly, a wide range of standards apply to eBay, including PCI DSS. It is equally clear that these standards were not adhered to.

3) Case Study: A more recent example is from August 2019. A story broke regarding a former U.S. Department of Energy contractor named Gary Peter Simon who was accused of accessing the network two months after his contract expired. Mr. Simon is accused of accessing cloud storage and destroying files, altering files, and altering other accounts. Mr. Simon did plead to one count of intentionally accessing a protected computer without authorization and recklessly causing damage resulting in loss of more than $5,000 during one year. He had accessed the Department of Energy's Strategic Petroleum Reserve Office (SPRO). As of this writing, he has not yet been sentenced. The real issue with this story is that proper policies and applying a security framework would have entirely prevented this incident. This incident is an ideal case study of why policies are important and how they must be applied. An off-boarding process to ensure all access has been revoked for exiting employees would have mitigated this situation. Cancelling all access for exiting employees and contractors would have completely prevented this situation. A robust Intrusion Detection/Intrusion Prevention System (IDS/IPS) that detects anomalous login attempts (such as those from people no longer authorized) would have identified this situation earlier. This is a classic case of policies not being implemented properly. Because this was a government office, it was supposed to be applying FISMA, NIST, and related standards. It is clear in this situation that security policies were not followed.
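The two controls named for the DOE case, an off-boarding check that every expired contractor's access is revoked and detection of logins by people no longer authorized, can be checked with the same piece of data: the contract end date. The following is an added example (not from the textbook or the case) that audits a constructed contractor roster against constructed authentication log lines; names, dates and the log format are assumptions.

```python
# Added example: off-boarding audit for the DOE case. It flags (a) contractor
# accounts still enabled after their contract ended and (b) any login attempt,
# successful or not, made after the contract end date. Roster and log lines are
# constructed for this illustration.
from datetime import date, datetime

# Constructed roster: username -> (contract end date, account still enabled?)
ROSTER = {
    "ctr_alice": (date(2019, 3, 31), False),  # off-boarded correctly
    "ctr_bob":   (date(2019, 4, 15), True),   # contract over, access never revoked
    "ctr_carol": (date(2019, 12, 31), True),  # still under contract
}

# Constructed auth log lines: ISO timestamp, username, outcome
AUTH_LOG = """\
2019-06-10T08:12:00 ctr_bob SUCCESS
2019-06-10T08:15:00 ctr_carol SUCCESS
2019-06-11T23:40:00 ctr_alice FAILURE
2019-06-12T02:05:00 ctr_bob SUCCESS
"""

def stale_accounts(roster, as_of):
    """Accounts whose contract ended before `as_of` but are still enabled."""
    return sorted(u for u, (end, enabled) in roster.items() if enabled and end < as_of)

def logins_after_expiry(roster, log_text):
    """(user, timestamp, outcome) for every login event after the user's contract end.
    Failed attempts are kept on purpose: a disabled account being tried is itself
    the anomalous login an IDS should surface."""
    hits = []
    for line in log_text.splitlines():
        ts, user, outcome = line.split()
        when = datetime.fromisoformat(ts).date()
        if user in roster and when > roster[user][0]:
            hits.append((user, ts, outcome))
    return hits

if __name__ == "__main__":
    print("never disabled:", stale_accounts(ROSTER, date(2019, 6, 30)))
    for user, ts, outcome in logins_after_expiry(ROSTER, AUTH_LOG):
        print(f"ALERT post-expiry login {user} at {ts} ({outcome})")
```

In a real deployment the roster would come from the HR or contracts system and the login events from the identity provider, which is why the two controls are only as good as the contract end dates being recorded.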

1) Edward Snowden, National Security Agency contractor

i. What charge did the U.S. Department of Justice cite Edward Snowden with?

ii. How was Edward Snowden allowed to have access to sensitive documents as a part-time contractor for the NSA?

iii. Which standards did the Justice Department deploy after this breach?

iv. What are some of the ways that Edward Snowden was able to access the enormous amount of confidential information?

v. List the four NIST Frameworks that were violated.

vi. Would a clearly stated Username and Password policy have prevented this breach? What if one existed but was never enforced?

vii. How long did this breach exist?

2) E-Commerce Case Study - eBay

i. List the policies that could have brought attention to the administration of the data being compromised.

ii. How could the compromise be prevented?

3) U.S. Department of Energy

i. What was the accusation that the administration identified?

ii. Which policies needed to be present to prevent this from occurring?
