CIA cyber weapons were stolen in 2016 in a historic breach due to 'woefully lax security,' according to a story published today on CNN. The article went into more details on how an estimated 34 TerraBytes of data were exposed. Even more shocking than the staggering amount of highly classified information that was stolen in this data breach, is how it might have been done. Spoiler alert: this isn’t as exciting as a spy vs. spy blog but don’t stop reading as it is very important to know what happened.
One of my favorite series of quotes from the CNN report stated that the "CIA works to incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats." However, they go on to state that over the years, they “often prioritized creativity and collaboration at the expense of security” and as such, “[day]-to-day security practices had become woefully lax."
Think about that for a moment. Here we have one of the most sophisticated security organizations in the world, with the budgets to match, and they were still breached. This raises a series of questions.
As we dig a little deeper into things, we begin to understand how this can happen. The report stated that "[they] failed to recognize... that a person or persons with access to CIA classified information, posed an unacceptable risk to national security," and "did not require user activity monitoring.” Making matters worse, it also stated that "Most of [their] sensitive cyber weapons were not compartmentalized, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely."
So, an organization that is inherently suspicious failed to recognize the internal threat and on top of that, ignored what are considered basic principles of information security.
At this point, you are probably thinking, the CIA is being run pretty poorly but please don’t. This blog is not about bashing as that is not what we in the security industry should be doing. Instead, we need to acknowledge that businesses and organizations are complex, and decisions are never black and white. Our job is to help. The best way to do that is to discuss the issues and talk about solutions.
Let’s look at those questions again.
As a CISO, I see this all the time and to be frank, the two do not have to be inverses of each other. Like anything that is of value, it takes effort to make it work properly. That said, environments today are very complex and oftentimes, the security teams are siloed from the business and development side of things. What this results in is a general lack of understanding of each other and usually breeds fear, uncertainty and doubt on both sides. The security team feels like the business side doesn’t really care or leaves them out. On the flip side, the business side feels like the security teams always say no and hold things up. In actuality, the truth is somewhere in the middle. The culprit, in my experience, is lack of information.
As our environments become more and more complex, we need to cut through the stories, and start working with hard facts (data) in our decision making process. When we do this, the two sides inevitably start to come together and work as a team. Through this, the security teams better understand the business and how decisions are made and the business teams better understand the fundamentals of security. The result, each part of the whole can integrate the others' context into theirs. The security teams shift their perspective to the left, towards the business, and deliver information that is relevant to them. At the same time, the business shifts their perspective right and brings the security teams into decisions as a part of the business. I've personally seen organizations get to this point and results for both the business and security teams were amazing. We have built highly secure software, got it to market faster than our competitors, and marched our way to great success.
When we read about something like the CIA breach, it is easy to jump to simple conclusions but things are often not simple. Truth be told, we probably will never know how this happened exactly, and some of the details are probably taken out of context, but there is a fundamental lesson to be learned here. On a daily basis, organizations of all shapes and sizes deal with vast amounts of data and often in complex heterogeneous environments. The result - being able to implement and maintain some of the basic principles of information security has also become complex.
In addition, the paradigms on how we secure our data are also changing. In the data center world, the network perimeter formed the boundary of our environments. In the cloud, that has shifted to Identities (both human and non-human) and their relationships to the data in our environment. If we really want to focus on what is important (the data), we need to have a highly accurate picture of these specific relationships. We need to understand which identities can access which data, which have already, and what they have done. On the flip side, we need to truly know where all of our data exists in our environment, classify or define it, see who is accessing it, from where, and where is it going? This all needs to be done continuously and in-step with any changes made in the environment.
As we discussed in the first question, enterprise organizations need to integrate these insights into the business. Traditionally, the answers to these questions (in the forms of a lot of alerts) are often sent to the security teams in the form of alerts with the hope someone will look into it. This leads to alert fatigue and people stop paying attention. This model has been broken for a long time and results in a breakdown in the flow of information. When we talk about shifting context, this is where the two sides, security and dev, can move towards the middle while ensuring that the information is shared with the teams that can truly affect change. In the modern model, this could mean sending alerts to a dev team that introduced a code flaw for them to fix it at the source. It could also mean sending risk information to business leaders to help them understand how their organization contributes to the overall risk of the business and where those risks occur. In tandem, the security team is no longer buried under all of the alerts and can be an active participant in the solutions. Through this, both sides come together and work as a team. As an added benefit, each side learns at a contextual level; non-security teams learn how to be more secure and security teams learn how the business truly works.
Overall, it is terrible what happened at the CIA. While it is easy to quickly jump to scorn and blame, the problem is likely more complex. The world is quickly changing, and as such, organizations need to change how they approach information security. They need to unravel the complexity that has been built up in their environments and clearly understand their identity and data relationships. With those valuable insights, they need to shift their context towards each other, with data at the core, and integrate their decision making processes accordingly. Through this, we can achieve highly secure environments which maintain the fundamentals of information security without sacrificing the speed and agility that drives the modern business.
Companies are already struggling with the first two challenges of managing their data stores and securing the data in them. Getting to the state where you can fully understand who/what can access that data, who/what actually doing this and where the data is going, can feel like a pipe dream. In reality, there are solutions out there that can help you achieve this.
Sonrai Security delivers an enterprise identity and data governance platform for AWS, Azure, Google Cloud, and Kubernetes. Our Sonrai Dig platform is built on a sophisticated graph that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.
Identity and data access complexity are exploding in your public cloud. Tens of thousands of pieces of compute, thousands of roles, and a dizzying array of interdependencies and inheritances. First-generation security tools miss this as evidenced by so many breaches. Sonrai Dig, our enterprise identity, and data governance platform, de-risks your cloud by finding these holes, helping you fix them, and preventing those problems from occurring in the first place.