Recently, there was news here and here that a disgruntled technician of the Swiss spy agency NDB (Nachrichtendienst des Bundes) had stolen terabytes of counter-terrorism information shared between the NDB, the CIA, and MI6 (the UK spy agency). The person has been temporary arrested. It is still unclear whether he has already sold some of that information or not.
This case, together with many others like the theft of data from Swiss banks, which then is sold to German tax offices, again highlights that the biggest security risk for most organizations comes from internals. There is no doubt that the number of external attacks is increasing. There is no doubt about a massive risk for critical infrastructures. There is no doubt that also manufacturing and, in general, SCADA devices are at far higher risk than before.
However, there are two important aspects to consider:
- Many internals have privileged access, frequently with a lack of control. They potentially can steal large amounts of data and cause massive harm.
- Many of the external attacks are in fact hybrid attacks, involving internals.
For organizations, this means that they should not focus only on external attacks. The concept of perimeter security is an illusion anyway. There is no such thing as “the perimeter around the organization” anymore. What organizations have to do is to move forward to protect information, regardless from where it is accessed, where it resides, which device is used, and whether it is accessed from internals or externals. Point solutions which claim to solve this issue won’t help without the bigger picture in mind. They just increase the risk of bad investments.
However, there are some things you have to do: Access Governance and Intelligence are one of these things. Privilege Management is another one. However, Privilege Management should be well-integrated with Identity Provisioning and Access Governance/Intelligence instead of being a point solution. The most important thing to do now is to understand the big picture of information security. That’s what you should put on top of your agenda for 2013.
To learn how to best establish Information Stewardship as a principle, you should have a look at our new report “From Data Leakage Prevention (DLP) to Information Stewardship”, #70587, which has been written by my colleagues Mike Small and Dave Kearns.