Edward Snowden speaks during an interview in Hong Kong. Snowden, a 29-year-old former technical assistant for the CIA, revealed details of top-secret surveillance conducted by the United States' National Security Agency regarding telecom data. (The Guardian / Getty Images)
Edward Snowden’s ability to extract sensitive data from the National Security Agency, working as a low-level contract consultant, comes as no surprise to the security community.
Security experts say Snowden, a Booz Allen Hamilton network analyst based in Hawaii, had the technical savvy to take full advantage of two major security challenges all organizations face: managing privileged accounts and keeping PCs, databases and applications updated with the lastest security patches.
While details of how he did it aren’t yet clear, Snowden’s escapades highlight a complex challenge all large organizations face in securing sprawling networks increasingly reliant on Internet cloud connections and use of mobile devices.
“Digital assets are all plugged into an amazingly complex infrastructure,” says Mike Lloyd, chief technology officer at network security firm Red Seal Networks. “Even diligent defenders struggle to keep up with all the latest weaknesses, and the dizzying interactions between interdependent systems and layers. We cannot defend what we cannot understand.”
Snowden claims to have a long history of working as an information technology specialist, including stints as a systems engineer, systems administrator, a senior adviser for the CIA and a telecommunications systems information officer.
As Snowden told The Guardian in a videotaped interview: “When you’re in positions of privileged access, like a systems administrator, for these sort of intelligence community agencies, you’re exposed to a lot more information on a broader scale than the average employee. … Anybody in the positions of access with the technical capabilities that I had could, you know, suck out secrets.”
“I’m no different from anybody else,” he said. “I don’t have special skills.”
Snowden would have been well-aware of so-called privileged accounts, the logons that give administrative access to any device with a microprocessor, including PCs, servers, databases and copiers.
By identifying and accessing privileged accounts, an unscrupulous insider can easily roam far and wide inside an organization’s network. Such accounts function, in effect, as master keys to the deepest, most sensitive parts of an organization’s digital assets.
A recent survey by Cyber-Ark Software found that 86 percent of large enterprise organizations either do not know or underestimate the number of privileged accounts incorporated into their networks. Most have three or four times as many privileges accounts as actual employees.
Snowden claimed that he could wiretap anyone’s phone and had access to information showing wide-ranging “abuses” by the agency. He publicly released PowerPoint slides depicting PRISM, a secret NSA program for data mining information on individuals’ online behavior contributed by Google, Microsoft, Facebook, Apple and PalTalk.
He also claimed to possess the “full rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world, the locations of every station we have, what their missions are and so forth.”
Snowden claimed to have the ability to “shut down the surveillance system in an afternoon. But that’s not my intention.”
Agency investigators now should be able to trace Snowden’s Internet activities and determine the true extent of his infiltration of sensitive material, says Wade Williamson, senior security analyst at firewall company Palo Alto Networks.
It’s a big leap from stealing classified PowerPoint slides to wiretapping phones and accessing dossiers for spies and other agency personnel. And the NSA presumably segmented access to very sensitive data, Williamson says.
“I have access to lots and lots of confidential documents here at my company, but I’m not allowed to change how the network runs,” Williamson says. “He (Snowden) may have had access to PowerPoint slides, but not necessarily have control of all those other systems.
“What we don’t know is how broad that leak really was,” he added. “From a national security point of view, that’s where I would want to go back and take a hard look at the veracity of his statements.”
Another way Snowden could have accessed material is to take advantage of the agency’s process for installing security patches.
Corporations and big agencies continue to struggle with installing patches for computer operating systems and applications, which are issued constantly. The ideal — rarely met in corporate settings — is to install all critical security patches within 48 hours, says Wolfgang Kandek, chief technology officer at patch management firm Qualys.
A savvy insider would be familiar with the lags and could move to “gain administrative privileges on an unpatched machine and then begin to look around the network to see what else you can find,” Kandek says.
Udi Mokady, CEO of Cyber-Ark, which supplies technology to manage privileged accounts, says he was not surprised that a contracted analyst working from Hawaii was able to take advantage of known network weaknesses.
A similar incident made headlines in Europe last December, when a senior IT employee of Switzerland’s state intelligence service reportedly pilfered data shared with the Swiss from the CIA and the U.K.’s Secret Intelligence Agency, MI6.
The Swiss intelligence service, NDB, has not named the employee, who reportedly had administrator-level rights to large stores of classified data.
“It’s a dirty secret in IT that you can have thousands of people in the IT layer with the ability to survey all of your data,” Mokady says. Based on what Snowden said in his video interview, “it makes full sense that he abused his administrative rights,” Mokady says.
The NSA should have done a more thorough job screening Snowden before giving him network access and had more effective systems in place to monitor his network activities, says Joelle Scott, director of business intelligence at Corporate Resolutions, a consultancy that does security checks and investigates corporate crime.
“What’s most shocking is that there was a lack of proper internal controls,” Scott says. “There is no reason why this should have happened to the NSA.”
Byron Acohido and Peter Eisler report for USA Today.