USA Today reports the NSA’s Tailored Access Operation unit had a serious data breach. This is one of the largest incidents at NSA over the last five years.
The story reports that the access controls at the TAO’s locations are “porous”, allowing workers to easily remove information digitally or by simply walking out the front door.
Here are a few quotes from the story:
“Physical security wasn’t much better, at least at one TAO operator’s facility. He told The Daily Beast that there were “no bag checks or anything” as employees and contractors left work for the day—meaning, it was easy to smuggle things home. Metal detectors were present, including before Snowden, but “nobody cared what came out,” the second source added. The third source, who visited TAO facilities, said bag checks were random and weak.”
“If you have a thumb drive in your pocket, it’s going to get out,” they said.
Unsurprisingly, workers need to swipe keycards to access certain rooms. But, “in most cases, it’s pretty easy to get into those rooms without swipe access if you just knock and say who you’re trying to see,” the third source added.
“The TAO is the tip of the NSA’s offensive hacking spear, and could have access to much more sensitive information”.
“Defense Department’s inspector general completed in 2016 found that the NSA’s “Secure the Net” project—which aimed to restrict access to its most sensitive data after the Snowden breach—fell short of its stated aims. The NSA did introduce some improvements, but it didn’t effectively reduce the number of user accounts with ‘privileged’ access, which provide more avenues into sensitive data than normal users, nor fully implement technology to oversee these accounts’ activities”
I guess the Top Secret classification doesn’t mean what it used to…
http://www.msn.com/en-us/news/technology/elite-hackers-stealing-nsa-secrets-is-%E2%80%98child%E2%80%99s-play%E2%80%99/ar-AAtiWhO?li=AA4Zoy&ocid=spartandhp
Amanda M Rossetti says
This is both interesting and unsurprising to me. A lot of organizations are so focused on what gets into their building (badges required, metal detectors, etc.) that they don’t often think of what gets out. I worked in the data center of a major insurance company and a lot of the people I worked with took old pieces and parts home after they were decommissioned even though they were technically supposed to get shredded. It would have been easy to take something with production data on it. The NSA should have way better security for what gets out than a corporation, but I think they’re falling into the same trap the corporations are, trusting their employees too much.
Elizabeth V Calise says
Fred,
Really good posting. I feel like I haven’t read a security article in a while regarding physical controls. It is definitely overlooked and tends to be forgotten about. Like Amanda said, this is not surprising, but I did feel this article demonstrated an extreme case of weak physical controls. Aside from employees stealing company property or data, a big one I have heard about is tailgating. Not so much directed to the company’s own employees, but still relates to physical control. This would be where a non-employee is able to easily follow someone into a building and now has the ability to navigate through the building. This can lead to the stealing of data and/or physical assets. Sometimes organizations make it too easy for employees/non-employees to steal due to the lack of physical controls.
Fred Zajac says
Amanda & Elizabeth,
I agree with both of you and thank you for commenting.
It is an extreme case of weak physical controls, and shouldn’t be the case at an organization such as the NSA. I can see how something like this could happen to an organization viewed as a moderate or low level, but NSA (I would assume) would be Top-Secret level.
It is shocking to me that technical controls are not in place to prevent the removal of data on multimedia devices. Maybe someone needs to invent a device that looks like a metal detector you walk through, that instantly corrupts removable media devices. This can reduce digital information from being illegally removed. Or… they can caulk the USB drives…