Archive for the ‘NSA’ Category

Prior to Snowden, NSA Had No Clue How Many Were Approved to … – Washington Free Beacon


BY: Natalie Johnson June 24, 2017 5:00 am

The National Security Agency did not know how many officials were authorized to download and transfer top secret data from its servers prior to the high-profile leaks by former contractor Edward Snowden, according to a recently declassified government report.

The NSA was also unsuccessful in attempts to meaningfully cut the number of officials with "privileged" access to its most sensitive databases, the Department of Defense's inspector general determined in the 2016 investigation. The heavily redacted report was obtained by the New York Times through a Freedom of Information Act lawsuit.

The agency struggled to achieve the mandated reductions because it had no idea how many employees or contractors were designated data transfer agents or privileged access users prior to the leaks.

NSA officials told the inspector general they lost a "manually kept spreadsheet" that tracked the number of privileged users after receiving multiple requests from the inspector general to provide documents identifying the initial number. The lapse made it impossible for the agency to determine its baseline of privileged users from which reductions would be made.

The report said the NSA then "arbitrarily removed" privileged access from users, who were told to reapply for the authorization. While this enabled the agency to determine how many personnel were granted special access, the NSA still had no way of measuring how many privileged users had lost the clearance.

The inspector general said the NSA should have used this new baseline as a "starting point" to reduce privileged users instead of using the number to declare a reduction in those personnel.

In the case of data transfer agents, the NSA's "manually kept list" tracking the number of officials authorized to use removable devices, such as thumb drives, to transfer data to and from the agency's servers was "corrupted" in the months leading up to the Snowden leaks, the report said.

Without a baseline to measure potential reductions, the NSA then mandated data transfer agents to reapply for the authorization. Again, though this allowed the agency to determine how many personnel were given the authority, the NSA still had no way of gauging how many reductions were made, if any.

The threat proved ongoing earlier this month when former contractor Reality Winner was charged with removing classified information from NSA facilities regarding the Russian election hacks and leaking it to the press.

The initiatives to cut the number of people with access to classified data were part of a broader post-Snowden measure, called "Secure the Net," to strengthen protections of its sensitive surveillance and hacking methods.

The report determined that while the NSA made some progress in achieving reform, the agency "did not fully meet the intent of decreasing the risk of insider threats to its operations and the ability of insiders to exfiltrate data."

NSA spokeswoman Vanee Vines acknowledged the report's conclusions in a statement issued to the New York Times last week.

"We welcome the observations and opportunities for improvement offered by the U.S. Defense Department's Inspector General," she said. "NSA has never stopped seeking and implementing ways to strengthen both security policies and internal controls."

It is unclear what steps the NSA has taken since the report was finalized in August 2016 to reduce the number of employees and contractors with access to its top-secret databases.


NSA Advocates Data Sharing Framework – Threatpost

NEW YORK – The economics of cybersecurity are skewed in favor of attackers, who invest once and can launch thousands of attacks with a piece of malware or exploit kit. That's why Neal Ziring, technical director for the NSA's Capabilities Directorate, wants to flip the financial equation on bad guys.

"We need to conduct defenses in a way that kills an adversary's ROI," Ziring said. "I want to get it down to the point where a threat actor says, 'I better choose carefully where I throw this malware first, because I'm not going to get a third or fourth try.' Today they don't have that concern."

In order to decimate a cybercriminal's ROI on developing tools and attack playbooks, Ziring is calling on public agencies, companies and the security community to radically change the way they respond to cyberattacks.

In a keynote address Thursday at the Borderless Cyber conference, he said the cybersecurity community needs to work cooperatively to collectively respond to attacks in the same spirit they share threat intelligence. He argues that doing so will deprive cyber threat actors of the ability to use tools and tradecraft multiple times and starve criminals financially.

"The future of cyber defense is having a shared response or coordinated response," Ziring said. "We need to break out of today's enterprise mentality of every person for themselves."

The type of framework Ziring describes doesn't exist today, but two standards come close. Those are STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information), which both deal with sharing data ahead of an attack. Neither addresses a key component that Ziring is calling for, which is a public-private framework that creates a type of autoimmune system. If one node on the network is attacked, all other connected nodes are warned within seconds to defend against a similar attack.

"There is no technological reason why this couldn't work. There are only practical obstacles like the need for interoperable standards that will enable us to do this in today's heterogeneous environments. And that's the bit we are solving right now with STIX and OpenC2," he said.

Still early in development, OpenC2 is a language that would enable the coordination and execution of command and control of defense components between domains and within a domain.

Universal support for that type of framework will take a major shift in industry mindsets. As one conference attendee noted, today breach data is a carefully guarded secret for many companies. Ninety-five percent of the dozens of breaches the attendee said he helped mitigate over the past year were kept private for fear it might hurt share prices and the companies' reputation.

Ziring said the industry does not need new regulations to mandate breach transparency. The upside to information sharing is the carrot that he hopes will lure companies, sectors and communities to be part of the sharing framework. He notes there are already several critical infrastructure sectors that are required to report breaches to the DHS.

"It would be better if we didn't have to create more regulation. We'll have to take a wait and see approach for now," he said.

Currently, the type of framework Ziring describes is extremely rare. Within the financial services sector, breach data is shared between members of an FS-ISAC (Financial Services Information Sharing and Analysis Center). When one member is attacked, all other members are alerted and can fend off similar attacks before they happen.

Meanwhile, attack surfaces are growing with the rapid expansion of cloud, IoT and third-party services. Ziring said current defenses are not as scalable as they need to be and can't match the automated nature of cyberattacks.

Using FS-ISAC as a model, Ziring envisions a future where industry-focused communities share visibility into threats. When an attack occurred, top-level community members would analyze the threat and send out countermeasures to community members, inoculating them within seconds or minutes from similar attacks. "It's unreasonable to ask small business to be ready to fight off a nation state attack themselves," he said.

To many in attendance, that top-level community member is the government. To that end, Ziring told attendees that NSA and DHS are committed to be a trusted partner in the framework through the development of standards such as OpenC2.

"The government has a unique authority in this area. We are doing a lot today within the DHS and FBI. I believe government has a responsibility to share. Culturally, it's going to be tough. But we need to do it," he said.


Privileged user management trips up NSA – TechTarget

A recently declassified report revealed the U.S. National Security Agency failed to fully secure its systems since the Edward Snowden leaks in 2013.

The report detailed the findings of the Department of Defense inspector general's 2016 assessment of the NSA's security efforts around privileged user management. The heavily redacted report was declassified after Charlie Savage, a Washington correspondent for The New York Times, filed a Freedom of Information Act lawsuit. The assessment looked at how the NSA handles privileged access management, and, according to the report, the NSA was found wanting.

After Edward Snowden leaked over a million files in 2013, the NSA began an initiative, dubbed Secure the Net (STN), with seven privileged user management goals. The inspector general's assessment found that the NSA met only four out of the seven goals: developing and documenting a plan for a new system administration model; assessing the number of system administrators across the enterprise; implementing two-factor access controls over data centers and machine rooms; and implementing two-factor authentication controls for system administration.

According to the report, dated Aug. 29, 2016, not all of the four privileged user management initiatives were fully met. "[The] NSA did not have guidance concerning key management and did not consistently secure server racks and other sensitive equipment in the data centers and machine rooms in accordance with the initiative requirements and policies, and did not extend two-stage authentication controls to all high-risk users," the report read.

Additionally, the assessment found that three of the seven STN initiatives for strong privileged user management were not accomplished. The NSA was supposed to "fully implement technology to oversee privileged user activities; effectively reduce the number of privileged access users; and effectively reduce the number of authorized data transfer agents."

There were 40 STN initiatives in total, though the assessment focused on the seven related to privileged access management. The conclusion reached in the assessment was, while the NSA was successful in part, it "did not fully address all the specifics of the recommendations."


NSA Names Whatcom as One of Four Centers of Academic Excellence in Cyberdefense National Resource Centers – whatcomtalk.com

Submitted by: Whatcom Community College

Whatcom Community College (WCC) has been selected by the National Security Agency (NSA) to lead efforts to improve and expand cybersecurity education nationwide as one of four Centers of Academic Excellence in Cyberdefense (CAE-CD) National Resource Centers. In this role, WCC will function as a super hub, helping to support and guide 10 regional centers. Whatcom will lead the CAE-CD mentor program, guiding university and college administrators and faculty through the rigorous application for the CAE-CD designation. The NSA bestows the designation, which recognizes colleges and universities that meet industry-recognized standards of education and training in the cyberdefense field, with curriculum mapped to the NSA's latest requirements.

The College will receive up to $1 million in federal grant funding, which will significantly expand the number of participating institutions in the United States. As one of four national centers funded to support various aspects of the initiative, WCC was designated as a National Center of Academic Excellence in Information Assurance/Cyber Defense 2-year education (CAE2Y) in 2011 and, again, in 2014. Whatcom was among the first community colleges in the nation to earn the designation.

"WCC has years of experience and is a national leader in cybersecurity education. Our CIS and cybersecurity programs are models of excellence," WCC President Kathi Hiyane-Brown said. "We're honored to share our program models with other academic institutions to help prepare qualified employees for the cyberdefense workforce, which is vital to our national security."

The grant project will leverage the mentor model program that WCC developed under previous grants. The program will connect candidate institutions with a qualified mentor who will assist the applicant in improving their cybersecurity program and completing the CAE-CD application. This process helps to ensure that the application is of high quality and meets NSA standards prior to submission. Through this process, colleges and universities can save time, effort, resources and frustration, and achieve a meaningful designation that will help attract faculty and students and even spur economic development in their region.

WCC offers a bachelor of applied science (BAS) in IT Networking as well as two-year degrees and certificates in computer information systems and cybersecurity (with opportunities to transfer to regional universities). WCC is also the lead institution for CyberWatch West, a National Science Foundation (NSF) regional center for cybersecurity education, and for C5 (Catalyzing Computing and Cybersecurity at Community Colleges), also funded by the NSF. More than 110 universities, colleges, high schools and educational organizations belong to the CyberWatch West consortium. For more information about WCC's computer information systems and cybersecurity programs, visit whatcom.edu/cis.


Why I sued Comey and the NSA, again! – WND.com

One day following the explosive revelations of Edward Snowden that the National Security Agency (NSA) had been engaging in mass surveillance of hundreds of millions of Americans without probable cause, I brought suit against then-President Barack Obama and his intelligence agencies. The case was randomly assigned to the Honorable Richard J. Leon of the U.S. District Court for the District of Columbia, one of the few non-Obama-Clinton appointees left in this tribunal. To accelerate the case I then filed a motion for preliminary injunction, asking Judge Leon to temporarily enjoin the defendants' illegal surveillance of the populace, during the time the case would otherwise proceed to discovery and then trial.

After Judge Leon reviewed my pleadings, which required that he take action to adjudicate my motion for preliminary injunction within 21 days, he held a status conference. At that conference, he forcefully instructed the Obama Justice Department lawyers in the Federal Programs Branch that he would move the case along quickly and that they should not seek to delay his ruling by asking for non-meritorious requests for extensions. Labeling the case as one at the pinnacle of national importance, Leon advised the Obama Justice Department lawyers to forget about not working on weekends and evenings, and he then set an accelerated briefing schedule.

Judge Leon made good on his promise and ruled promptly, finding that the mass surveillance by Obama and his NSA was unconstitutional and violative of the Fourth Amendment. He added that this was so illegal as to be "almost Orwellian," a reference to the landmark book "1984," by George Orwell, in which he coined the term for a tyrannical government: "Big Brother."

The initial preliminary injunction entered on Dec. 16, 2013, was entered again later when I amended the complaint to conform with the edicts of the appellate court, the U.S. Court of Appeals for the District of Columbia Circuit, where the Obama Justice Department went after Leon's ruling to try to slow down implementation. This second preliminary injunction, as well as the first, provoked Congress to enact a law that attempted to prevent further illegal and unconstitutional surveillance. It is called the USA FREEDOM Act.

However, now we have learned, as I suspected all along, that Obama and the NSA, with the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI), continued to commit crimes by secretly conducting this illegal surveillance. This was revealed by disclosures obtained by Circa News, with reporters John Solomon and Sara Carter uncovering these continuing crimes. And, my whistleblower client Dennis Montgomery, a former NSA and CIA contractor during the George W. Bush and Obama White House years, also revealed that this illegal surveillance was a constant by the FBI under the direction of former directors Robert Mueller and then James Comey as Montgomery himself worked with the FBI as well as the other intelligence agencies during these years.

And, this unconstitutional surveillance extended not just to millions of innocent Americans in general, but also other prominent persons such as Donald J. Trump, his family, the chief justice of the Supreme Court, other SCOTUS justices, 156 judges and thousands of others, such as the family of Nevada rancher Cliven Bundy, my client. Anyone who was seen as critical of or a phantom threat to the government, or who had taken action to clean up corruption, such as myself, was put under the looking glass of the so-called Deep State.

The potential for coercion and blackmail under these circumstances was seen to be great. As one example, how does one explain the 12th hour flip of Chief Justice John Roberts, where he voted with leftist justices to rubber-stamp Obamacare, a clearly unconstitutional law? What did the Deep State potentially have on Roberts that got him to jump ship and craft a majority opinion that was a textbook example of rank intellectual judicial dishonesty? This ruling almost destroyed the American economy as well as innocent people's lives, who were thrown off their health insurance policies or could no longer afford to be covered, as the price of premiums later skyrocketed. This is just one example of the potential consequence of the Big Brother criminal surveillance of the Deep State.

As a result of the new revelations that the illegal spying has continued, despite the enactment of the USA FREEDOM Act, my client Dennis Montgomery and I have brought a new suit, this time adding James Comey along with the FBI and the intelligence agencies as defendants. Comey was included not just because he orchestrated the illegal surveillance during his years as Obama's FBI director, but also because he covered up an investigation caused by Montgomery, in which he was entrusted to supervise. Montgomery, under grant of immunity, had turned over 47 hard drives and over 600 million pages of information, much of which was classified, to Comey. FBI Special Agents Walter Giardina and William Barnett also interviewed my client, under oath, and his testimony was videoed. But despite this having occurred over two years ago, no action by Comey's FBI was taken, and the investigation was apparently buried. The reason? Comey had obviously directed his agents to "deep six" the investigation as it would show his and former FBI Director Robert Mueller's criminal conduct.

Given this obstruction and criminality, I recently filed suit on behalf of Montgomery and myself as our cellphones and computers have been obviously hacked and violated by Comey's FBI and the intelligence agency defendants in the last months, as they knew that my client, with my help, was offering his testimony to the intelligence and judiciary committees on Capitol Hill. But when Congress as usual failed to do its job, perhaps scared that the FBI and intelligence agencies would leak information harmful to senators and representatives, Montgomery and I had to take matters into our own legal hands and filed a new case before Judge Leon.

Friday, I again appeared before this courageous judge for an early status conference, and I will report on this in Freedom Watch publications that can be found at http://www.freedomwatchusa.org.

But for the time being, what can be said is that Comey, Mueller and their FBI, along with the rogue intelligence agencies, again are before the bar of justice. They and the others who have illegally violated our privacy must be held accountable under the rule of law. Indeed, if anyone has obstructed justice, it appears not to be President Trump, but his criminally minded chief accuser Comey and his equally corrupt special counsel friend Robert Mueller. And as a side note, contrary to the Kool-Aid swallowed by some ill-informed commentators in the media and elsewhere in the swamp that infests the nation's capital, these are not men of great integrity! Just ask Dennis Montgomery, my co-plaintiff!

Media wishing to interview Larry Klayman, please contact media@wnd.com.
