I have always tried to follow that old saying, "
Learn from other people's mistakes, you don't have time to make all of them yourself". Over the past year, the security and business world has had a wealth of opportunity to learn from the many data breach incidents that have impacted multiple organizations. While most of the reports have been vague with attack vector information and root causes, there are lessons to be learned around prevention, effective detection and monitoring, and efficient incident response.
Here is a recent example:
As reported by
Homeland Security Newswire, "
A yearlong investigation by the DHS Inspector General has revealed multiple instances of insider hacking at U.S. Citizenship and Immigration Services (USCIS); the inspector general found that employees had accessed management-level email and other confidential files."
"
According to the report, employees and supervisors abused logon privileges, gained unauthorized access, and even allegedly altered audit logs to delete any record of their activities. The inspector general’s investigation focused on seventeen individuals in particular, all of who were information technology specialists.
Investigators also found “hackware” on several computer drives – software that allows users to intercept sensitive information passing through the agency’s network."
"
The inspector general warned that USCIS could be putting itself at greater risk from insider threats as a result of the poorly planned $2.4 billion project to automate immigration paperwork. USCIS Transformation is designed to be an online system for the agency’s immigration records that will improve fraud detection, but the inspector general said the program is missing controls to prevent internal hacking."
What can be learned from this incident as reported? First thing, as security professionals, we need to
fully understand the main purpose and mission of the business that we work for and protect it. In this case, the "U.S. Citizenship and Immigration Services (USCIS) is the government agency that oversees lawful immigration to the United States."
The USCIS Mission Statement is:
"
USCIS will secure America’s promise as a nation of immigrants by providing accurate and useful information to our customers, granting immigration and citizenship benefits, promoting an awareness and understanding of citizenship, and ensuring the integrity of our immigration system."
Hold on! Does this mission statement map to any of the 3 core tenants of security: Confidentiality, Integrity, Availability? Can you ascertain the main reason USCIS is in business? Absolutely, yet USCIS failed to meet the objectives of it's own mission statement!
Immigration and it's policies have continued to be one of the top two political topics in the US. Identity theft continues to be the prime motive for the majority of data breaches. So, why did a $2.4 billion project to automate immigration paperwork fail to address internal fraud when it has been proven that over half of all IT fraud and incidents are the result of "
regular workers, privileged employees usually are the ones to target the company's most sensitive data."
I am going to take a guess that immigration records would be considered "sensitive data" for USCIS. This leads to our second lesson learned: do you have a data classification process in your organization? Do you know what systems process, store, and/or transmit each type of data within your organization? Do you know
who has access to each type of data,
where is the data being accessed from,
when is the data being access, and
what is being done to your data?
Collecting logs pertaining to network, system, application and database activities and actions is imperative to the success of your security program. According to the recent Verizon Data Breach report, 90 percent of the time, companies had logs available from the time of the incident, but only managed to
discover breaches in five percent of cases. Technology exists to collect, correlate, and mine logs for anomalies which may indicate an internal or external breach. These types of technologies should be coupled to your data classification and system inventory. Any system, application, and database processing, storing, and/or transmitting your sensitive data should have auditing and logging enabled and sending it's logs to a centralized
Security Information and Event Manager (SIEM) or log server.
The last lesson to be learned: access control management and auditing. Periodic audits, or the more positive saying "assurance activities", should be performed against all users, systems, and processes that pertain to your organization's sensitive data.
While we may not know or understand the overall root causes of the security failures with the new USCIS immigration system, security professionals around the world, in any organization, can use this incident report and build business cases for implementing new or enhanced policies, processes and activities within their organizations. Many organizations are "resource challenged" and prioritizing where we spend our limited resources is important. Data classification can help focus and prioritize where we spend our staff time and our budgets, and assist in building a strong strategy in protecting our organizations most sensitive assets.
