CASE STUDY: "Contractor Arrested"

CASE STUDY: "Contractor Arrested"

BRIEFING

In May 2013, Edward Snowden fled the United States for Hong Kong.  In his possession were some of the most highly classified NSA documents ever to exist.  These documents provided technical details of some of the NSA's most advanced mass surveillance programs and hacking tools.  Included in Snowden’s trove of stolen data were lists of NSA targets.  The loss of this data exposed heretofore unknown NSA cyber-espionage units, operations, and facilities.  

On August 27, 2016, the FBI raided the home of Howard T. Martin, III, an employee of the firm Booz, Allen, Hamilton (“Booz Allen”).  The firm is a major “management consulting” and private intelligence contractor to the U.S. intelligence community.  Booz Allen earned $5.5 billion in revenue in 2014.  The arrest of Martin marked the second time that a Booz Allen employee had been accused of stealing documents, files, and even source code, from the National Security Agency (NSA).  The New York Times reports that Martin,

“...stole and disclosed highly classified computer code developed by the agency ...”  

The other employee was Edward Snowden the fugitive hacker now hiding in Russia.  Reports indicate that Martin began steeling information BEFORE Snowden fled with the enormous trove of documents he subsequently leaked to the public.  When the FBI raided the home of Martin they

“discovered thousands of pages of documents and dozens of computers or other electronic devices at his home and in his car, a large amount of it classified. “

Additionally,

“digital media [found by the FBI] contained “many terabytes of information,...”

The New York Times goes on to report,

“Mr. Martin is suspected of taking the highly classified computer code developed by the agency to break into computer systems of adversaries like Russia, China, Iran and North Korea, some of it outdated.“

In December 2017, the U.S. Department of Justice announced that Nghia Hoang Pho, a 67 year-old, naturalized citizen from Vietnam, was charged with

“willful retention of national defense information. “  

Pho was part of the NSA’s highly classified hacking group known as Tailored Access Operations (TAO).  Pho’s mishandling of  information classified as

“Top Secret and Sensitive Compartmented Information”

WENT UNNOTICED FOR SIX(6) YEAR.  As Wired reports,

“Pho brought classified data and paper documents to his home between 2010 and 2015. “  

In June 2017, Air Force veteran Reality Winner was arrested.  Winner was employed with defense and intelligence contractor Pluribus International Corporation.  During her arrest,  Winner

“admitted intentionally identifying and printing the classified intelligence reporting from her office space, retaining it, and mailing it ...“  

The recipient of this highly classified purloined data was journalist Glen Greenwald of The Intercept.  It was only their publication of the data that exposed Winner’s identity.  

ANALYSIS

In each of the aforementioned cases, data loss prevention (DLP) measures were not followed.  As is so often the case, the insider threat is overlooked.  Technology allows for vendors, service providers, suppliers, and other value chain participants to be closely woven into the fabric of enterprise operations.  This intimate level of interoperability delivers obvious value and economy to all participants. The fusion also comes with additional risk as a data breach in one segment can send a shockwave through the entire value chain.

 

SUMMARY

Could this data loss been prevented?  Yes.  An comprehensive enterprise defense plan must include a layer comprised consisting of an Intrusion Detection System (IDS) or Unified Threat Management (UTM).  This system monitors hosts and the network for any Indication of Compromise (IoC).  The placement of a removal storage device is one such indication.   A tuned threat detection system would generate an immediate alert based on the aforementioned IoC.  Security, network, and management personnel would then take action on this alert based on established policy. 

 

CONCLUSION

Vigilox Security Operations Center services and solutions combines leading edge Unified Threat Management with experienced Security Analysis.   Our SOC solution seeks to provide business-builders and decision-makers with real-time visibility of host-based and network-based activities.

Tags