Back in September the Swiss attorney general Michael Lauber and chief prosecutor Carlo Bulletti invited speculation by announcing that an employee of the Swiss intelligence services was involved in ‘a serious matter of economic sabotage’ posing a security threat to Switzerland, and wanted to sell stolen data ‘to foreign countries.’ No other countries were mentioned, and the effect was downplayed. “All the stolen data was retrieved and its transfer to third parties was prevented,” reported Switzerland’s news site, The Local.
Now it emerges that the theft was larger and the potential consequences greater than originally thought. According to Reuters, “Secret information on counter-terrorism shared by foreign governments may have been compromised by a massive data theft by a senior IT technician for the NDB, Switzerland's intelligence service.” Those foreign governments apparently include the US CIA and the UK’s MI6, the Secret Intelligence Services that deals with foreign intelligence – both of whom routinely share intelligence with Switzerland’s NDB.
It seems that the unnamed employee was an IT technician with admin rights to the entire NDB database, and was disgruntled that his input on the operation of IT services was not taken sufficiently seriously. The implication is that he acted more out of pique than in a planned act of espionage – he simply downloaded the data and walked out with it. “Investigators believe the technician downloaded terabytes, running into hundreds of thousands or even millions of printed pages, of classified material from the Swiss intelligence service's servers onto portable hard drives. He then carried them out of government buildings in a backpack,” reports Reuters.
He was caught, not because of the theft, nor even because the agency’s security software detected anything anomalous, but because the UBS Swiss bank became suspicious of attempts to open a new numbered bank account that was traced back to the employee. While the authorities are convinced that no data has been passed to any third party and that all of the stolen data has been recovered, nevertheless the attempted bank account implies an intention to sell the data – and it is impossible to tell how far down that route the employee had proceeded. It would seem that the bank’s security systems were more effective than the intelligence agency’s security.
The incident reinforces one of security’s great concerns: the insider threat. Questions will be asked on why HR staff checks did not detect a member of staff with apparent personality problems (he would apparently not turn up for work after disagreements); why no internal log management/SIEM software did not highlight the download of terabytes of data; and whether behavioral analysis could or should have connected downloads with absence.
“This incident highlights the fact that it’s not just the external threats people should be worried about,” Frank Coggrave, general manager at Guidance Software told Infosecurity; “it’s the internal threat. It’s the people you trust who are the most dangerous.” He draws a parallel with Bradley Manning walking out with the US data ending up on Wikileaks. No amount of security software would have prevented this simply because the employee had authorized access.
But the right security and policies should have detected it far quicker. Tal Be’ery at Imperva suspects inadequate ‘segregation of duties.’ SoD, he suggests, would ensure that “the data owner (in that case the culprit DBA) cannot be the data controller (monitoring access to prevent fraud.) Clearly in this case SoD policy was breached since no one was monitoring the DBA actions.”
Professor John Walker, chair of London chapter of ISACA, thinks that observational behavioral analysis should have come into play. “There have been many high profile cases where the change in the ‘normal’ routine of behavior patterns should have indicated something was wrong – this ranges from a past head of the CIA, through to a Chief Designer at a global automotive supplier where the concerned were operating out of character, yet it went unnoticed.” Body language, he suggests, is another area worth exploring.
A. Singh, member of the London chapter ISACA security advisory group, suggests that, “Simple log analysis – looking for anomalous behavior – would have been able to help in this detection; although that would have depended on them having appropriate use cases before hand.”
Tal Be’ery explained further: “Behavioral analysis would have helped very much in this case as access aimed at massively exfiltrating data has some very different characteristics compared to routine access. Massive exfiltration is nonselective in its target (copies/selects all), it is continuous rather than sporadic, and may occur at an unusual time. Routine access, however, is selective (accesses only specific data), is irregular rather than continuous, and usually occurs during work hours.”
All in all, the Swiss security agency will have some serious questions to answer about its own security – especially since it had to be notified by an outside organization (the UBS bank) that there was a potential problem.