It’s a familiar tale. Boy meets girl. Boy tries to impress girl with secrets from his government job. Boy steals confidential files from his job as a counterintelligence analyst at the Defense Intelligence Agency (DIA) to give to his journalist girlfriend to boost her career. Boy is eventually arrested and charged – but only after over a year of leaks and several news stories detailing information from highly classified reports, including information on weapons systems. Unfortunately, this isn’t a story from a late-night TV thriller or spy novel. It’s the real story of what Henry Frese allegedly did from early to mid-2018 until his arrest earlier this month. If you are looking for a good example of malicious insider threats, this is it: an employee using his legitimate authorization to systems to access files and pass that information along to a third party for personal gain. It’s a nightmare scenario that can happen to any company or agency without proper controls in place.
A Malicious Insider Caught Red-handed – Well After the Fact
This latest malicious insider threat shows how reactive measures eventually help to detect and plug leaks, but that they do nothing to prevent the leak and subsequent damage from happening in the first place. When the leak involves highly valuable data such as intellectual property, regulated data, or in this case Top Secret reports with national security implications, it is not good enough to react to damage that has already been done. Post-incident tools have their place, especially when a crime has perhaps been committed, but by combining them with proactive data-centric tools both the data leak and the perpetrator can be stopped in their tracks.
Henry Frese and the Issue with Location Based Security
As well as being a good example of malicious insider threats, this incident also shows why traditional approaches to securing sensitive information are fatally flawed when it comes to protecting against a data breach of this nature. Frese didn’t hack into any systems or steal credentials. He had legitimate authority to log into the report repository. He then proceeded to search for and access files that he was not allowed to access under the agency’s written regulations. The problem was that there was no ‘technological enforcement’ in place to stop him from doing so.
This is a common issue that most organizations face. The usual approach to securing sensitive data is to put it in a location and restrict access to that location using passwords and access rights. The fundamental problem with this approach is that data can move and files can be placed in the wrong location; it’s much more effective to control access to the individual files, not the location. In this case I suspect that the approach was to contain reports of a particular classification or category, e.g. weapons systems, in a single system. At some point there was probably a compromise made between the number of secure locations within the system and the number of different classifications or categories. Having a secure folder or collaboration site for every project was likely to result in a permissions administration headache, which itself could result in security gaps. The result in this case was Frese having technical access to files that, according to the rules of the Agency, he should not have had.
Data-centric Security to the Nation’s Rescue
Note that I used the term “lack of technological enforcement” for DIA’s written policies. Data-centric protection is designed to plug that gap. On top of simple password-protected, location-based security for sensitive files, an additional layer of access protection and usage rights can be applied. This approach would have prevented Frese from being able to see the files that his role did not require him to see. Access can be denied based on multiple attributes of either the file or the user, which makes it possible to build rules that technologically enforce the nuances of an organization’s written policies.
For example, Frese would not have been able to search for and access files relating to Chinese weapons, as his girlfriend directed him to do. Regardless of his access rights to those files based on his permissions, a data-centric solution would have been able to use other attributes, such as Frese’s team membership or the sub-category of the files in question – neither of which is possible with location-based security.
Stopping Sharing Not Just Preventing Access
With the appropriate data-centric solution, the protection for those sensitive reports would not have stopped at preventing Frese from seeing the files. It’s also possible to control what users can do with a file in a variety of other ways. Perhaps the scenario at the DIA was that analysts were allowed to see all the reports, but only if they had a legitimate reason to do so, e.g. carrying out some cross-project research. In that case there are still controls that can be put in place to prevent misuse of that data. For research purposes an analyst would only need “Read Only” usage rights, as opposed to full edit rights, for the reports. This control prevents someone from copying, printing or emailing the file, cutting off the obvious routes to malicious use. This level of granular control over what someone can do with a file, independent of the permissions and access rights on the location, is only possible with data-centric solutions.
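To make the contrast between location-based and data-centric control concrete, here is an added example (not code from the original post and not NC Protect’s implementation) of a small attribute-based policy check in Python. All users, repositories, teams, categories and the clearance scale are constructed for illustration; the rule names (`clearance_rule`, `need_to_know_rule`) and the rights sets are my own choices. It shows the two points made above: an account that can reach the repository is denied a file whose team and category attributes don’t match the user’s role, and a cross-team file that the role may legitimately research comes back as view-only rather than with copy, print and email rights. Search results are filtered by the same decision, so a file the user may not view never appears in a search.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

# Constructed rights sets: what a user may do with a file once access is granted.
FULL_RIGHTS = frozenset({"view", "edit", "copy", "print", "email"})
READ_ONLY = frozenset({"view"})


@dataclass(frozen=True)
class User:
    name: str
    clearance: int                  # constructed scale: 3 is the highest level
    team: str
    repositories: FrozenSet[str]    # locations the account is allowed to log into
    research_categories: FrozenSet[str] = frozenset()  # cross-team topics the role may read


@dataclass(frozen=True)
class Document:
    doc_id: str
    repository: str
    classification: int
    owning_team: str
    category: str


# A rule takes the user and file attributes and says whether it permits the request.
Rule = Callable[[User, Document], bool]


def clearance_rule(user: User, doc: Document) -> bool:
    """User attribute (clearance) checked against file attribute (classification)."""
    return user.clearance >= doc.classification


def need_to_know_rule(user: User, doc: Document) -> bool:
    """Team membership or an explicit research category must match the file."""
    return user.team == doc.owning_team or doc.category in user.research_categories


DEFAULT_RULES = (clearance_rule, need_to_know_rule)


def location_based_rights(user: User, doc: Document) -> FrozenSet[str]:
    """The model the post criticises: being able to reach the repository grants everything."""
    return FULL_RIGHTS if doc.repository in user.repositories else frozenset()


def data_centric_rights(user: User, doc: Document, rules=DEFAULT_RULES) -> FrozenSet[str]:
    """Attribute rules layered on top of location access.

    Cross-team research access is granted as Read Only, so the file can be
    viewed but not copied, printed or emailed.
    """
    if doc.repository not in user.repositories:
        return frozenset()
    if not all(rule(user, doc) for rule in rules):
        return frozenset()
    if user.team != doc.owning_team:
        return READ_ONLY
    return FULL_RIGHTS


def search_results(user: User, docs: List[Document], rights_fn) -> List[str]:
    """Search only lists documents the caller is allowed to at least view."""
    return [d.doc_id for d in docs if "view" in rights_fn(user, d)]


# Constructed scenario: one analyst with repository access, three reports.
ANALYST = User("analyst42", 3, "counterintelligence", frozenset({"reports"}), frozenset({"cyber"}))
JUNIOR = User("analyst07", 2, "counterintelligence", frozenset({"reports"}))
DOCS = [
    Document("RPT-0001", "reports", 3, "counterintelligence", "espionage"),
    Document("RPT-0002", "reports", 3, "cyber-analysis", "cyber"),
    Document("RPT-0003", "reports", 3, "weapons-analysis", "weapons-systems"),
]

if __name__ == "__main__":
    for d in DOCS:
        print(d.doc_id, "location:", sorted(location_based_rights(ANALYST, d)),
              "data-centric:", sorted(data_centric_rights(ANALYST, d)))
    print("location-based search:", search_results(ANALYST, DOCS, location_based_rights))
    print("data-centric search:  ", search_results(ANALYST, DOCS, data_centric_rights))
```

Running it shows RPT-0003 with full rights under the location model and no rights under the attribute model, RPT-0002 reduced to view-only, and the weapons report disappearing from the data-centric search listing.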
Dissuading Unauthorized Sharing
Even if all those other controls were in place, perhaps Frese was so determined to help advance his girlfriend’s career that he would still have taken the risk of sharing the files. Even if the files were set to “Read Only” and copy/paste and print screen were disabled, he could still have taken a photograph of the reports on his screen.
Nucleus Cyber’s data-centric solution NC Protect has a unique capability that may have dissuaded him, or at least would have made it difficult for his journalist girlfriend to use the reports. Thanks to the dynamic way that our solution encrypts and protects files, it’s possible to insert a custom watermark at the time the user accesses the file. Instead of using a simple word or phrase such as Top Secret stamped all over the file, NC Protect inserts the username and the date and time of access, as well as any other custom details. This digital thumbprint may have been enough to cause Frese to think twice about his actions, or perhaps his girlfriend would have seen it as posing too much risk.
The DOJ spokesperson said that they had caught Frese red-handed. With our dynamic watermark capability, they literally would have done so.
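The following Python is an added example of the dynamic, per-access watermark idea; it is not NC Protect’s code and does not describe how that product implements the feature. It stamps each page of a text document with the username, access time and document id at render time, so every copy is unique to the access event, and it adds a short keyed tag (an HMAC, my own design choice and not something the post attributes to the product) so that a mark found on a leaked page can be checked against the protection service’s key: a forged or edited mark naming a different user fails verification. The pages, username, document id and key are all constructed.

```python
import hmac
import hashlib
from datetime import datetime, timezone
from typing import List, Optional

MARK_PREFIX = "[[ACCESS"
MARK_SUFFIX = "]]"

# Hypothetical server-side secret. Constructed value; in a real deployment it
# stays inside the protection service and never reaches the viewer.
WATERMARK_KEY = b"example-key-not-for-production"

# Constructed two-page document standing in for a report.
SAMPLE_PAGES = [
    "Line 1 of page one\nLine 2 of page one\nLine 3 of page one",
    "Line 1 of page two\nLine 2 of page two",
]


def _stamp(accessed_at: datetime) -> str:
    """Normalise the access time to UTC, second precision, for a stable string."""
    return accessed_at.astimezone(timezone.utc).isoformat(timespec="seconds")


def access_tag(username: str, stamp: str, doc_id: str, key: bytes = WATERMARK_KEY) -> str:
    """Keyed tag binding user, time and document; truncated to keep the mark short."""
    msg = f"{username}|{stamp}|{doc_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def build_mark(username: str, accessed_at: datetime, doc_id: str,
               extra: Optional[str] = None, key: bytes = WATERMARK_KEY) -> str:
    """One watermark line: who, when, which file, tag, and optional custom detail."""
    stamp = _stamp(accessed_at)
    fields = [username, stamp, doc_id, access_tag(username, stamp, doc_id, key)]
    if extra:
        fields.append(extra)
    return f"{MARK_PREFIX} " + " | ".join(fields) + MARK_SUFFIX


def watermark_page(text: str, mark: str, every: int = 2) -> str:
    """Put the mark at the top of the page and after every `every` content lines."""
    lines = text.splitlines()
    out = [mark]
    for i, line in enumerate(lines, start=1):
        out.append(line)
        if i % every == 0 and i < len(lines):
            out.append(mark)
    return "\n".join(out)


def apply_watermark(pages: List[str], username: str, accessed_at: datetime, doc_id: str,
                    extra: Optional[str] = None, every: int = 2) -> List[str]:
    """Render every page with the same per-access mark; this is done at access time."""
    mark = build_mark(username, accessed_at, doc_id, extra)
    return [watermark_page(p, mark, every) for p in pages]


def parse_mark(line: str) -> Optional[dict]:
    """Recover the fields from a mark line; None if the line is not a mark."""
    if not (line.startswith(MARK_PREFIX + " ") and line.endswith(MARK_SUFFIX)):
        return None
    body = line[len(MARK_PREFIX) + 1:-len(MARK_SUFFIX)]
    fields = body.split(" | ")
    if len(fields) not in (4, 5):
        return None
    return {"username": fields[0], "stamp": fields[1], "doc_id": fields[2],
            "tag": fields[3], "extra": fields[4] if len(fields) == 5 else None}


def parse_marks(page: str) -> List[dict]:
    return [m for m in (parse_mark(l) for l in page.splitlines()) if m is not None]


def verify_mark(line: str, key: bytes = WATERMARK_KEY) -> bool:
    """Recompute the tag with the service key; an edited or forged mark fails."""
    m = parse_mark(line)
    if m is None:
        return False
    expected = access_tag(m["username"], m["stamp"], m["doc_id"], key)
    return hmac.compare_digest(expected, m["tag"])


if __name__ == "__main__":
    when = datetime(2019, 10, 15, 14, 2, tzinfo=timezone.utc)  # constructed access time
    for page in apply_watermark(SAMPLE_PAGES, "analyst42", when, "RPT-0001", extra="ticket=constructed"):
        print(page, "\n---")
```

The verifier side only needs the mark line and the key: a photograph of a screen still shows the repeated marks, and each one names the account and the minute of access, which is the point the post makes about being caught red-handed.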
Preventing Malicious Insider Threats
The Frese case is a very good example of, and a warning to all about, the risks of malicious insider threats. It highlights how someone with legitimate access to sensitive data can easily abuse that privilege for personal gain. The specifics of the scenario are not unique to a particular industry. Although this example relates to classified government files and leaks to the press, it could easily have been a story of insider trading or intellectual property theft. The warning, and the potentially damaging outcomes, are the same for any organization.
It also highlights that there’s a better way to protect sensitive information – proactive data-centric security. While traditional security tools still serve a purpose, when it comes to insider threats it makes a lot more sense to stop a leak from happening in the first place than to detect and respond to a breach months later.