U.S. Customs and Border Protection data leaked – a PAM solution might have saved the day

The Case

On June 11th, 2019 NBC News portal published a story about an information leak at U.S. Customs and Border Protection (CBP). In a nutshell, images of travellers and vehicle plates, presumably collected at points of entry, have been copied to a subcontractor’s network in violation of government policies and without the agency’s authorization. This was a typical data breach by the third party and was serious enough to get members of Congress informed by the CBP. NBC does not state how long it took CBP to discover that their data had been leaked and how they found out about it – we can only assume that someone approached the CBP with the evidence ofa data leak with samples sourced from outside of the CBP network. Hopefully, it was a routine audit they performed which uncovered the incident. Still, it’s far too late to learn about data being transferred out of any government agency even on a weekly basis.

The Problem

Letting external contractors into your network is dangerous enough – unless you adequately prepare your IT infrastructure for it. You have to “give” your data to them and then rely on agreements, written policies and the integrity of their operations for them not to pass the information to the outside. It all boils down to trust, and as you know and NBC News proved it, your trust may be abused. Sensitive information, like financial data, health care records or in this case border crossing records, should be handled with great care and a PAM solution is perfect for this task.

The Solution

So, how could a PAM solution like Fudo have prevented all this? First off, by letting the external contractors know that their sessions are being monitored, efficiency and adherence to security policies are increased. This is why we to disable NLA authentication and instead let users see PAM’s login screen when connecting to servers. This works best with PAM acting as a jump station which requires the user to enter the server’s IP address and not letting them connect directly. With some personalisation added, for example, a nice government agency logo and privacy and security notice in uppercase, there is no way for a contractor to “forget” that they’re being observed and thus “trusted” to do no harm nor violate agreements.

However, let’s suppose that a person has malicious intentions and was paid by “some Darkweb representatives” to retrieve sensitive data from the company they’re working for. Using session pre-defined policies, you can easily spot actions that are performed on the server side – maybe a server name or network drive path is typed in that the contractors aren’t supposed to access or they run “cmd” or “sudo” command on the server on which they’re not supposed to get administrative access to.

A PAM system can help considerably when it comes to making a security officer aware that something unexpected is happening on the servers. Furthermore with the AI module being employed, for example in the upcoming Fudo PAM 4.0 release, even unusual behaviour can be spotted and you’ll get a red light in PAM or in your SIEM system (if you connect the two). For those who don’t kn

ow yet, the AI module will create session’ profiles for a particular user and anything suspicious will bump up the “session warning” score shown in the session list or via an API – IN REAL-TIME!

This switch from “let’s check the logs and find out who did it” to “let PAM watch for breaches” approach is at the core of our company’s mission.

Why not try it out for yourself! We’ll be happy to show you a demo for Fudo PAM guarding your data. Please contact sales@fudosecurity.com.

One of our team members will contact you and set everything up for you.

Read the original NBC News story here:

https://www.nbcnews.com/tech/security/u-s-customs-says-traveler-images-exposed-cyberattack-n1016011

(jrme)