10.27.2013

The cloud, the NSA and some 450.000 private contractors

A recent article at forbes.com refers to an OVUM report about the increasing use of cloud IT services in financial services, due to "improvements in cloud security and a wider variety of applications, investment in cloud, by both the buy side and the sell side...". Cloud-based IT services, on the infrastructure, platform/development and as-a-service side alike, sound like a natural step, with the on-demand and flexible nature of cloud IT service provisioning and workload management fitting the cyclic or periodic needs of the finance and banking industry very well. This is all the more so as most customer interaction with banking and financial services will move to being Internet-facing or conducted via mobile terminals.

There is a range of operational security issues with cloud IT services, as well as exposure to Internet denial of service attacks and account break-ins, for most companies on the Internet. But, as the article notes, there is also the aspect of the NSA listening in on or surveilling the cloud service platforms being utilized, following transactions and account movements for US based cloud services (and most others, probably).

That is the subject for an article or an entire book in itself, but I wanted to touch upon another aspect of most US IT companies, main telcos and ISPs as well as cloud providers being part of various NSA programs (PRISM, XKEYSCORE etc.), namely the extensive use of private contractors within the NSA, like Edward Snowden himself, to perform many of the NSA's day to day operations for the programs in question.

According to many public articles (1, 2 and more), citing information publicized by the Office of the Director of National Intelligence this year, 1.2 million Americans hold top-secret clearances, and 38% of those clearances are held by private contractors. I.e. close to 500.000 contractors have top-secret clearance, like Mr. Snowden.

The head of the NSA, Gen. Keith Alexander, has gone on record saying "reporters should be prevented from 'selling' National Security Agency documents" (3). But consider that the NSA was not aware of the document downloading Mr. Snowden had done before he made it public himself, which points to somewhat lackluster system logging, incident handling and security review routines within the NSA, and add the reported widespread use of NSA surveillance tools for private endeavours inside the NSA. Isn't it then likely that over the last years some of these NSA contractors used NSA tools to spy on and extract information for personal use and financial gain (for instance early access to upcoming quarterly results or upcoming acquisitions and mergers), sold inside or critical information about one company to a competitor, or alerted management at a company where they were employed about upcoming bids, performance reviews, competitors or management changes?

Social engineering has always been the easiest and cheapest way to get access to confidential information, and that kind of engineering is bound to have happened within the NSA and among some 450.000 private contractors as well.


EJ, 27.10.2013
