CIA's Ex-CISO on Preventing Leaks

Describes Controls for Systems Administrators

By , June 21, 2013.
  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
CIA's Ex-CISO on Preventing Leaks
Read Transcript

Robert Bigman, former CISO at the CIA, says many government agencies and other organizations have yet to take adequate steps to prevent rogue systems administrators from accessing sensitive information on systems they manage.

"If you don't have vigorous security oversight, you tend to fall into the trap like a lot of organizations do, that we will not have a problem and everything will work out fine," Bigman says in an interview with Information Security Media Group. He retired last year after 15 years as the chief information security officer at the Central Intelligence Agency.

In the interview, Bigman shies away from discussing specifics about the case of Edward Snowden, the former National Security Agency systems administrator who leaked information regarding two classified intelligence-gathering programs despite his top-secret security clearance [see IT Tools Available to Stop NSA-Type Leaks]. But he offers advice on how organizations can pull in the reins on systems administrators who have wide access to many systems and data.

Too often, Bigman says, organizations focus on pumping up services by increasing the number of systems administrators to assure round-the-clock coverage. Testifying at a House Intelligence Committee hearing on June 18, NSA Director Keith Alexander said the number of systems administrators at the agency has grown to about 1,000, and its leaders are mulling reducing that number to help improve security [see NSA Outlines Steps to Reduce Leaks.]

The growth in systems administrators is a problem other organizations share. "The problem is, most companies, and even government, focus more on ease of use and ease of administration as opposed to security," Bigman says.

In the interview, Bigman:

  • Explains how access privileges for systems administrators differ in Windows and Unix/Linux systems;
  • Outlines tools available to limit systems administrators from accessing information without authorization while not interfering with their assignments; and
  • Discusses how CISOs can persuade their bosses to provide the proper tools and training to assure systems administrators don't inappropriately access information.

Bigman spent nearly 25 years at the CIA, making him at his retirement the government intelligence community's most senior information security officer. During his CIA tenure, he consulted with other intelligence agencies, the National Security Council, presidential commissions and congressional oversight committees. Bigman now runs B2Secure, an IT security consultancy.

Follow Eric Chabrow on Twitter: @GovInfoSecurity

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Wanted: 800,000 Security Pros

India currently has 22,000 information security professionals, but needs 800,000 by 2020. Can the...

Latest Tweets and Mentions

ARTICLE Wanted: 800,000 Security Pros

India currently has 22,000 information security professionals, but needs 800,000 by 2020. Can the...

The ISMG Network