WikiLeaks Raises Questions of Information Security

If you work in information security, the latest WikiLeaks controversy should have you considering how your company deals with securing its data.

Since its creation in 2006, WikiLeaks has been a lightning rod for controversy. The non-profit media company, which serves as a clearinghouse for information leaked by anonymous whistleblowers around the world, has received both high praise and scathing criticism from human rights groups and governments alike. But regardless of how you feel about WikiLeaks' mission, there is at least one lesson security professionals should take away: Your data is only as secure as your weakest link.

In April 2010, WikiLeaks released a video of classified US military footage from 2007 that showed a US helicopter in Baghdad firing upon and killing 12 people, including two Reuters employees. The release of the video led to the 2010 arrest of a US Army intelligence analyst, PFC Bradley Manning, who allegedly provided the footage and other items—including 260,000 classified US diplomatic cables—to WikiLeaks. Manning, who was based in the Middle East, allegedly accessed the information from two classified networks, to which he had access, and downloaded it to CD-RWs.

The WikiLeaks site on Sunday published a cache of 220 of the diplomatic documents allegedly leaked by Manning, some of them redacted, and has promised to publish more of the documents in the coming months.

"Lost in the political uproar and fallout over the leak of thousands of secret US documents via WikiLeaks is the fact that Private Bradley Manning was somehow able to gain access to the data and then download it onto a CD and USB drive without being detected by Pentagon security," said Kurt Johnson, vice president of strategy and corporate development at Courion, a provider of identity access management and access governance solutions. "This raises several questions, including why Manning had access to the data in the first place, and whether that access was necessary for him to perform his duties at all."

Johnson noted that reports indicate the Pentagon has taken steps to disable drives that would allow users to record and remove data, but a Pentagon spokesman has also said that officials are not yet reviewing who has access to data.

"It is absolutely crucial that access policies are defined, verified and enforced in order to safeguard critical data," Johnson said. "Least privileged access is a common practice whereby administrators give access to employees or users on an as-needed basis so that sensitive data can only be viewed by those to whom it is essential to perform their jobs. Also, identity and access management systems can be synched up with security information and events management (SIEM) software and data loss prevention (DLP) tools in order to monitor who has access to key applications and monitor what is being done with that access."

Hugh Garber, product marketing manager at Ipswitch, a developer of network management, secure file transfer and messaging solutions, agreed.

"USB drives are being called out as the big problem here," Garber said. "Blaming USB drives for data breaches is kind of like blaming white vans for bank robberies. Stop worrying about what they're using and start worrying about who has access to the data. Too many times in too many companies, all employees have access to all data."

Garber said companies need to inventory their data, determine who has access to what, and then ensure that access to data is only given to employees that need it to do their jobs.

"You can set up certain permissions," he said. "Maybe some employees have access to a file, but they're only allowed to read it."

He recommended deploying a secure file transfer server that acts as a central repository for file transfer, which can be used to set permissions for who has access to data and give IT visibility into who is accessing what data and from where.

Garber noted that employees do not need to be malicious to put a company's data at risk. He said that according to Ipswitch research, about 50 percent of employees back up files from a work computer to a personally owned device, often to bring work home with them. But once they've used the files to do what they needed to do, they often forget about them. Those devices can easily be lost or stolen.

"The biggest problem is just the workforce trying to do their jobs," said Michael Maloof, chief technology officer of TriGeo, a firm specializing in SIEM.

Maloof said that while malicious insiders often get the spotlight, it is primarily well-meaning employees attempting to be productive that present the greatest data loss risk.

"There is always a conflict between people who are trying to get their jobs done and security," he said.

To deal with that, he said, companies must have an enforceable policy combined with education.

Maloof agreed with Garber and Johnson that when it comes to securing sensitive data against leaks, the principle of "least privilege" is key.

"Everyone should be doing this today," he said. "If I shouldn't have access to information, I simply shouldn't be able to get to it."

Then there are employees who have a legitimate reason to access data, but who may also be using that data for their own purposes.

To combat such threats, Maloof said a security policy should include triggers, such as employees accessing volumes of data beyond what they need to perform their jobs, or accessing data from workstations they don't normally use.
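The two triggers Maloof describes can be expressed as a per-user baseline check over access records. The sketch below is an added example, not code from the article or from any vendor quoted in it; the event format, user and workstation names, and thresholds are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (day, user, workstation, documents_read)
BASELINE = [
    (1, "analyst1", "WS-101", 40), (2, "analyst1", "WS-101", 55),
    (3, "analyst1", "WS-101", 48), (4, "analyst1", "WS-101", 52),
    (1, "clerk7", "WS-220", 12), (2, "clerk7", "WS-220", 9),
    (3, "clerk7", "WS-221", 14), (4, "clerk7", "WS-220", 11),
    (1, "officer3", "WS-150", 30), (2, "officer3", "WS-150", 28),
]
TODAY = [
    (5, "analyst1", "WS-101", 4200),  # far above this user's usual volume
    (5, "clerk7", "WS-305", 10),      # usual volume, unfamiliar workstation
    (5, "officer3", "WS-150", 31),    # nothing unusual
]

def build_profiles(history):
    """Per-user baseline: daily read totals and the workstations seen."""
    daily = defaultdict(lambda: defaultdict(int))
    hosts = defaultdict(set)
    for day, user, host, count in history:
        daily[user][day] += count
        hosts[user].add(host)
    return {u: {"volumes": list(daily[u].values()), "hosts": hosts[u]}
            for u in daily}

def evaluate(profiles, events, sigma=3.0, min_margin=25):
    """Return sorted (user, trigger) alerts for one day's records."""
    totals, seen = defaultdict(int), defaultdict(set)
    for _day, user, host, count in events:
        totals[user] += count
        seen[user].add(host)
    alerts = []
    for user, total in totals.items():
        profile = profiles.get(user)
        if profile is None:  # no history: cannot judge, so surface it
            alerts.append((user, "no_baseline"))
            continue
        vols = profile["volumes"]
        # min_margin keeps a very steady baseline from alerting on small bumps
        if total > mean(vols) + max(sigma * pstdev(vols), min_margin):
            alerts.append((user, "volume"))
        for host in sorted(seen[user] - profile["hosts"]):
            alerts.append((user, f"new_workstation:{host}"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in evaluate(build_profiles(BASELINE), TODAY):
        print(alert)
```
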

Meanwhile, WikiLeaks moved to host its site through the Amazon Elastic Cloud Computing (EC2) service earlier this week following a crippling distributed denial of service (DDoS) attack. But Amazon dropped it on Wednesday. Amazon terminated services for the company following inquiries by the office of Sen. Joseph Lieberman (Ind.-Conn.), chairman of the Homeland Security and Governmental Affairs Committee. In a statement, Amazon said that it dropped WikiLeaks due to a violation of its terms of service, not pressure by Lieberman.

In a tweet on Friday, WikiLeaks, which has since moved to Switzerland, said, "Amazon's press release does not accord with the facts on public record. It is one thing to be cowardly. Another to lie about it."

In a statement on Wednesday, Lieberman applauded Amazon for taking action, though he also said he wished Amazon had moved sooner.

"I call on any other company or organization that is hosting WikiLeaks to immediately terminate its relationship with them," Lieberman said. "WikiLeaks’ illegal, outrageous, and reckless acts have compromised our national security and put lives at risk around the world. No responsible company—whether American or foreign—should assist WikiLeaks in its efforts to disseminate these stolen materials. I will be asking Amazon about the extent of its relationship with WikiLeaks and what it and other Web service providers will do in the future to ensure that their services are not used to distribute stolen, classified information."

Thor Olavsrud is a contributor to eSecurityPlanet.com and a former senior editor at InternetNews.com. He covers operating systems, standards and security, among other technologies.
