Here are some tips to helping minimize possible damage on your own network.

1. Make policy, keep policy. In a wonderful dissection, Jason Perlow examines how the military’s Intranet was designed specifically to stop the exact methods Bradley Manning allegedly used to leak the documents in the first place: USB hard drives, rewritable CDs, and mixed web access were all prohibited by both policy and security software and hardware. Unfortunately, while these rules were enforced in the United States, there was a major hole in the system:

So if SIPRNet is secure, and with the NetTop 2 environment it’s impossible to copy data off to a USB flash drive or a DVD from a secure session, how the heck was Manning able to dump that data to WikiLeaks?

Well, the problem is that in this case, the US Army didn’t deploy NetTop 2 for the workstations that Private Manning had access to in Iraq. Instead, he had access to two laptops, with functional DVD writers which were directly connected to the SIPRNet and JWICS, not through secure, isolated virtual desktop sessions.

This resulted in a chink in the armor that was exposed to the wrong type of person …

Oops. Spending all the money in the world on top-of-the-line solutions won’t mean the security implements itself, and because even legitimate users often push back, hard, on security policies they view as onerous, it’s an ongoing battle. As the latest leaks show, however, it’s not one that can be ignored in favor of expediency.

2. Principal of least privilege and proper classification. While there have been a few major headlines based on the content of the leaked reports, the vast majority of the news has been about the scope of the leak: Hundreds and hundreds of thousands of pages, at varying levels of confidentiality and secrecy. While there are a lot of benefits to making information easy to access,  risk analysis is essential. Should such a large number of people have been giving access to such a massive database? Were risk scenarios ever played out? Many, if not most, of the documents would have had little conceivable use to Manning’s day-to-day operations, but these sensitive documents (now causing headaches around the world) were available to potentially millions of people (Note: I have doubts about that figure, but it appears the real number was still large). If WikiLeaks hadn’t dumped the data, someone else probably would have – or already has, quite possibly into the hands of even unfriendlier parties.

Users should be given all the access they need to do their jobs – but no more. If they need more, they can ask and be given temporary access, but that extra barrier of oversight could have nipped much of this leak in the bud. Another technique would have to more finely classified and doled out access to the documents. Many are not sensitive at all, but mixing them all in with a roughly-grained access control mechanism blurs control policies and makes it easier to conceal serious breaches amid routine usage.

3. Take into account the consumerization of IT. The military has typically been at the forefront of understanding and blocking consumerized IT risks, such as USB drives, Furbies and more. But in this case, those bans and policies still weren’t enough, as Manning allegedly faked listening to Lady GaGa as a pretext for his uploading. Beware Google Guerillas and all others who take IT into their own hands: They are, intentionally or not, one of the greatest points of data leakage, even as they try and boost their own productivity. The best approach here is often a mix of education, policies to discourage or prevent dangerous consumerization, and an understanding of where risks can be mitigated while making jobs easier for everyone. Pure blocking often doesn’t work, but a compromise, while still protecting your secure systems from threats, can go a long way.

So now that you’ve read my advice, how would you have prevented WikiLeaks’ latest disclosures from happening? And more importantly, what are you doing to stop the next leak from happening right on your own network?

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

5. Once in awhile, shake things up. Don’t always have the same employees doing the same things. Theft often comes to light when a person stops working in his or her usual position for a few weeks and doesn’t have the opportunity to cover up any improprieties. Have a manager fill in for employees who are out sick or on vacation. Switch crews around periodically. Move managers between divisions. Enforcing mandatory vacations can be one the best tools for catching crooks.

(emphasis mine)

Mandatory vacations to catch crooks? Sounds like a win-win to me. It’s also not a bad way to make sure your disaster recovery (DR) plan has position redundancy: If Steve is the only Cisco sensei you have, you need to make sure someone else gets prepared to hold down the fort if, say, a nasty case of Swine Flu hits unexpectedly.

Any other cybercrime prevention strategies you’ve seen? Let me know in the comments, or directly at Michael@ITKnowledgeExchange.com.