WikiLeaks’ data dumps have been called “unprecedented” a number of times in the past few weeks and months, as hundreds of thousands of pages of once internal documents have found their way to the web. Unfortunately, data leakage is nothing new, and has cost millions if not billions over the years in stolen identities, lost revenue and fines. What is new is how the data leakage has been disseminated: Not over shadowy back channels or black markets, but out in the open in the public eye. WikiLeaks now seems poised to give the same treatment to a private company, but even if they weren’t, someone else will or already is using similar attack vectors at major companies around the world. The only difference is that in the WikiLeaks case, the public is made well aware of it after the fact.
Here are some tips to help minimize the possible damage on your own network.
1. Make policy, keep policy. In a wonderful dissection, Jason Perlow examines how the military’s Intranet was designed specifically to stop the exact methods Bradley Manning allegedly used to leak the documents in the first place: USB hard drives, rewritable CDs, and mixed web access were all prohibited by both policy and security software and hardware. Unfortunately, while these rules were enforced in the United States, there was a major hole in the system:
So if SIPRNet is secure, and with the NetTop 2 environment it’s impossible to copy data off to a USB flash drive or a DVD from a secure session, how the heck was Manning able to dump that data to WikiLeaks?
Well, the problem is that in this case, the US Army didn’t deploy NetTop 2 for the workstations that Private Manning had access to in Iraq. Instead, he had access to two laptops, with functional DVD writers which were directly connected to the SIPRNet and JWICS, not through secure, isolated virtual desktop sessions.
This resulted in a chink in the armor that was exposed to the wrong type of person …
Oops. Spending all the money in the world on top-of-the-line solutions won’t mean the security implements itself, and because even legitimate users often push back, hard, on security policies they view as onerous, it’s an ongoing battle. As the latest leaks show, however, it’s not one that can be ignored in favor of expediency.
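The gap described above is one between policy and deployment: the controls existed, but not on every host attached to the classified network. As an added example (not code from the original post or from any of the systems it mentions), here is a small inventory check that compares the controls each host actually reports against the controls its network class requires, and flags the hosts where the policy is not implemented. The network classes, control names and inventory records are constructed for the demo.

```python
from dataclasses import dataclass

# Constructed policy: the controls each network class requires on every
# attached host. Network and control names are assumptions for the demo.
REQUIRED_CONTROLS = {
    "classified": frozenset({"removable_media_blocked",
                             "optical_write_blocked",
                             "isolated_virtual_desktop"}),
    "unclassified": frozenset({"removable_media_blocked"}),
}


@dataclass(frozen=True)
class Host:
    name: str
    network: str
    controls: frozenset  # controls the endpoint actually reports as active


@dataclass(frozen=True)
class Finding:
    host: str
    network: str
    missing: tuple  # required controls not present, sorted


def find_gaps(hosts, required=REQUIRED_CONTROLS):
    """One Finding per host whose deployed controls fall short of policy.
    A host on a network with no policy entry is itself a finding: an
    inventory row that nobody wrote rules for must not pass silently."""
    findings = []
    for h in hosts:
        needed = required.get(h.network)
        if needed is None:
            findings.append(Finding(h.name, h.network, ("no_policy_for_network",)))
            continue
        missing = tuple(sorted(needed - h.controls))
        if missing:
            findings.append(Finding(h.name, h.network, missing))
    # Gaps on the classified side matter most; list them first.
    findings.sort(key=lambda f: (f.network != "classified", f.host))
    return findings


def compliance_rate(hosts, required=REQUIRED_CONTROLS):
    """Fraction of hosts with no findings at all."""
    if not hosts:
        return 1.0
    flagged = {f.host for f in find_gaps(hosts, required)}
    return 1 - len(flagged) / len(hosts)


# Constructed inventory: a headquarters workstation with the full stack,
# two forward laptops plugged straight into the classified network with
# writable drives still enabled, and two non-classified hosts.
SAMPLE_HOSTS = [
    Host("ws-hq-01", "classified", REQUIRED_CONTROLS["classified"]),
    Host("laptop-fwd-01", "classified", frozenset({"removable_media_blocked"})),
    Host("laptop-fwd-02", "classified", frozenset()),
    Host("ws-admin-07", "unclassified", frozenset({"removable_media_blocked"})),
    Host("kiosk-03", "guest", frozenset()),
]

if __name__ == "__main__":
    for f in find_gaps(SAMPLE_HOSTS):
        print(f"{f.host:14} {f.network:12} missing: {', '.join(f.missing)}")
    print(f"compliant hosts: {compliance_rate(SAMPLE_HOSTS):.0%}")
```

The design choice worth noting is that an unknown network class is reported rather than ignored: a laptop that never made it into the policy table is exactly the kind of host that ends up with a working DVD writer on a direct connection.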
2. Principle of least privilege and proper classification. While there have been a few major headlines based on the content of the leaked reports, the vast majority of the news has been about the scope of the leak: Hundreds and hundreds of thousands of pages, at varying levels of confidentiality and secrecy. While there are a lot of benefits to making information easy to access, risk analysis is essential. Should such a large number of people have been given access to such a massive database? Were risk scenarios ever played out? Many, if not most, of the documents would have had little conceivable use to Manning’s day-to-day operations, but these sensitive documents (now causing headaches around the world) were available to potentially millions of people (Note: I have doubts about that figure, but it appears the real number was still large). If WikiLeaks hadn’t dumped the data, someone else probably would have – or already has, quite possibly into the hands of even unfriendlier parties.
Users should be given all the access they need to do their jobs – but no more. If they need more, they can ask and be given temporary access, and that extra barrier of oversight could have nipped much of this leak in the bud. Another technique would have been to classify the documents more finely and dole out access accordingly. Many are not sensitive at all, but mixing them all in with a coarse-grained access control mechanism blurs control policies and makes it easier to conceal serious breaches amid routine usage.
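As an added example (not code from the original post), the two suggestions above can be expressed as a small access-control model: a clearance level is necessary but not sufficient, a document also belongs to a fine-grained need-to-know compartment, extra access is time-bound and must name an approver, and every decision is audited so that bulk reading stands out from routine use. The classification ladder, compartments, users and documents are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed classification ladder (an assumption for the demo).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


@dataclass(frozen=True)
class Document:
    doc_id: str
    level: str        # one of LEVELS
    compartment: str  # fine-grained need-to-know grouping, e.g. a region


@dataclass
class User:
    name: str
    clearance: str
    compartments: set                                # standing need-to-know
    temp_grants: dict = field(default_factory=dict)  # compartment -> (expiry, approver)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def grant_temporary(user, compartment, approver, hours, now):
    """Extra access is time-bound and must name an approver, so the
    oversight step is recorded rather than implied."""
    if not approver:
        raise ValueError("temporary access requires a named approver")
    user.temp_grants[compartment] = (now + timedelta(hours=hours), approver)


def check_access(user, doc, now, audit):
    """Level check first, then need-to-know: standing, or temporary and
    unexpired. Every outcome, allowed or not, lands in the audit trail."""
    if LEVELS[user.clearance] < LEVELS[doc.level]:
        decision = Decision(False, "clearance below document level")
    elif doc.compartment in user.compartments:
        decision = Decision(True, "standing need-to-know")
    elif doc.compartment in user.temp_grants:
        expiry, approver = user.temp_grants[doc.compartment]
        if now < expiry:
            decision = Decision(True, f"temporary grant approved by {approver}")
        else:
            del user.temp_grants[doc.compartment]  # expired grants do not linger
            decision = Decision(False, "temporary grant expired")
    else:
        decision = Decision(False, "no need-to-know for compartment")
    audit.append((now, user.name, doc.doc_id, decision.allowed, decision.reason))
    return decision


def distinct_docs_read(audit, user_name, now, window):
    """Distinct documents a user successfully read within the window: a
    coarse signal for bulk collection that per-document checks cannot see."""
    start = now - window
    return len({doc for ts, who, doc, ok, _ in audit
                if who == user_name and ok and start <= ts <= now})


def run_scenario():
    """Constructed walk-through; returns the outcomes and a bulk-read count."""
    t0 = datetime(2010, 12, 1, 9, 0, tzinfo=timezone.utc)
    audit = []
    cable_a1 = Document("cable-001", "unclassified", "region-a")
    cable_a2 = Document("cable-002", "secret", "region-a")
    cable_b1 = Document("cable-003", "secret", "region-b")
    analyst = User("analyst", "secret", {"region-a"})
    clerk = User("clerk", "confidential", {"region-a"})

    outcomes = [
        check_access(analyst, cable_a1, t0, audit).allowed,   # standing access
        check_access(analyst, cable_a2, t0, audit).allowed,   # level and compartment match
        check_access(analyst, cable_b1, t0, audit).allowed,   # wrong compartment: denied
    ]
    grant_temporary(analyst, "region-b", "supervisor", hours=4, now=t0)
    outcomes.append(check_access(analyst, cable_b1, t0 + timedelta(hours=1), audit).allowed)
    outcomes.append(check_access(analyst, cable_b1, t0 + timedelta(hours=5), audit).allowed)
    outcomes.append(check_access(clerk, cable_a2, t0, audit).allowed)  # level too low
    bulk = distinct_docs_read(audit, "analyst", t0 + timedelta(hours=5), timedelta(hours=8))
    return {"outcomes": outcomes, "analyst_docs_8h": bulk, "audit_entries": len(audit)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Separating the level check from the compartment check is what keeps a broad grant from sweeping in everything at that level, and recording denials as well as successes is what lets the bulk-read count be computed after the fact.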
3. Take into account the consumerization of IT. The military has typically been at the forefront of understanding and blocking consumerized IT risks, such as USB drives, Furbies and more. But in this case, those bans and policies still weren’t enough, as Manning allegedly faked listening to Lady GaGa as a pretext for his uploading. Beware Google Guerillas and all others who take IT into their own hands: They are, intentionally or not, one of the greatest points of data leakage, even as they try to boost their own productivity. The best approach here is often a mix of education, policies to discourage or prevent dangerous consumerization, and an understanding of where risks can be mitigated while making jobs easier for everyone. Pure blocking often doesn’t work, but a compromise, while still protecting your secure systems from threats, can go a long way.
So now that you’ve read my advice, how would you have prevented WikiLeaks’ latest disclosures from happening? And more importantly, what are you doing to stop the next leak from happening right on your own network?