WikiLeaks’ continued posting of classified U.S. Department of State cables, and the whistleblower Web site’s revelation that it will soon post sensitive internal documents from a major U.S. bank , has stoked data security concerns among governments and large businesses around the world.
WikiLeaks has not disclosed how it obtained tens of thousands of State Department cables or the bank documents that it claims to hold.
However, a relatively low-level U.S. Army intelligence officer, charged in an earlier leak of classified documents to WikiLeaks, is suspected in leaking the State Department data to the site.
Private First Class Bradley E. Manning also claims to have illegally accessed and downloaded the State Department cables while stationed at a military base in Baghdad. Bradley was arrested earlier this year, after a former hacker he had confided in turned him into authorities.
Manning allegedly claimed to have had Top Secret clearance to access SIPRNET, a classified network used by the Department of Defense and the State Department, and to the Joint Worldwide Intelligence Communications System used by the two agencies for Top Secret/Sensitive Compartmentalized Information.
Even with his top secret clearance, the apparent fact that Manning was so easily able to pull off one of the largest data leaks ever, indicates serious security problems, said Tim O’Pry, CTO at the Henssler Financial Group in Kennesaw, Ga.
O’Pry, a former U.S. Air Force cryptanalyst stationed at the National Security Agency, said that based on available information, “the systems simply were poorly designed to maintain and control the information.”
Manning’s access to a significant amount of information showed that access to the highly classified networks was not controlled on a need-to-know basis, he said.
For enterprise IT managers, the WikiLeaks disclosures highlight the importance of adopting a “trust, but verify” approach to information security, O’Pry said. “This doesn’t mean you need to be paranoid or distrust your employees – just the opposite: trust, but verify. And, let them know you verify,” he added.
The financial controls in place at Henssler Financial include segmenting and restricting access to information based on job roles. All data access and attempts to access are routinely logged and checked.
“When it comes to client information, we know who looked at it, when they looked at it, and if it was printed or copied,” O’Pry said. Henssler also runs credit and background checks of all employees at least once per year to identify issues that could lead to potential problems, he added.
“The attention on disgruntled employees going postal garners mass media attention,” O’Pry said. “But for every gun-wielding maniac there are thousands of employees who get ticked off enough to do harm to a company” in other ways.
The gaps in information security that likely led to the disclosing of classified information to WikiLeaks could easily turn up in corporations as well, said Doug Powell, manager of smart grid security at BC Hydro in Vancouver.
“Even if information is appropriately classified and stored to an appropriate level, access to information requires effective monitoring,” he said.
While it is important to have properly defined roles, privileges and access levels, secondary protocols are needed to control the way data is manipulated in a trusted environment, he said.
For example, Powell said that classified data needs to contain “tags” to prevent it from moving outside of a protected domain without scrutiny or permissions. “The more sensitive the data being protected, the more layers of protection it should have” he said.
Equally important is the need for controls to monitor even the most trusted of personnel, Powell said. “Being ‘trusted’ should not imply less scrutiny, it should imply greater scrutiny given that greater trust assigned to an individual allows for a greater potential for loss,” he said.
Matt Kesner, CTO at Fenwick & West, a San Francisco based law firm, said the WikiLeaks incidents should further prove to enterprise IT managers that “secrecy can’t be assumed in data systems.”
“Clear policies, auditable systems and real management oversight are necessary to assure that secrets stay secret,” he said.
“More executives, particularly IT executives, but also those in HR, benefits, finance and marketing departments, should question” who has access to a company’s most important data, he said. “This can’t be a witchhunt. Everyone needs to know that there are usually big trade-offs between security on one hand and availability and ease of use on the other.”
The threat of data leaks by corporate insiders has long been a serious issue among security experts. Numerous studies have shown that the biggest risk to sensitive corporate data comes from careless, negligent and/or malicious insiders, not from external hackers.
Ubiquitous small removable storage devices, such as USB drives, and smart phones have greatly exacerbated the problem. Manning, for instance, is alleged to have downloaded the state department documents onto a thumb drive and rewritable disks that are easy to transport without attracting attention.
The use of such devices is exploding, according to survey results released by security vendor Credant Technologies earlier this week.
Credant’s survey of over 225 individuals found that more than half own between three and six memory sticks. and 21% own 10 or more. More than 85% of respondents said their companies allow the devices to be used corporate systems. And 10% said they have lost USB devices containing corporate data, most of whom said they did not report the loss.