Earlier this year, the actions of a 22-year-old brought WikiLeaks, a previously obscure website, into the public spotlight. Pfc. Bradley Manning, an Army intelligence analyst, allegedly downloaded hundreds of thousands of files from classified U.S. government computer systems onto a CD labeled "Lady Gaga" and provided them to WikiLeaks, which promptly posted them on the Internet, causing scandals within the military and diplomatic corps. The incident left many security professionals around the world wondering about the vulnerability of their own organizations to a similar attack.
While your business secrets might not be as sensational as those exposed by Private Manning, you surely have information that you wouldn't want disclosed to the public, your clients or your competitors. What lessons can you and your business take away from the recent WikiLeaks disclosures and the government's response?
The Government's Response
In the wake of the Sept. 11 attacks on the United States, the intelligence community was lambasted before Congress for compartmentalizing information in a manner that prevented analysts in many agencies from seeing the full picture of intelligence gathered from multiple sources. In their final report, the members of the 9/11 Commission stated that "even the best information technology will not improve information sharing so long as the intelligence agencies’ personnel and security systems reward protecting information rather than disseminating it." These words triggered a pendulum swing within the intelligence community toward the open sharing of information among agencies, arguably a swing that went so far as to allow Private Manning to steal hundreds of thousands of classified documents that he might not have had access to in earlier times.
So, how did the government react to the WikiLeaks disclosures? Part of their response was an effort to unring the bell — demanding that WikiLeaks remove the documents from the Internet and turn over any classified U.S. government information in the organization's possession. Not surprisingly, WikiLeaks leader Julian Assange refused those requests, claiming journalistic protections. The second half of the federal response involved a number of countermeasures designed to protect against similar leaks in the future. These steps included:
- Cutting off access from military computer networks to State Department systems;
- Blocking the use of removable media on military computer systems;
- Implementing a two-person control system that requires the collaboration of two authorized individuals to initiate a bulk transfer of classified information; and
- Installation of a host-based security system (HBSS) on military computer systems.
Some of these actions, especially the drastic cutting off of access to State Department systems, might be seen as a knee-jerk reaction that moves the government back into the protective state that the 9/11 Commission criticized so harshly. Whether or not you think the government security pendulum has swung too far in the opposite direction, there are lessons that you can learn from the federal experience with WikiLeaks.
The Lessons of WikiLeaks
Is your business in the sights of WikiLeaks contributors? Do you have a Bradley Manning on your payroll? These are the questions keeping security administrators awake at night as we turn the calendar pages to 2011. There are three specific lessons you should take to heart to protect your organization from this type of public embarrassment or corporate espionage.
1. Implement strong personnel security. This is often one of the most overlooked areas of security because, quite frankly, it's boring. Nobody wants to spend time performing background investigations on new employees or monitoring the behavior of existing staff, but this might be the single most important action you can take to protect your business data. If you stop personnel with questionable backgrounds from entering your organization in the first place, you've done quite a bit to protect yourself from the insider threat. Some of the actions you might take in this area include:
- Conducting consistent, strong background checks for any staff who will have access to sensitive information. Screenings you should consider include reference checks, criminal history searches and credit checks.
- Maintaining proactive monitoring by management for unusual or disturbing behavior. If an employee begins to act irrationally or shows major changes in lifestyle (such as an administrative assistant showing up at work driving an expensive sports car), supervisors should assess the situation and know where in the organization they can turn for help, if needed.
2. Limit access to sensitive information on a need-to-know basis. The government tried both extremes of this philosophy — locking down access very tightly and a free-for-all, everyone-can-access-everything approach. Learn from their mistakes and find a middle ground that allows staff the latitude to access information that they may need to perform their jobs but tightly limits access to the most sensitive information. Here are some specific ideas:
- Use role-based access controls to manage access to information. Rather than assigning permissions to each user on an individual basis, which can quickly become unmanageable, role-based groups allow you to assign permissions based upon roles in your organization and then assign users to those roles.
- Conduct permission audits on a regular basis. You should plan to review all of the role assignments in your organization, as well as the permissions assigned to each role, on at least an annual basis. These reviews often turn up forgotten permission settings that can be revoked or modified.
3. Build a strong technology base for your security program. Once you've hammered out a program that addresses the personnel and access issues associated with information security, use technology to monitor them on an ongoing basis. Some ideas to consider are:
- Data loss prevention (DLP) products, such as those available from Symantec or McAfee, which allow you to discover, monitor and manage confidential information in your computing environment whether on servers, endpoints, the web or e-mail.
- File server logging, which tracks access to sensitive information. This may prove invaluable in the aftermath of an incident to help you identify the perpetrator.
As the publicity fades from the WikiLeaks disclosure, it's likely that the government's security pendulum will swing back toward center. When incidents like this occur to others, they provide an excellent opportunity to reflect upon our own security programs and identify opportunities that can improve our defenses.