Wikileaks' story increases Internet security concerns
December 6, 2010
The very controversial website Wikileaks has continued posting classified U.S. Department of State documents, and the whistleblower site's revelation that it will soon post additional sensitive internal documents from a major U.S. bank is rapidly increasing Internet security concerns among governments and large businesses around the globe.
To this day, Wikileaks still hasn't disclosed how it obtained tens of thousands of State Department documents or the bank documents that it claims it holds.
But now a low-level U.S. Army intelligence officer, charged in an earlier leak of classified documents to Wikileaks, is suspected of leaking the State Department data to the Wikileaks site, a federal felony.
Bradley Manning also claims to have illegally accessed and downloaded the State Department cables while stationed at a military base in Baghdad. Manning was arrested earlier this year, after a former hacker he had confided in turned him in to the U.S. authorities.
In a security pro's online conversations with the ex-hacker, Adrian Lamo, Manning is alleged to have boasted about the unprecedented access he had to classified networks for up to fourteen hours a day.
Manning allegedly claimed to have had Top Secret clearance to access SIPRNET, a classified network used by the Department of Defense and the State Department, and the Joint Worldwide Intelligence Communications System used by the two agencies for Top Secret/Sensitive Compartmented Information.
Even with his Top Secret clearance, the apparent fact that Manning was so easily able to pull off one of the largest data leaks ever indicates serious security problems, said Tim O'Pry, CTO at the Henssler Financial Group in Kennesaw, GA.
O'Pry, a former U.S. Air Force cryptanalyst stationed at the NSA (National Security Agency), said that based on available information, "the systems simply were poorly designed to maintain and control the information."
Manning's access to a significant amount of sensitive data showed that access to the highly classified networks was not controlled on a need-to-know basis as it should have been, he said.
The critical gaps in sensitive information security that likely led to the disclosing of classified information to WikiLeaks could easily happen in businesses and various other organizations as well, said Doug Powell, manager of smart grid security at BC Hydro in Vancouver.
For enterprise IT managers, the Wikileaks disclosures greatly underscore the importance of adopting a "trust, but verify" approach to information security, O'Pry said. "This doesn't mean you need to be paranoid or distrust your employees - just the opposite: trust, but verify everything to be on the safe side.
"Additionally, make sure you let them know that you verify everything," he added.
The financial controls in place at Henssler Financial include segmenting and restricting access to information based on job roles. All data access and attempts to access are routinely logged and checked.
"When it comes to client data, we know who looked at it, when they looked at it, and if it was printed or copied," O'Pry said. Henssler also runs credit and background checks of all employees at least once per year to identify issues that could lead to potential problems, he added.
"The attention on unhappy or disgruntled employees voicing their frustrations or issues garners mass media attention," O'Pry said. "But for every unhappy employee there are thousands of other employees who get ticked off enough to do harm to an employer in other ways, and that is what's really important here."
"Even if sensitive information is appropriately classified and stored to an appropriate level, access to information requires effective monitoring and simply should not be made available to people that don't have security clearance to it," he said.
And while it is important to have properly defined roles, privileges and access levels, secondary protocols are still needed to control the manner in which data is manipulated, copied, printed or emailed in a trusted environment, he said.
For instance, Powell said that classified data needs to contain "ID tags" to prevent it from moving outside of a protected domain without scrutiny or permissions. "The more sensitive the data being protected, the more layers of security it should have," he said.
Equally important is the ultimate need for controls to monitor even the most trusted and the highest-ranking personnel, Powell insisted. "Being 'trusted' should not imply less scrutiny, it should imply greater scrutiny given that greater trust assigned to an individual allows for a greater potential for loss," he said.
Matt Kesner, CTO at Fenwick & West, a San Francisco-based law firm, said that the Wikileaks incidents should further prove to enterprise IT managers that "100 percent secrecy simply cannot be assumed in any IT system today."
More executives, particularly IT executives, but also those in human resources, benefits, finance and especially marketing departments, should all question "who has access to a company's most important data," he said. "This can't be a witchhunt. Everyone needs to know that there are usually big trade-offs between security on one hand and availability and ease of use on the other."
The imminent threat of data leaks by corporate insiders has long been a serious issue among security experts, and one that continues to keep them up at night. Numerous studies have proven that the biggest risk to sensitive corporate data comes from careless, negligent and/or malicious insiders, and not from external hackers.
Ubiquitous small removable storage devices, such as USB drives, and smartphones have greatly exacerbated security issues in the last year. Manning, for instance, is alleged to have downloaded the State Department documents onto a thumb drive and rewritable disks that are easy to transport without attracting attention.
Source: B.C. Hydro.