WikiLeaks stands as a warning for all of us responsible for protecting the digital assets and intellectual property (IP) of our organizations.
It is tempting to think that WikiLeaks, and the explosion of similar whistleblower and vigilante sites, as only interested in information from government, military, or political organizations. But a recent Forbes interview with WikiLeaks founder Julian Assange has a warning for us all.
Assange told Forbes that his organization has document stashes from major pharmaceutical, financial, and technology companies, and that the number of internal documents being leaked to WikiLeaks is exploding exponentially.
The handwriting is on the wall. Corporate America can no longer regard leaks as occasional aberrations happening to a handful of unfortunate government targets. We live in an age of consumerization, where mission-critical systems are increasingly accessible to anyone with a web-savvy device and a logon; where consumer apps are regularly processing enterprise data.
It’s now possible for any disgruntled employee to digitize or download sensitive documents using nothing more than a smartphone, tablet, or thumb drive. Likewise, they can digitally record phone calls and meetings surreptitiously. And they can photograph or videotape facilities, security procedures and even logon sequences using easily concealed consumer devices.
What they steal they can publish worldwide, anonymously, with ease and speed. It takes just minutes to marshal a blog, microblog, social network, or wiki to organize, publish, share, and promote purloined information. A few years ago, this type of data extraction, transformation, and loading was the domain of data warehousing and knowledge management experts. Now anyone with an axe to grind, access to corporate assets, and consumer technology can do it.
The threat is not exclusively from employees, activists, or competitors. As a recent article in The Philadelphia Inquirer pointed out, consumers — your customers — are using smart devices and social media to conduct and publish surveillance on the organizations they deal with.
The likelihood that your organization will fall victim to these activities rises by the day. What is happening with WikiLeaks and similar crowdsourced services is a perfect storm of poor (read: obsolete) security policies colliding with the consumerized enterprise. Recognizing this risk, there are specific actions that your organization can take today to secure its IP. These include:
A Broader Threat Profile
Let’s consider each of these bullet points individually, starting with the threat itself. We spend a lot of time and effort protecting our organizations from outside threats, but the source of the material posted on WikiLeaks was an insider — a private first class with authorized access to the information (though certainly not the authorization to download it and publish it).
We need to realize that the trusted insider is as legitimate a threat as the untrusted outsider. Insiders have the access and opportunity to find and use proprietary information that could do real damage when placed in the wrong hands.
Obviously, employees need access to information to do their jobs. But we often give them access to a lot more data than they really need, and we often fail to review that access and update it accordingly over time. We must expand our focus in security beyond simple data protection, data security, and identity management.
It is no longer sufficient to simply authenticate that users are who they say they are. We also need to know exactly what information they should have access to as part of their job responsibilities. And we need to know what they are doing with that information, and where they are doing it.
This starts by adopting the notion that data is in a hostile or unknown environment even when inside our own firewall on our own internal network. We have to be able to protect that data at all times. From an enterprise perspective, we need to secure data while it is at rest, in motion, and in use.
As an example, there is a wealth of general information about the U.S. government to be found on the Internet as well as floating around internally throughout the government. All of it seems innocuous in and of itself. But it’s been said that an antagonist could piece all that information together, and suddenly gain a fuller picture of what could be classified information.
Businesses have this same problem. There might be a lot of sales, marketing, opportunity, portfolio, or strategy documents that, on their own, might be fine to disseminate to an organization internally or externally.
But anyone with an agenda could snoop around using the organization’s social and enterprise collaboration tools, its website, its various public feeds (Twitter, LinkedIn, job boards and postings, etc.) and start piecing together a bigger picture. Soon they might be able to connect the dots of a strategic plan that should be closely held and well secured.
Extending Endpoint Security to Consumer Devices
What can be done in an era when a tiny thumb drive or smartphone can be used to bring a secure network to its knees? Clearly we need to extend security to cover the new consumer devices of today and those to come.
The first step with smartphones is to authenticate that the user is who he says he is. With mobile devices, identity management is a bit more difficult. You can’t necessarily use a smart card to allow an on-site or remote employee to swipe an ID card and connect securely.
That said, we can implement policies that extend to these devices. We can put a digital certificate on them, so we know the smartphone is a trusted device that’s permitted to connect to our network and get e-mail, for example, or browse certain network shares.
We might have additional layers of security as well. We can have a policy that requires a complex password or touch-screen gesture to access the device. We can require the device to automatically lock itself and require the user to re-authenticate after some period of time or inactivity. And we can enforce these policies for any device that connects to our networks, even if the devices are owned by the employee.
Biometrics is becoming an option for smartphones, tablets, netbooks, and laptops that have integrated cameras and microphones (and today, most new devices do). First and foremost, requiring the capture of a digital photo at logon can associate a face with the transaction. And the built-in audio/video capabilities of mobile computing devices are getting so good that companies can start considering using them for face, image, and voice authentication.
When dealing with smartphones and tablets specifically, organizations can use integrated GPS and other location services to control what information can be disseminated to users. Consider an attempt to access a confidential report via an iPhone. The request originates from a location that, according to the user’s access profile, is not on a list of approved locations or does not otherwise fit the user’s movement pattern.
The request is therefore suspect. Maybe it’s not really the employee or the employee’s device. Or perhaps the device was lost or stolen. It could easily be someone else trying to impersonate the employee to access the information. Since the request originates outside the scope of the employee’s authorized locations, the request can be denied, or additional authentication measures can be required (i.e., multi-factor authentication).
Let’s take it a step further. Suppose we’re in a company facility that has tight digital rights management on its data to prevent unauthorized printing, e-mailing, or downloading of documents. The loophole: The employee’s mobile phone or tablet has a high-resolution camera on it. It’s a simple matter to snap photos of documents or screens and neutralize the DRM protections.
But what if the facility has a location-based policy and supporting technology in effect? A policy that uses location-based services will disable the camera on any device the moment anyone enters the facility. When they leave the building the camera will function normally. The process is invisible and unobtrusive to the user, and closes one of the bigger security loopholes evident in most organizations today.
Yet another use of location-based policy might be to allow employees to view and edit documents on their screen while they are within a secure facility, but prohibit that data from being stored locally, and deny access entirely when they are not within the building.
An analogous approach is to look for changes in an employee’s usage patterns. There are quite a number of tools becoming available that can analyze employees’ work patterns — what files they access, how many e-mails they send, what kind of attachments they send, who they communicate with, what internal and external resources they access, where they work, and so on.
When an anomaly is detected, the security team could be alerted to the anomalous behavior, and check to ensure that it was a legitimate business activity. Maybe it’s legitimate, and the employee is simply working with a new team in a different part of the building, and must work with people and documents they didn’t need to before. Or maybe they’re downloading a few gigabytes of secret diplomatic cables.
Keeping Pace with Changing Threat Profiles
The pace of change in consumer technology is breathtaking. Security policies need to keep up. If they don’t, there is only one outcome: The organization will be vulnerable. This is the most important rule to bear in mind.
The trouble is, most organizations will do the absolute minimum to meet compliance requirements. With financial institutions, they often build into their financial model the level of fraud that is acceptable for them to still make a profit. They only begin looking at security solutions when the fraud threatens their ability to make money. Sadly, they’re not alone in this mentality.
WikiLeaks has changed the equation by increasing the potential damage and the risk of IP theft. The consumerization of devices and applications is driving a new and evolving threat profile — one that demands unceasing diligence and evolution of policy, and the technology required to support it.