Worst Practices: Learning the Wrong Lessons from WikiLeaks

Security | 5 minute read | Mar 7th, 2011

The dark cloud of the WikiLeaks debacle should have a bright silver lining. The exposure of classified Department of Defense and State Department data by WikiLeaks gives us a teachable moment on information security — not just for government agencies, but for any organization that stores, handles, and processes sensitive information.

The vast amount of classified data — over 75,000 Defense Department incident reports and more than 115,000 classified diplomatic cables — and the damage caused by their exposure reveals common flaws in how organizations typically handle sensitive information. But as with past data breaches, many organizations will learn the wrong lessons. And the actions they take as a result will make their organizations less productive and, perhaps, even less secure.

They’ll severely curtail information sharing within and between their organizations. They’ll put “additional safeguards” in place to prevent insiders from exposing sensitive data. They’ll do more briefcase checks, tighten password policies, and perform internal paper audits of policy compliance.

These knee-jerk responses to an event such as WikiLeaks aren’t best security practices in any sense of the word. Instead of simply putting more locks on more doors, organizations need to start with two things:

  1. Find and fix the fundamental problems in how their workflow around sensitive data is regulated and monitored.
  2. Find and fix the fundamental problems in how existing security policies are applied and enforced.

With the benefit of retrospect, we now have a foundation that can help prevent the next WikiLeaks-style breach.

  • Reduce network complexity to apply security policies consistently. Many of the problems that made the WikiLeaks exploit possible were issues already being addressed by the DoD before the breach occurred. But because of the magnitude and heterogeneity of DoD’s networks, consistent implementation of security policies has proven difficult. Organizations can dramatically reduce security risks — even those posed by insider threats — by simplifying the physical complexity of their networks, and by reducing the number of supported configurations of systems they need to manage.
  • Use role-based access instead of clearance-level access and “communities of interest.” The alleged WikiLeaks source reportedly was astonished by the “so broad and yet so rich” data set that was made available to him. He was an intelligence analyst with a unit in Iraq, yet much of the data he is alleged to have pinched — including State Department cables regarding diplomatic relationships with countries outside the region — was irrelevant to his role, despite his Top Secret/SCI clearance. Even if some parts of the data he was working with were relevant to his role as an intelligence analyst in Iraq, there’s no conceivable reason that one analyst should have access to every document classified “Secret.” Likewise, there’s no reason for a business analyst to have access to customers’ credit card numbers when evaluating purchase patterns. In cases where there are legitimate needs for data across roles, organizations should put strict governance over auditing and continuous monitoring. Indeed, had the DoD compartmentalized information into VPNs (virtual private networks) within the secure network, the WikiLeaker’s alleged access could have been curtailed. Collaboration outside of specific geographic or operational areas of interest would not have been possible. By allowing collaboration with people actually working with data, and excluding them when their assigned tasks don’t include work with the data, the risk of a WikiLeaks-scale exposure is markedly diminished.
  • Continuously monitor information access. Having an audit trail of who accesses what information when is not alone sufficient to prevent data breaches. It’s like an idiot light on a dashboard: It glows red only after something has already happened. Organizations need to monitor what’s being done with data, and alert on behaviors that fall outside the norm. Data loss prevention (DLP) software can automate some of this monitoring. It can flag unusual volumes or types of data access by users, and prevent the transfer of metadata-tagged content off the network.
  • Control removable media. DoD officials say the data exposed by WikiLeaks was downloaded to optical disks from a computer connected to the DoD’s Secret Internet Protocol Router Network (SIPRNet). In December, the DoD reinstated a ban against using removable media with classified systems, after dropping a ban that had been imposed after a 2008 malware attack on SIPRNet. Removable media can be locked down automatically through a number of security policy enforcement tools.
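As an added illustration, not code from the original article, the following Python sketch applies the two ideas in the list above: a role defines the data regions a user legitimately works with, and a monitor flags users whose accessed volume is far above their peers’. The role names, regions, and access-log lines are all constructed for the example.

```python
from collections import Counter
from statistics import median

# Hypothetical role scopes: each role names the data regions it legitimately works with.
ROLE_SCOPE = {
    "intel_analyst_iraq": {"IRQ"},
    "diplomat_europe": {"EU"},
}

# Constructed access log, one event per line: user,role,doc_region,bytes
ACCESS_LOG = """\
alice,intel_analyst_iraq,IRQ,12000
alice,intel_analyst_iraq,IRQ,9000
carol,diplomat_europe,EU,18000
dave,intel_analyst_iraq,IRQ,20000
bob,intel_analyst_iraq,IRQ,11000
bob,intel_analyst_iraq,EU,80000
bob,intel_analyst_iraq,EU,79000
bob,intel_analyst_iraq,AFR,80000
"""

def parse_log(text):
    """Parse the CSV-style log into (user, role, region, bytes) tuples."""
    events = []
    for line in text.splitlines():
        user, role, region, size = line.split(",")
        events.append((user, role, region, int(size)))
    return events

EVENTS = parse_log(ACCESS_LOG)

def out_of_scope_events(events):
    """Role-based check: accesses to regions the user's role does not cover."""
    return [(u, r, reg) for u, r, reg, _ in events if reg not in ROLE_SCOPE.get(r, set())]

def volume_outliers(events, factor=3.0):
    """Flag users whose total accessed volume exceeds factor x the median user volume."""
    totals = Counter()
    for user, _, _, size in events:
        totals[user] += size
    baseline = median(totals.values())
    return sorted(u for u, v in totals.items() if v > factor * baseline)

def alerts(events, factor=3.0):
    """Merge both checks into a per-user set of alert reasons."""
    reasons = {}
    for user, _, _ in out_of_scope_events(events):
        reasons.setdefault(user, set()).add("out_of_scope")
    for user in volume_outliers(events, factor):
        reasons.setdefault(user, set()).add("high_volume")
    return reasons
```

A real DLP or SIEM deployment would compute the baseline per role and per time window rather than over a single static log, but the scoping and outlier logic is the same.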

These steps only work if they’re consistently applied across the enterprise, constantly refined, and consistently automated. Even the most rigorous security practices and policies fail if they’re static.

As Sanjeev “Sonny” Bhagowalia, Deputy Associate Administrator of the General Services Administration’s Office of Citizen Services and Innovative Technologies, recently said, “Compliance is a beautiful place to hide, but it doesn’t mean you’re secure.”

The more automated the implementation and adjustment of security measures are, the more effective they’ll be in the long term. And the more transparent those changes are to users, the less they’ll adversely impact the organization’s mission in the process.
