Wikileaks and the authorized insider threat
Data security beyond DLP requires orchestration of many moving parts, say Craig Shumard and Serge Beaulieu
By Craig Shumard and Serge Beaulieu
January 13, 2011 — CSO —
The recent military and U.S. State Department Wikileaks fiasco epitomizes a key challenge to data security and privacy today: the authorized insider threat.
Massive quantities of secret documents were taken and leaked to Wikileaks: 250,000 embassy cables, 91,000 documents relating to the Afghanistan war, and almost 400,000 documents relating to the Iraq war. And this may just be the tip of the iceberg—Wikileaks founder Julian Assange reportedly has an encrypted 1.4 gigabyte 'insurance' file that will be decrypted and leaked if he dies.
All this information came from 'authorized users'. Allegedly, a low-level intelligence analyst, an Army private no less, had access and downloaded all the Iraq and Afghanistan war documents to CDs or DVDs. He may also be responsible for the State Department leak.
The authorized insider threat is not unique to the government or the military. All organizations are susceptible—virtually any organization that has sensitive business information such as earnings releases, merger and acquisition plans, strategic plans, attorney/client documents, personally identifiable information, sensitive internal emails, et cetera, is at risk. Notably, Wikileaks has said that their next target for posting whistle-blowing documents will be a large US financial institution.
Moreover, not all leaked information has to be sensitive to be damaging. Damage may occur from leaked intellectual property, or embarrassing things such as blunt emails that can be taken out of context, or internal debates on controversial issues that are not meant for public consumption.
Even if an organization knows who has access to what, can it know what its employees actually did: which documents they read, printed, or copied?
Why organizations are at risk
Organizations are at risk because they have both sensitive information and people who have authorized access to it. Even assuming that access to sensitive information is adequately protected, organizations are still at risk, because a determined disgruntled or uninformed authorized user can still find ways to steal or lose information.
The challenge is to evolve the layers of information security defenses to reduce that exposure.
We know that the government and the military have the essential security safeguards in place. They classify their information, restrict access to it using role-based or other discretionary access controls, have policies and procedures to properly handle classified information, and have network technical safeguards—to name a few. Yet a massive leak still occurred.
Why weren't these massive leaks, at a minimum, detected, and, optimally, prevented? The simple reason is that information security practices and tools have not kept pace with the threat.
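The article's point is that knowing who may access documents is not the same as knowing what authorized users did with them, and that a bulk download should at least be detectable. The following is an added example, not code from the article or its authors, of the kind of audit-log review that would surface such activity: it compares each user's document volume in a review window against their own baseline and separately flags bulk copies to removable media. The event format, the user names (analyst_a, analyst_b), the thresholds, and the sample log itself are all constructed assumptions for the example.

```python
"""Audit-log review for authorized-insider activity (added example).

Assumptions, all constructed for this example:
  - each audit event is a dict with ts (ISO-8601), user, action
    ('read' | 'print' | 'copy'), doc, and dest ('network',
    'removable', or None);
  - a user's normal per-day volume is estimated from a baseline window;
  - the review window is flagged when volume exceeds `multiplier` times
    that baseline, or when copies to removable media exceed a threshold.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

# Constructed windows: five baseline days, then a single review day.
BASELINE = (date(2011, 1, 3), date(2011, 1, 7))
REVIEW = (date(2011, 1, 8), date(2011, 1, 8))


def constructed_events():
    """Build a constructed six-day audit log (not real data).

    analyst_a reads a few documents every day; analyst_b behaves the same
    for five days, then reads 40 documents and copies all of them to
    removable media on the sixth day.
    """
    events = []
    day0 = date(2011, 1, 3)
    for d in range(6):
        day = day0 + timedelta(days=d)
        for i in range(3):
            events.append({"ts": f"{day}T09:{i:02d}:00", "user": "analyst_a",
                           "action": "read", "doc": f"cable-{d}-{i}", "dest": None})
        n = 4 if d < 5 else 40
        for i in range(n):
            events.append({"ts": f"{day}T10:{i:02d}:00", "user": "analyst_b",
                           "action": "read", "doc": f"report-{d}-{i}", "dest": None})
            if d == 5:
                events.append({"ts": f"{day}T11:{i:02d}:00", "user": "analyst_b",
                               "action": "copy", "doc": f"report-{d}-{i}",
                               "dest": "removable"})
    return events


def per_user_counts(events, start, end):
    """Count actions per user for events whose date falls in [start, end]."""
    counts = defaultdict(Counter)
    for e in events:
        day = datetime.fromisoformat(e["ts"]).date()
        if start <= day <= end:
            counts[e["user"]][e["action"]] += 1
            if e["action"] == "copy" and e["dest"] == "removable":
                counts[e["user"]]["copy_removable"] += 1
    return counts


def find_anomalies(events, baseline, review, multiplier=5, removable_threshold=10):
    """Return findings for users whose review-window activity is anomalous.

    Volume rule: documents touched (read + print + copy) in the review
    window exceeds `multiplier` times the per-day baseline rate scaled to
    the review window. Users with no baseline are not judged by volume.
    Removable-media rule: copies to removable media >= removable_threshold.
    """
    b_start, b_end = baseline
    r_start, r_end = review
    b_days = (b_end - b_start).days + 1
    r_days = (r_end - r_start).days + 1
    base = per_user_counts(events, b_start, b_end)
    rev = per_user_counts(events, r_start, r_end)
    findings = []
    for user, c in rev.items():
        touched = c["read"] + c["print"] + c["copy"]
        b = base.get(user, Counter())
        base_touched = b["read"] + b["print"] + b["copy"]
        expected = base_touched / b_days * r_days
        if base_touched and touched > multiplier * expected:
            findings.append({"user": user, "reason": "volume",
                             "observed": touched, "expected": round(expected, 1)})
        if c["copy_removable"] >= removable_threshold:
            findings.append({"user": user, "reason": "removable_media",
                             "observed": c["copy_removable"]})
    return findings


def demo():
    """Run the review over the constructed log and return the findings."""
    return find_anomalies(constructed_events(), BASELINE, REVIEW)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The per-user baseline matters more than the absolute thresholds: a records clerk who legitimately handles hundreds of documents a day should not trip the same fixed line as an analyst who normally touches four. The removable-media rule is kept separate because a single day of bulk copies to optical or USB media is worth a look regardless of how it compares with history.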