roger_grimes
Columnist

Stopping the next WikiLeaks

Analysis
Dec 07, 2010 | 8 mins
Data and Information Security, Encryption

Preventing the transmission of sensitive data is extremely tough, but technologies such as encryption and DRM can help

I’m very conflicted about WikiLeaks’ decision to publish confidential U.S. diplomatic cables. On the one hand, I’m a huge proponent of the free, legal flow of information and a supporter of private citizens gathering and releasing facts documenting illegal acts committed by a ruling government. On the other hand, I’m troubled by the fact that Julian Assange and WikiLeaks are making decisions that are harming people — with no accountability. Suppose they got their hands on active nuclear bomb codes, jet fighter radio codes, or plans on how to make a portable atomic bomb? I’d like to think that even Assange and WikiLeaks would show restraint. But would they?

Some readers have asked how to prevent future WikiLeaks-like events, either in the government or in their own private corporations. The short answer: It’s difficult to accomplish because you essentially have to defend against all attack types. Nothing would be off the table. For example, in at least one case, a trusted insider is suspected of downloading information and providing it to WikiLeaks. That’s hard to defend against.


Stop data leaks through the use of encryption

An organization could implement a few mechanisms to provide potential protections. Certainly, encryption is one option. Encryption makes it harder for unauthorized persons to view or use confidential information. Cryptographically protected documents are a good start — but not by themselves. If a trusted insider has the cryptographic keys, it’s game over if you’re relying solely on encryption.

For example, the WikiLeaks cables release is proving that access to information should be limited to as few people as absolutely necessary. In the few confidential cables I’ve seen in the public media, many of them had hundreds to possibly thousands of recipients. It’s hard for me to believe that any truly worthwhile, confidential information should ever be sent out to hundreds of people. That’s just asking for a leak.

Other advanced cryptographic solutions show promise. One is the use of digital watermarks, which uniquely imprint a protected document so that each copy can be traced back to the user who retrieved it. At the same time, users and reviewers should have a hard time finding out how the protected document was branded, and they would be deterred from sharing such documents, as it would put their jobs and reputations at risk.

But watermarking doesn’t work in all cases. For one, there are still ways to share the information without releasing or copying the original document, such as through screenshots, photographs, simple retyping, and so on. Second, some people simply won’t care if they are caught. And finally, some users are plain dense. Even if they’re told digital watermarking is in use, they’ll forget and share the document regardless. The Screen Actors Guild has been digitally watermarking film review copies for years, with strong penalties for improper distribution — yet people get caught leaking documents.

In any case, even if a document is digitally watermarked, it can be shared and the confidential information revealed. Digital watermarking is not access control.
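The per-copy tracing described above, as an added example that is not part of the original column: each recipient's copy carries a keyed tag, and a leaked copy is matched back to a recipient. The zero-width-character encoding, the key, the document ID and the recipient names are assumptions chosen for illustration; the last case shows the retyping limitation the column points out.

```python
import hashlib
import hmac

ZW0, ZW1 = "\u200b", "\u200c"  # zero-width characters standing for bits 0 and 1
TAG_BITS = 32

# Constructed sample values (assumptions, not from the article).
KEY = b"constructed-demo-key"
RECIPIENTS = ["alice", "bob", "carol"]
CABLE = "Summary of the constructed sample cable for this example."


def _tag(key, doc_id, user):
    """Per-recipient tag: first 32 bits of HMAC-SHA256 over (doc_id, user)."""
    mac = hmac.new(key, f"{doc_id}\x00{user}".encode(), hashlib.sha256).digest()
    return format(int.from_bytes(mac[:4], "big"), f"0{TAG_BITS}b")


def watermark(text, key, doc_id, user):
    """Return a copy of text carrying an invisible mark after the first word."""
    mark = "".join(ZW1 if b == "1" else ZW0 for b in _tag(key, doc_id, user))
    head, sep, tail = text.partition(" ")
    return head + mark + sep + tail


def trace(leaked, key, doc_id, recipients):
    """Return the recipient whose tag is embedded in the leaked copy, or None."""
    bits = "".join("1" if c == ZW1 else "0" for c in leaked if c in (ZW0, ZW1))
    for user in recipients:
        # Without the key, a reader cannot compute or forge another user's tag.
        if hmac.compare_digest(bits, _tag(key, doc_id, user)):
            return user
    return None  # mark stripped (for example by retyping) or not our copy


if __name__ == "__main__":
    bobs_copy = watermark(CABLE, KEY, "cable-42", "bob")
    print(trace(bobs_copy, KEY, "cable-42", RECIPIENTS))
    print(trace(CABLE, KEY, "cable-42", RECIPIENTS))  # retyped copy
```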

Another solution is to implement some sort of digital rights management (DRM). Much of the world hates DRM, and it garnered a reputation for causing problems, even when protected documents are being used legitimately. Still, DRM technologies are convenient in making it harder to share unauthorized copies. Strong DRM should be used to protect confidential information.

Among the DRM products out there is Microsoft’s Rights Management Service (RMS); other vendors with competing products include Oracle and Check Point. (As a full-time Microsoft employee, I’m most familiar with the company’s DRM offering.) RMS allows you to digitally encrypt selected document formats in such a way that it’s possible to prevent reading, copying, and printing of content at a future date. The author or distributor of a protected document can cryptographically determine who can view and read (and copy and print) a particular document. Each time an allowed reader opens the document, the RMS client checks with a parent server to see if the user still has the necessary rights to view and read the document.

In the WikiLeaks scenario, it may have been possible to deny the carrier of the documents the ability to view and copy them further, as soon as their unauthorized use was suspected. Even if the traitor was able to give the documents to other unauthorized parties, the documents could have been rendered unreadable.

RMS isn’t infallible, but it prevents trivial misuse (once known). Using a solution such as RMS also might make it possible to determine where the unauthorized documents are being opened, because the IP addresses may be learned when the documents are opened and the RMS clients dial home. I’m sure there are many similar products available, and I welcome alternate vendors to reply in the article comments.

Monitor data transfer patterns for signs of leakage

Yet another method to prevent leaks is to detect unusual transfer patterns — for example, large amounts of data moving to suspicious locations. In many cases, such as that of WikiLeaks, significant amounts of data are copied to a single workstation. If this level of data retrieval is detected, the monitoring system could notify the incident response team to visit the user’s desktop.

In order for this type of notification mechanism to be useful, it would have to be secretly implemented, legitimate use would have to be well-defined, and lots of false positives accepted. Still, many intentional data leaks could be stopped with such a mechanism in place.

A related method is to place “red herring” data within large data sets. The red herring is fake data that only exists to be used as an early-warning indicator. Data leak tools could look for the transmission of this information and alert upon its transfer or viewing.
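The two detections described above (bulk retrieval to a single workstation, and any touch of red herring data), as an added example that is not part of the original column. The log format, document IDs, per-user baselines and the alert threshold are all constructed assumptions.

```python
from collections import defaultdict

# Hypothetical ID of a planted "red herring" record that no real workflow reads.
CANARY_DOCS = {"cable-CANARY-07"}

# Constructed baseline: typical bytes retrieved per user per day.
BASELINE_BYTES = {"alice": 300_000, "bob": 250_000, "carol": 400_000}

# Constructed one-day retrieval log: "<user> <workstation> <doc_id> <bytes>".
SAMPLE_LOG = "\n".join(
    [
        "alice ws-114 cable-0001 18230",
        "alice ws-114 cable-0002 22410",
        "bob ws-130 cable-0107 19950",
        "truncated-record",
        "carol ws-221 cable-CANARY-07 4096",
    ]
    + [f"carol ws-221 cable-{n:04d} 25000" for n in range(1000, 1400)]
)


def detect(log_text, baseline, canaries, factor=5, default_baseline=200_000):
    """Return alerts for canary reads and per-workstation bulk retrieval."""
    pulled = defaultdict(int)  # (user, workstation) -> total bytes retrieved
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdecimal():
            continue  # skip malformed records rather than crash the monitor
        user, host, doc, size = parts
        pulled[(user, host)] += int(size)
        if doc in canaries:
            # Any read of a red herring is suspicious on its own.
            alerts.append(("canary", user, host, doc))
    for (user, host), total in sorted(pulled.items()):
        # Unknown users fall back to a default so they are not unmonitored.
        limit = factor * baseline.get(user, default_baseline)
        if total > limit:
            alerts.append(("volume", user, host, total))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE_BYTES, CANARY_DOCS):
        print(alert)
```

The `factor` multiplier is where the false-positive trade-off sits: lowering it catches smaller pulls at the cost of more alerts on legitimate heavy users.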

Lastly, companies could require that all data stored to removable media be encrypted and readable on only the company’s own systems. Several encryption products (such as McAfee’s PGP, Microsoft’s BitLocker, and more) have this enforcement ability. This particular solution would require that the protected data not be convertible to a non-encrypted form or allow other transfer methods — email, FTP, and so on — of the unencrypted data.

If you can’t use encryption enforcement to protect data, at least prevent employees from bringing, using, and leaving with unauthorized removable media. Most employers are far too casual about permitting the use of USB thumb drives. Employees should not bring in or leave with writeable CD-ROMs or USB hard drives. It happens all the time, but it leads to the introduction of malware, including the Stuxnet worm, and the removal of confidential data.

Ultimately, WikiLeaks-type attacks are difficult to prevent. Determined malicious hackers can almost always get inside their intended target to steal data using the credentials of others. Trusted insiders are even harder to stop. Notably, based on the various FBI digital crime reports I’ve read, many trusted insiders caught stealing data had made earlier threats to damage a company. They were known to be disgruntled employees.

Train leaders and coworkers to look out for signs of angry employees with an ax to grind and access to confidential data. If employees make what appear to be merely empty threats, take them seriously anyway. Remove the users’ access to the protected data until they can prove they’re trustworthy again. If nothing else, increase monitoring to make sure they aren’t making unauthorized downloads of large data sets.

I’m sure many readers will take me to task for suggesting that every frustrated employee be treated as a criminal — heck, I’ve been a frustrated employee more than once. However, if you want to make sure your organization doesn’t end up as the next WikiLeaks target, caution pays dividends in this new pain point in the digital world.

Therein lies the frustration of this whole situation: Much of what I have written here goes against everything I believe in, such as monitoring suspected employees, preventing the casual use of removable media, and reporting frustrated coworkers — so I sit here confused as ever. Readers, let me know what other, better solutions you have.

This story, “Stopping the next WikiLeaks,” was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
