What enterprises should take away from the CIA leak

Mar 28, 2017 | 6 mins
Internet Security, Security

3 lessons enterprises can learn from the recent WikiLeaks Vault 7 data leak

Credit: Larry Downing/REUTERS

The recent document leak detailing CIA spying campaigns and hacking techniques has fostered conversations and news stories on how to balance intelligence gathering with privacy, as well as discussions on the agency’s extensive spying capabilities. What hasn’t been discussed as much is what enterprises (and governments in one case) can learn from the WikiLeaks Vault 7 leak.

To me, three key takeaways are that leaks can happen to any organization, figuring out what entity carried out an attack is difficult to do, and we’re in an era when nation-state weapons end up in the hands of criminals. Collectively, these developments make practicing information security more complex than ever. Now, let’s explore each one in more detail.

Figure out the impact of a leak on your organization

Every company is vulnerable to leaks. Whether a disgruntled employee releases your company’s secret sauce recipe or there’s a whistleblower who thinks your company has lost its way, there’s the potential for trade secrets to end up in the public sphere.

From a technical standpoint, preventing leaks from happening is challenging. You can prevent employees from using USB drives and FTP or monitor their email to see if any sensitive information is being improperly shared with outside entities. But just like a motivated hacker, a motivated employee will figure out how to get this information out of the company.

While taking proactive steps to prevent leaks is highly important, companies should also run scenarios that look at how they would be impacted by a leak that exposes key data and develop a response plan in the event of a leak.

Could there be public backlash if the leak shows the company was engaged in activities that some people would consider unethical? After Edward Snowden, for example, leaked information on U.S. government intelligence operations, civil liberty groups, law makers, tech companies and foreign governments demanded accountability. Companies involved in projects that could spark ethical concerns should talk about the potential fallout if the public learned about this work and how to quickly recover. Would the stock price tumble? Would revenue be hit? Would customers cancel contracts?

Or could a leak seriously jeopardize the organization’s main mission? The CIA may find itself in this situation after the Vault 7 leak. With information about the tools and techniques the CIA used to conduct operations publicly available, companies will use this information to patch flaws and harden the security of their products. This would force the CIA to develop new tools and procedures for carrying out its objectives. Companies need to consider how to react if their intellectual property were shared publicly, providing competitors with a chance to study their plans and even incorporate them into their products.

You may never know who attacked you

While every company would like to learn who attacked them, attribution is complicated, if not nearly impossible, to pull off. Often, hackers make every effort to hide their tracks, and deception is an essential component of any campaign. Attackers want to make sure that if they’re discovered, someone else is blamed. That’s why Russian hackers include snippets of Chinese in their malware code. This gives the appearance that China is the perpetrator.

Deception is also part of the CIA’s campaigns, according to WikiLeaks. Supposedly, an internal CIA group called UMBRAGE steals the tactics used by nation-state attackers to fool security analysts into wrongly attributing CIA attacks to those countries.

For organizations, this should drive home the point that they may never truly know who attacked them. The reality is that bad guys have too many methods for deceiving the good guys. Not placing so much emphasis on attribution may go against human nature, since people want some form of justice after a crime is committed. But attribution, as I’ve said before, does nothing to bolster a company’s security.

Businesses need to be ready for when nation-state exploits are used against them

Nation-states hoard hardware and software zero-day exploits and use them in their operations to take full control of devices. If these exploits or knowledge of them is leaked to the public, attackers have access to this information, as well, and could use it to attack organizations.

This happened with the Vault 7 leak. At the moment, WikiLeaks isn’t disclosing the technical details of the zero-day exploits contained in the leaked documents. WikiLeaks founder Julian Assange has promised to share this information with vendors, allowing them to fix the vulnerabilities in their software and hardware. But the documents WikiLeaks did release describe these exploits.

Theoretically, attackers could use this information to reverse-engineer the exploit. In fact, two weeks ago Cisco warned customers that a software flaw discussed in the Vault 7 leak allows the CIA to fully take over more than 300 of the company’s switches. There’s no fix to address the issue, but Cisco said it will release a software update that patches the vulnerability.

When a nation-state zero-day exploit becomes public information, companies need to be prepared. They should immediately contact the impacted vendor to see if a patch is available, and if one has been developed, apply it immediately. And if a patch isn’t available, businesses need to find out if there’s a work-around they can use.

This is a good time to stress that every organization needs to develop a complete incident response plan, test it at least once a year, and modify it as new threats emerge or the business changes. An incident response plan is especially prudent if threat actors end up leveraging a nation-state zero-day exploit in an attack.

Security incidents, especially ones that involve zero days, are already stressful. Not having a detailed plan in place for how to handle these situations only adds to the stress and confusion. Your company’s executives’ and security teams’ first exposure to the incident response team shouldn’t be when there’s a breach.

Consider how a security incident could impact your business

Whether a security incident is as severe as a data breach or something that seems less harmful, like a leak of CIA spying tactics, companies should always consider how it will impact them. And if companies don’t see a connection between their defense and a security incident, they shouldn’t be afraid to ask, “Could this happen here?” Use an event as an opportunity to bolster your organization’s protection capabilities.


Lior Div is the CEO and Co-Founder of Cybereason. Before forming Cybereason, he founded cyber-security company Alfa Tech.

Div also served in the Israeli Defense Forces. While in the IDF, Div was part of the Israeli Intelligence Corps, where he led an elite cyber-security team in the Corps' 8200 unit. Div's work in the Corps earned him a Medal of Honor.

He is an expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion.

The opinions expressed in this blog are those of Lior Div and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.