In the past few days, almost every conversation I have had with a CISO has somehow stumbled onto the topic of the data breach at the US Department of Defense (DoD) and subsequent release of that information through WikiLeaks. Many CISOs have told us that their executives are asking for reassurances that this type of large-scale data disclosure is not possible in their organization. Some executives have even asked the security team to provide presentations to management educating them on their existing security controls against similar attacks. Responding to these questions is tricky: “It’s like treading on a thin ice,” commented one CISO. If you tell them everything is under control you may create a false sense of security. If you tell them that it is very likely that such an incident can happen within their organization – it may be a career limiting move.
I would recommend giving the executives a dose of reality. I do many security assessments for our clients and often find that many organizations are solely relying too much on technology and infrastructure protections they have. Today’s reality is very different. We often operate in a global context with large and complex IT environments making it hard to monitor and track data and we are sharing a tremendous amount of sensitive information with business partners and third parties. All of these realities were faced by the US government as well and probably all contributed to the circumstances that led to the disclosure of data.
As many of you try to extract the lessons learned from this episode, here is my take on it – It is a failure of not a single security control but a set of multiple preventative and detective lapses.
Failure of preventative controls: Governance, Oversight and Access Control
Many people are shocked at the fact that a single person had access to all this information. Did Bradley Manning (the person alleged to have leaked this information), a 23-year-old Private First Class, need all of this information and unrestricted access to the Secret Internet Protocol Router Network (SIPRNet) to perform his job? How come over a period of months he kept this access unnoticed? Don’t we have a “need to know” policy for some of this sensitive stuff? Why was he allowed to download data from the cable application in the first place? Shouldn’t the military be using some thin client to limit some of this information from being downloaded?
Now, all these questions are valid questions and you would expect the military to have some of these controls already in place. But interestingly, if you ask these questions about your own environment pertaining to sensitive data within your organization many of you will realize that these areas are huge gaps for many enterprise environments as well.
Failure of detective controls: Network security, Data security and Applications
Information security often relies on detective controls to monitor and alert them of anomalies, inconsistencies, and events that they can further investigate or react to. In this case it seems like many of the detective controls were also missing or breached.
A little sidebar here; many companies tend to believe that if we block access to something or allow limited access to something, that means we don’t need to worry about it. Wrong thinking! I suspect that’s what happened here – Bradley Manning claims to have copied this information onto writable CDs. DoD lifted an outright ban on removable media only in February, allowing it in very limited circumstances. By establishing this policy DoD thought they had taken care of this risk. Many companies I talk to today are doing the same thing with social media – “We block it and that’s why we don’t need to worry about it.” This could be a recipe for disaster.
So what other detective controls could have prevented such a disclosure? Granted Bradley Manning was an “insider,” I would still assume that since this information was classified there would be some monitoring in place – especially if a large volume of this data is being copied on an external medium. Either that monitoring did not work or there were serious lapses in the monitoring. Security information management (SIM) probably wouldn’t have found this leak unless they were really lucky as it doesn’t monitor the network activity that closely. But a technology such as data leak prevention (DLP) can alert you if someone is burning 1.6 GB of confidential/sensitive data onto an external medium. Similarly, network anomaly detection tools can alert you on “unusual” activity from an individual user as well. But ultimately we need to acknowledge that all of these detective controls may still be useless if we have a malicious insider who knows what he/she is doing.
I think this should serve as a serious wakeup call for us to stop relying on a single control and build our defenses in layers – where each control serves to strengthen the overall security posture. Let’s go back and revisit how we have implemented our people, process, and technology controls to mitigate the risks of such disclosures. We also need to set realistic expectations with management on risk mitigation and acknowledge that we cannot guarantee 100% security because of all these variables and constraints.
I’d be interested to know if the data disclosures at WikiLeaks changed anything for you. Are you doing anything differently? Has it given you more visibility? Budget? Or it has created difficult questions for you?