By this time most of us have heard plenty about the WikiLeaks disclosures, but a quick recap may be in order.
According to a recent LA Times article, Army Pfc. Bradley Manning, a disgruntled intelligence analyst with the 10th Mountain Division in Iraq, is accused of using his computer access to download large volumes of material from a secure military network known as SIPRnet, for Secret Internet Protocol Network. The actions led to the largest breach of secret national security information in American history.
According to reports, the theft of the material fueled a series of WikiLeaks disclosures, including hundreds of thousands of State Department documents revealing a hidden world of backstage international diplomacy. The leaks included candid comments from world leaders and details of occasional U.S. pressure tactics overseas. For readers not already familiar with it, WikiLeaks describes itself as “a non-profit media organization dedicated to bringing important news and information to the public.” The organization claims to provide an anonymous way for independent sources to leak information.
The LA Times states that the lesson of WikiLeaks is clear: In the cyber age there are few things so damaging as a determined insider with the right passwords.
Once again, here is validation of my mantra that too many people have too much access, for too long, to too much sensitive data, with too little justification and too few controls.
In my role at a company that provides software to manage privileged identities, we frequently see the consequences of failures to control access to sensitive data. Unfortunately, WikiLeaks-style insider breaches occur almost every day in organizations large and small. All too often, root causes are addressed only when data loss gets outed by the press or when outside parties apply pressure to introduce the necessary controls.
The problem of the information age is that yesterday’s processes can no longer keep pace with ever greater volumes of sensitive data, present in more and more places, being accessed by ever greater numbers of people. Today only automated systems with sophisticated and constantly improving controls can provide a real solution.
Systems exist to provide data loss protection (DLP), heuristic tracking of behavior on the Internet, and the analysis of database behavior. These systems look for unusual patterns and generate events that can trigger restrictions and human responses. Such systems are not cheap, and require highly trained and motivated staff to operate.
Today’s trends point toward ever more outsourcing and cost reduction in IT, so it’s no surprise that so many security gaps are ignored and eventually exploited. I doubt that anyone would be so naive as to think that our mortal enemies have not already taken advantage of these weaknesses. We can only hope that both government and industry take notice and begin to renew their investments in human resources and modern technology.