Rethinking Access Controls: How WikiLeaks Could Have Been Prevented

 
 
By Ken Ammon  |  Posted 2011-02-15
 
 
 

Rethinking Access Controls: How WikiLeaks Could Have Been Prevented


The simple and unfortunate truth is that the WikiLeaks crisis could have been prevented altogether. While hindsight is 20/20, there are critical lessons learned that today's organizations and government agencies should understand in order to prevent future incidents.

"History repeats itself," as the popular saying goes. WikiLeaks is no exception. The WikiLeaks crisis concerns the unauthorized access and downloading of 250,000 sensitive and classified diplomatic cables and other files. It has a strikingly similar resemblance to the Napster crisis, which enabled piracy and was eventually sued by the band Metallica.

So, what exactly do Metallica and the United States government have in common? They are both fighting to control information once it has been placed on the Internet. Like Napster, WikiLeaks is simply another example of a controversial, yet highly efficient Internet distribution engine for the global sharing of data. It's also hard to stop.

Both Metallica and the United States government have gone after these Internet distribution systems in an attempt to regain control of content they own. However, it's a losing battle. For Metallica, not much has been done to stop the millions of people who illegally access and share music files. Internet users know several Napster replacements exist that still amass files and enable the sharing of them. When something people want-music or data-becomes public, you can be sure that people will find a way to share it.

WikiLeaks Could Have Been Prevented with Better Access Controls


WikiLeaks could have been prevented with better access controls

Clearly, once information is available online-whether government cables or music-the people who own the information have lost all control over it. They can discuss new laws to accommodate new technologies, ethics and so on, but an equally pertinent question is, "What could we have done to prevent this in the first place?"

Organizations industry-wide are abuzz with what happened with WikiLeaks. Unfortunately, many are focusing on the "Wiki" and not the leaks. Providers have shown good faith by shunning DNS and hosting services to the WikiLeaks site. What will follow is a game of Whack-A-Mole. Case in point: Napster music sharing was replaced with platforms such as LimeWire and BitTorrent.

The WikiLeaks loss represents yesterday's clumsy virus. Quite simply, the leak originated from a low-level analyst trusted to follow policy. While the security community is focused on emerging, persistent threats capable of sophisticated and coordinated attacks on nuclear plants (Stuxnet), let us not forget that we continue to be at great risk from much less sophisticated threats such as trusted insiders with access controls that are enforced with basic tools such as handbooks and written policy.

A Paradigm Shift Is Needed


A paradigm shift is needed

The sticky area has always been the way that organizations grant trust and the amount of power given to a user once that trust has been granted. There has to be a shift in paradigm. Companies should still aim to establish trust-with background investigations and such-when they engage with partners, employees, etc. However, organizations can no longer extend that level of trust to things as powerful as information systems and technology and, in particular, those trusted to administer and manage these platforms.

Commonly, a system admin gets a background check, gains clearance and is handed the ultimate access to government or company information and infrastructure. Not anymore. Companies need to move to a zero-trust model to enforce written policy with technology.

At a minimum, the WikiLeaks loss should sound an alarm for access control of privileged users such as Web and system administrators. The potential for loss is too great to expect that all people are going to pay attention to a memo or follow the employee handbook. After all, it only took one bad seed for WikiLeaks to occur.

Companies Need to Move to a Zero-Trust Model


Companies need to move to a zero-trust model

On November 28, 2010, the Executive Office of the President (in the Office of Management and Budget) issued a memo to the heads of executive departments and agencies regarding WikiLeaks and misuse of classified information. The memo includes the following immediate instruction in support of zero-trust:

"Each department or agency that handles classified information shall establish a security assessment team consisting of counterintelligence, security and information assurance experts to review the agency's implementation of procedures for safeguarding classified information against improper disclosures. Such review should include (without limitation) evaluation of the agency's configuration of classified government systems to ensure that users do not have broader access than is necessary to do their jobs effectively, as well as implementation of restrictions on usage of, and removable media capabilities from, classified government computer networks."

There are many issues that need to be addressed by a solution that run the gamut of Internet security challenges and the need to share data. At a minimum, though, organizations should tackle high-risk challenges posed by well understood threats that are easy to solve-such as controlling administrator and privileged access to data and systems with today's existing technologies that are not prohibitively expensive.

In fact, a proper privilege management platform designed to control, contain and audit access to assets and systems needed to perform one's job could have prevented the WikiLeaks crisis altogether.

Ken Ammon is Chief Strategy Officer at Xceedium. A recognized expert in security issues, Ken joined Xceedium from LookingGlass, a high-technology consulting firm that advises corporations and private equity funds on emerging security trends and technologies. Prior to LookingGlass, Ken was founder and president of managed security services provider NetSec.

A noted security expert in matters relating to the federal government, Ken has testified before the House Government Reform Committee on dramatic security vulnerabilities affecting sensitive government information and infrastructure. Ken has also served as an adjunct faculty member at the National Cryptologic School where he was recognized with the Scientific Achievement Award. Ken began his career in the United States Air Force where he was a captain assigned to the National Security Agency. He can be reached at kammon@xceedium.com.

Rocket Fuel