A few years ago, you may have been reading about the economic collapse with passing interest. At the time, it was an issue with the financial institutions that were passing out high-risk loans. Then it was the credit agencies, then the homeowners and, eventually, everyone. For many, it didn’t really hit home until your home, job or salary was lost. It just seemed so far away, and we didn’t see the train headed straight for us.
Now, another train is coming and I’m telling you right now, it’s headed in your direction. WikiLeaks has brought new meaning to the concept of insider threat by providing a convenient vehicle to empower staff to quickly and instantly hand over privileged information. According to WikiLeaks founder Julian Assange, half of their leaks are on private companies and a major American bank is the next to be exposed in early 2011.
Whether you support or condemn Julian’s actions and the WikiLeaks phenomenon, the important thing is, your company could be next. Given the volume of leaks WikiLeaks has on private companies, if you work for a Global 2000 corporation, there’s a good chance WikiLeaks already has some dirt.
Governmental Response to WikiLeaks
Governmental response to WikiLeaks
So far, the government’s approach has been characteristic of a militaristic response to a national security threat: hunt down the leader, cut off resources and supplies, go after funding and other supporters. This is also the knee-jerk human nature response to a breach: go after the individuals thought to be held responsible for the breach.
The problem is, there will always be more soldiers or staff who will leak information. There will always be more Website hosts, more bank accounts, more financial supporters and more Julians. Even if Julian was captured and the Website shut down, I suspect that Julian has set a precedence that will inspire another to take his place.
The existence of hackers is taken for granted-just a part of the harsh world in which we live. Now the existence of online portals that make it easy for insiders to share privileged information is as well. So, for those of us who aren’t involved in trying to put the WikiLeaks founder behind bars, how do we protect our data from being leaked by those who have legitimate access?
Least Privilege
Least privilege
Unfortunately, you can’t ever completely eliminate the chance that someone will leak documents to WikiLeaks. In order for any organization to function, they will need individuals to be able to access information. There will always be a chance that any given individual will decide to make that information available to more people than they should.
All we can do is drastically reduce the odds. Even while the government tries to stop WikiLeaks, they offer WikiLeaks a green field of opportunity with excessive internal access. The more people with access to any particular piece of information, the more likely that data will reach the public eye.
“Least privilege” is the best practice of cutting excessive access rights by giving staff members only the privileges they need to do their jobs and not an inch more or less. The lack of granularity in policy here often provides staff access to severalfold the amount of data they really need. Say you reduce the average employee’s access rights by 80 percent. Theoretically, you’ve reduced the volume of information being leaked to WikiLeaks by an approximately equal proportion because employees can only leak the amount of information to which they have access.
Only the companies that perform the worst at protecting their secrets will gain the spotlight of the next mega leak because the site only does major leaks on companies where they’ve compiled enough sources and information. An 80 percent reduction in information leaked to WikiLeaks is really almost a guaranteed safeguard since a major leak won’t occur on the basis of scraps of information.
What the IT security team will need to work out is how to make drastic cuts in access to prevent leaks to WikiLeaks-without blocking employees from the information they need to be productive and that will require implementing more detailed policies.
Accountability
Accountability
When we were at VMWorld conducting a short, informal survey, participants were overwhelmingly aware of the responsibility they carried and the tremendous value of the data to which they had access. IT staff boasted that the data they presided over was worth plenty more than $20 million. What we didn’t hear is, “but I would get busted for sure.” In fact, many felt it would be relatively easy to get away with it.
Having accountability after the fact isn’t an option. Employees need to know in advance that they carry a great burden, that violating the burden will result in discharge and that they will be caught. This entails having log-ins, monitoring, approvals and other processes that make it really clear about who has access to what and when. After the fact forensics are fine, but staff members need to feel the accountability beforehand and know that they won’t get away with it before the attempt is even made.
Indirect leaks
Obviously, WikiLeaks sources are shrouded in mystery. Often, one major unveiled leak is the combination of hundreds of smaller leaks about the same organization or event. The only thing we know about how the leaks occur is that someone goes to WikiLeaks.org and submits materials. Even WikiLeaks doesn’t keep records of where the submissions come from.
On that note, it’s reasonable to suspect that not all the leaks come directly from employees. Malware developers and hackers who are after profit often get confidential data for which they don’t have any use. WikiLeaks has made it very easy and convenient for any party to contribute to expose company secrets.
In addition to the insider threat, we all need to take a long, critical look at how we protect our data from outsiders-even friends and family of staff-to keep our company secrets, secret.
Jim Zierick is Executive Vice President of Product Operations at BeyondTrust. Jim is responsible for the development, methodology and process of one of BeyondTrust’s solution suites. Jim also leads global initiatives to drive growth and technical thought leadership. Prior to joining BeyondTrust, Jim served as a serial CEO at Nirvanix, LogicalApps and Aspyra. Jim has also held senior positions at Oracle, Peregrine Systems and Hewlett-Packard. He can be reached at jzierick@beyondtrust.com.