At the center of the WikiLeaks controversy is U.S. Army Private First Class Bradley Manning, the man suspected of having passed the whistle-blower Website a massive collection of U.S. embassy cables.
Manning has been in military custody for the past several months with charges of transferring classified information to his personal computer and passing it on to an unauthorized source hanging over his head. But it was not monitoring software that exposed Manning; in fact it was an informant, former hacker Adrian Lamo, who Manning allegedly bragged to via instant message.
The situation underscores the problems surrounding access controls and malicious insiders, and it has prompted the U.S. Office of Management and Budget (OMB) to issue amemorandum (PDF) to the heads of the country’s executive departments and agencies requiring them to review “the agency’s configuration of classified government systems to ensure that users do not have broader access than is necessary to do their jobs effectively, as well as implementation of restrictions on usage of, and removable media capabilities from, classified government computer networks.”
In a chat log between Lamo and Manning published by Wired magazine, Manning reportedly wrote that he would come in with a CD labeled “with something like ‘Lady Gaga’ … erase the music … then write a compressed split file.”
The OMB memo was not the first time government officials have taken a hard look at removable media. For example, the military banned USB devices temporarily in 2008 in response to malware attacks. But banning removable media and storage devices will not deter someone from using them if that policy is not enforceable, said Michael Maloof, CTO at TriGeo Network Security.
“Real-time monitoring and blocking is not only possible, it’s essential, and it’s the only way to ensure that sensitive data is never transferred to an unauthorized device,” he said.
From an attack perspective, personal, portable devices are far too easy to hide in a bag or pocket, noted Hugh Garber, product marketing specialist at Ipswitch File Transfer.
“Portable devices increase risk,” he said. “Easily lost or stolen USB drives, external hard drives, smartphones and even using personal e-mail accounts can increase security risk, compliance risk and data breach risk. Portable personal devices relinquish visibility, [the ability to be audited] and compliance because they aren’t being integrated into overall file transfer monitoring or reporting.”
Controlling data leaks also means managing access.
“Simply put, organizations must ask, ‘What does this person need to accomplish their stated mandate, and nothing more?’ and then again deploy the right management tools to ensure they have what they need while adhering to the organization’s policies. Identity is again the key to making this work well,” said Grant Ho, director of solutions and product marketing for End User Computing Solutions at Novell.
In its latest data breach report, Verizon reported that roughly 48 percent of data breaches during 2009 involved someone internal maliciously abusing his or her right to access corporate information. Technology aside, identifying people in an organization who may leak or steal confidential data is far from an exact science.
“This is one of the biggest problems … there isn’t a profile or common traits [of malicious insiders],” said Ho. “In fact, sometimes people gain access to information without knowing that they shouldn’t. There are times when you should be more careful, such as if an employee is laid off or fired. Disgruntled employees will look for ways to compromise data. [But] profiling this is incredibly difficult.”
“There’s a fine line between trusted insider and malicious insider,” added Jack Hembrough, CEO of VaporStream. “System Administrator is a powerful position, and someone’s got to occupy it. Rather than trying to identify who might ‘go bad,’ I think it’s more productive to help honest people stay honest by managing what the System Administrator can do.”