Many CISOs have told us that their executives are asking for reassurances
that this type of large-scale data disclosure is not possible in their organisation.
Some executives have even asked the security team to provide presentations
to management educating them on their existing security controls against similar
attacks.
Responding to these questions is tricky: “It’s like treading on thin ice,”
commented one CISO. If you tell them everything is under control, you may
create a false sense of security. If you tell them that such an incident is
very likely to happen within their organisation, it may be a career-limiting
move.
I would recommend giving the executives a dose of reality. I do many security
assessments for our clients and often find that organisations are relying
too heavily on the technology and infrastructure protections they have.
Today’s reality is very different. We often operate in a global context with
large and complex IT environments that make it hard to monitor and track
data, and we share a tremendous amount of sensitive information with
business partners and third parties. The US government faced all of these
realities as well, and they probably all contributed to the circumstances
that led to the disclosure of data. As many of you try to extract the lessons
learned from this episode, here is my take on it: it is not the failure of a single
security control but a set of multiple preventative and detective lapses.
Failure of preventative controls: Governance, Oversight and Access Control
Many people are shocked at the fact that a single person had access to all
this information. Did Bradley Manning (the person alleged to have leaked
this information), a 23-year-old Private First Class, need all of this
information and unrestricted access to the Secret Internet Protocol Router
Network (SIPRNet) to perform his job?
How did he keep this access unnoticed over a period of months? Don’t
we have a “need to know” policy for some of this sensitive stuff? Why
was he allowed to download data from the cable application in the first
place? Shouldn’t the military be using some thin client to prevent some of
this information from being downloaded?
Now, all of these are valid questions, and you would expect the
military to have some of these controls already in place. But interestingly,
if you ask these questions about your own environment, pertaining to
sensitive data within your organisation, many of you will realise that these
areas are huge gaps for many enterprise environments as well.
Failure of detective controls: Network security, Data security and Applications
Information security teams often rely on detective controls to monitor for,
and alert them to, anomalies, inconsistencies and events that they can further
investigate or react to. In this case it seems that many of the detective
controls were also missing or breached.
A little sidebar here: many companies tend to believe that if we block
access to something, or allow only limited access to it, we
don’t need to worry about it. Wrong thinking! I suspect that’s what
happened here: Bradley Manning claims to have copied this information
onto writable CDs.
DoD lifted an outright ban on removable media only in February, allowing
it in very limited circumstances. By establishing this policy DoD thought
they had taken care of this risk. Many companies I talk to today are doing
the same thing with social media - “We block it and that’s why we don’t
need to worry about it.” This could be a recipe for disaster.
So what other detective controls could have prevented such a disclosure?
Granted, Bradley Manning was an “insider,” but I would still assume that since
this information was classified there would be some monitoring in place,
especially when a large volume of this data is being copied to an external
medium.
Either that monitoring did not work or there were serious lapses in the
monitoring. A security information management (SIM) system probably wouldn’t
have found this leak, unless they were really lucky, because it doesn’t monitor
network activity that closely. But a technology such as data leak
prevention (DLP) can alert you if someone is burning 1.6 GB of
confidential/sensitive data onto an external medium.
Similarly, network anomaly detection tools can alert you on “unusual”
activity from an individual user as well. But ultimately we need to
acknowledge that all of these detective controls may still be useless
if we have a malicious insider who knows what he/she is doing.
I think this should serve as a serious wakeup call for us to stop
relying on a single control and build our defences in layers - where
each control serves to strengthen the overall security posture.
Let’s go back and revisit how we have implemented our people,
process, and technology controls to mitigate the risks of such
disclosures. We also need to set realistic expectations with
management on risk mitigation and acknowledge that we cannot
guarantee 100% security because of all these variables and constraints.
I’d be interested to know whether the data disclosures at Wikileaks changed
anything for you. Are you doing anything differently? Has it given you
more visibility? Budget? Or has it created difficult questions for you?