Tactical Advice

What Your Business Can Learn from WikiLeaks

Use these lessons to protect your company from possible public embarrassment or corporate espionage.

Earlier this year, the actions of a 22-year-old brought WikiLeaks, a previously obscure website, into the public spotlight. Pfc. Bradley Manning, an Army intelligence analyst, allegedly downloaded hundreds of thousands of files from classified U.S. government computer systems onto a CD labeled "Lady Gaga" and provided them to WikiLeaks, which promptly posted them on the Internet, causing scandals within the military and diplomatic corps. The incident left many security professionals around the world wondering about the vulnerability of their own organizations to a similar attack.

While your business secrets might not be as sensational as those exposed by Private Manning, you surely have information that you wouldn't want disclosed to the public, your clients or your competitors. What lessons can you and your business take away from the recent WikiLeaks disclosures and the government's response?

The Government's Response

In the wake of the Sept. 11 attacks on the United States, the intelligence community was lambasted before Congress for compartmentalizing information in a manner that prevented analysts in many agencies from seeing the full picture of intelligence gathered from multiple sources. In their final report, the members of the 9/11 Commission stated that "even the best information technology will not improve information sharing so long as the intelligence agencies’ personnel and security systems reward protecting information rather than disseminating it." These words triggered a pendulum swing within the intelligence community toward the open sharing of information among agencies, arguably a swing that went so far as to allow Private Manning to steal hundreds of thousands of classified documents that he might not have had access to in earlier times.

So, how did the government react to the WikiLeaks disclosures? Part of their response was an effort to unring the bell — demanding that WikiLeaks remove the documents from the Internet and turn over any classified U.S. government information in the organization's possession. Not surprisingly, WikiLeaks leader Julian Assange refused those requests, claiming journalistic protections. The second half of the federal response involved a number of countermeasures designed to protect against similar leaks in the future. These steps included:

  • Cutting off access from military computer networks to State Department systems;
  • Blocking the use of removable media on military computer systems;
  • Implementing a two-person control system that requires the collaboration of two authorized individuals to initiate a bulk transfer of classified information; and
  • Installing a host-based security system (HBSS) on military computer systems.

Some of these actions, especially the drastic cutting off of access to State Department systems, might be seen as a knee-jerk reaction that moves the government back into the protective state that the 9/11 Commission criticized so harshly. Whether or not you think the government security pendulum has swung too far in the opposite direction, there are lessons that you can learn from the federal experience with WikiLeaks.

The Lessons of WikiLeaks

Is your business in the sights of WikiLeaks contributors? Do you have a Bradley Manning on your payroll? These are the questions keeping security administrators awake at night as we turn the calendar pages to 2011. There are three specific lessons you should take to heart to protect your organization from this type of public embarrassment or corporate espionage.

1. Implement strong personnel security. This is often one of the most overlooked areas of security because, quite frankly, it's boring. Nobody wants to spend time performing background investigations on new employees or monitoring the behavior of existing staff, but this might be the single most important action you can take to protect your business data. If you stop personnel with questionable backgrounds from entering your organization in the first place, you've done quite a bit to protect yourself from the insider threat. Some of the actions you might take in this area include:

  • Conducting consistent, strong background checks for any staff who will have access to sensitive information. Screenings you should consider include reference checks, criminal history searches and credit checks.
  • Maintaining proactive monitoring by management for unusual or disturbing behavior. If an employee begins to act irrationally or shows major changes in lifestyle (such as an administrative assistant showing up at work driving an expensive sports car), supervisors should assess the situation and know where in the organization they can turn for help, if needed.

2. Limit access to sensitive information on a need-to-know basis. The government tried both extremes of this philosophy — locking down access very tightly and a free-for-all, everyone-can-access-everything approach. Learn from their mistakes and find a middle ground that allows staff the latitude to access information that they may need to perform their jobs but tightly limits access to the most sensitive information. Here are some specific ideas:

  • Use role-based access controls to manage access to information. Rather than assigning permissions to each user on an individual basis, which can quickly become unmanageable, role-based groups allow you to assign permissions based upon roles in your organization and then assign users to those roles.
  • Conduct permission audits on a regular basis. You should plan to review all of the role assignments in your organization, as well as the permissions assigned to each role, on at least an annual basis. These reviews often turn up forgotten permission settings that can be revoked or modified.

3. Build a strong technology base for your security program. Once you've hammered out a program that addresses the personnel and access issues associated with information security, use technology to monitor them on an ongoing basis. Some ideas to consider are:

  • Data loss prevention (DLP) products, such as those available from Symantec or McAfee, which allow you to discover, monitor and manage confidential information in your computing environment whether on servers, endpoints, the web or e-mail.
  • File server logging, which tracks access to sensitive information. This may prove invaluable in the aftermath of an incident to help you identify the perpetrator.
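
The role-based access controls, permission audits and file server logging described above can be tied together in one review. The following is an added example, not part of the original article: it expands each user's roles into effective permissions, then uses an access log to list permissions that were granted but never used (candidates for revocation) and access attempts that were denied. All role, user and share names, and the log format, are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (hypothetical role, user and share names).
ROLE_PERMS = {
    "finance-analyst": {("/finance/reports", "read")},
    "finance-manager": {("/finance/reports", "read"), ("/finance/payroll", "read")},
    "hr-generalist": {("/hr/personnel", "read"), ("/finance/payroll", "read")},
}
USER_ROLES = {
    "alice": {"finance-manager"},
    "bob": {"finance-analyst", "hr-generalist"},
    "carol": {"finance-analyst"},
}
# Constructed file-server access log: timestamp, user, share, action, outcome.
ACCESS_LOG = """\
2011-01-04T09:12:01 alice /finance/payroll read ALLOW
2011-01-04T09:15:44 alice /finance/reports read ALLOW
2011-01-05T14:02:10 bob /finance/reports read ALLOW
2011-01-06T08:30:00 bob /hr/personnel read ALLOW
2011-01-07T22:41:19 carol /finance/payroll read DENY
2011-01-08T10:05:03 carol /finance/reports read ALLOW
"""

def effective_permissions(user):
    """Union of the permissions of every role the user holds."""
    return set().union(*(ROLE_PERMS.get(r, set()) for r in USER_ROLES.get(user, ())))

def parse_log(text):
    """Return two {user: set of (share, action)} maps: allowed and denied events."""
    allowed, denied = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guess at their meaning
        _, user, share, action, outcome = fields
        (allowed if outcome == "ALLOW" else denied)[user].add((share, action))
    return allowed, denied

def audit():
    """Per user: permissions granted but never used, and denied attempts."""
    allowed, denied = parse_log(ACCESS_LOG)
    report = {}
    for user in sorted(USER_ROLES):
        unused = effective_permissions(user) - allowed[user]
        report[user] = {"unused": sorted(unused), "denied": sorted(denied[user])}
    return report

if __name__ == "__main__":
    print(audit())
```

In this sample, bob's payroll access arrives through a second role and is never exercised, which is the kind of forgotten permission a periodic review is meant to surface.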

As the publicity fades from the WikiLeaks disclosure, it's likely that the government's security pendulum will swing back toward center. When incidents like this occur to others, they provide an excellent opportunity to reflect upon our own security programs and identify opportunities that can improve our defenses.

 

Mike Chapple is an information security professional and co-author of the CISSP Study Guide and Information Security Illuminated.

About the Author

Mike Chapple

Mike Chapple is an IT professional and assistant professor of computer applications at the University of Notre Dame. He is a frequent contributor to BizTech magazine, SearchSecurity and About.com as well as the author of over a dozen books including the CISSP Study Guide, Information Security Illuminated and SQL Server 2008 for Dummies.
