Wikileaks fallout: Keeping your secrets safe

At minimum, the Wikileaks loss should sound an alarm for access control of privileged users such as web and system administrators, says Xceedium's Ken Ammon.
Written by Ken Ammon, Contributor
Commentary - What do Metallica and the U.S. government have in common?

They are both fighting to control information once it has been placed on the Internet. Like Napster, which rocked the music industry by enabling piracy and was eventually sued by Metallica, the current Wikileaks crisis, concerning the unauthorized access to and downloading of some 250,000 sensitive and classified diplomatic cables and other files, is simply another example of a controversial, highly efficient and hard-to-stop Internet distribution engine for the global sharing of data.

Both Metallica and the U.S. government have gone after these Internet distribution systems in an attempt to regain control of content they own. But it’s a losing battle. For Metallica, little has been done to stop the millions of people who illegally access and share music files; Internet users know that several Napster replacements exist that still amass files and enable the sharing of them. When something people want, whether music or data, becomes public, you can be sure that people will find a way to share it.

Clearly, once information is available online—whether government cables or music—the people who own the information have lost all control over it. They can discuss new laws to accommodate new technologies, ethics and so on, but an equally pertinent question is “what could we have done to prevent this in the first place?”

The fundamental issue remains that in most organizations, trust is granted to staff, allowing them access to mass amounts of an organization’s most sensitive data. And now the adoption of mobile and cloud computing paves the way for trusted staff to transfer and share that data on the Internet. How do you manage trust over so much data, and how do you recover your sensitive data once it is posted on the Internet? You can’t put the genie back in the bottle, so the real question should be, “What are we doing to keep it in?”

In the early 1990s both blackhats and whitehats (cyber-savvy individuals who use their know-how for bad or good, respectively) played around with ways to extract information from systems and were amazed at the assets they could access. It didn’t require a high level of sophistication to write a virus and exploit weaknesses in systems. As the security market continued to expand, most of the early demand was for solutions to problems that didn’t threaten to siphon sensitive information or steal intellectual property. Rather, the problems that people paid money to fix were annoyances that took up the IT or security department’s time or that cut into employee productivity. Still, this was enough to fuel significant investment in security products to thwart issues like denial-of-service and destruction of data. Now, for the most part, companies seem to have established at least a reasonable state of availability for servers, storage, and communication services. Headlines don’t frequently talk of a virus getting into a system and shutting the whole network down anymore.

Still, we have yet to get ahead of the problem of a capable, motivated attacker who in some cases is sponsored by a foreign government. Today, we’re all talking about what happened with Wikileaks, and many are focusing on the “Wiki” and not the leaks. And while providers have shown good faith by withdrawing DNS and hosting services from the Wikileaks site, what will follow is a game of whack-a-mole. Case in point: Napster music sharing was replaced by platforms such as Limewire and BitTorrent. In terms of sophistication, the Wikileaks loss is the equivalent of yesterday’s clumsy virus. Quite simply, the leak originated with a low-level analyst who was trusted to follow policy. And while the security community is abuzz about emerging advanced persistent threats capable of sophisticated and coordinated attacks on nuclear plants (Stuxnet), let us not forget that we continue to be at great risk from much less sophisticated threats, like trusted insiders whose access is controlled only by basic tools such as handbooks and written policy. The sticky area has always been the way organizations grant trust and the amount of power given to a user once that trust has been granted. There has to be a shift in paradigm. Companies should still aim to establish trust, with background investigations and the like, when they engage with partners, employees, and so on. But organizations can no longer extend that level of trust to things as powerful as information systems and technology, and in particular to those trusted to administer and manage these platforms.

Commonly, a system admin gets a background check, gains clearance and is handed the ultimate access to government or company information and infrastructure. Not anymore. Organizations need to move to a zero-trust model in which written policy is enforced by technology rather than by the honor system. At a minimum, the Wikileaks loss should sound an alarm for access control of privileged users such as web and system administrators. The potential for loss is too great to expect that every person will pay attention to a memo or follow the employee handbook. After all, it took only one bad seed for Wikileaks to occur.

Just last month, the Executive Office of the President’s Office of Management and Budget issued a memo to the heads of departments and agencies regarding Wikileaks and the misuse of classified information. The memo includes the following immediate instruction, which supports the zero-trust approach:

• Each department or agency that handles classified information shall establish a security assessment team consisting of counterintelligence, security, and information assurance experts to review the agency’s implementation of procedures for safeguarding classified information against improper disclosures. Such review should include (without limitation) evaluation of the agency’s configuration of classified government systems to ensure that users do not have broader access than is necessary to do their jobs effectively, as well as implementation of restrictions on usage of, and removable media capabilities from, classified government computer networks.

Many issues must be addressed before the full gamut of Internet security challenges, and the competing need to share data, can be solved. At a minimum, though, organizations should tackle the high-risk challenges posed by well-understood threats that are easy to solve, like controlling administrator and privileged access to data and systems with existing technologies that are not prohibitively expensive. In fact, a proper privilege management platform designed to control, contain, and audit access to only those assets and systems needed to perform one’s job could have prevented the Wikileaks leak.
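To make the “control, contain, and audit” idea concrete, here is an added example (not code from the article or from Xceedium) of the three checks such a platform enforces with technology rather than a handbook: a deny-by-default authorization gate in which each role is granted only the specific resources and actions its job needs, a blanket block on removable-media and bulk-export actions as the OMB memo directs, and an audit trail with an alert when a single user’s reads exceed a volume that no one doing their job would plausibly need. The role names, resource paths, users and threshold are constructed for illustration.

```python
"""Deny-by-default privileged-access gate with audit trail and bulk-read alerting.

Added example, not from the original article. Roles, resources, users and the
alert threshold below are constructed; a real deployment would load policy
from its privilege-management system.
"""
from collections import Counter
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed least-privilege policy: each role lists exactly the
# (resource pattern, action) grants its job requires. Anything not listed
# is denied. Note the separation of duties: the database admin can patch
# and restart the host but is never granted read access to the cables.
POLICY = {
    "eur_analyst": {("cables/EUR/*", "read")},
    "db_admin": {("host/cable-db-01", "restart"), ("host/cable-db-01", "patch")},
}

# Actions that no role may perform, mirroring the memo's restriction on
# removable media: enforced in code, not in the employee handbook.
FORBIDDEN_ACTIONS = {"copy_to_removable", "bulk_export"}


@dataclass
class PrivilegeGate:
    roles: dict                      # user -> set of role names (constructed)
    bulk_threshold: int = 100        # reads per user before an alert is raised
    audit: list = field(default_factory=list)   # (user, resource, action, decision)
    reads: Counter = field(default_factory=Counter)

    def authorize(self, user: str, resource: str, action: str) -> bool:
        """Return True only if some role of `user` explicitly grants the action.

        Every decision, allowed or denied, is appended to the audit trail so
        that denied attempts (a probe for broader access) are visible too.
        """
        if action in FORBIDDEN_ACTIONS:
            decision = "DENY:forbidden-action"
        elif any(
            fnmatch(resource, pattern) and granted == action
            for role in self.roles.get(user, ())
            for pattern, granted in POLICY.get(role, ())
        ):
            decision = "ALLOW"
        else:
            decision = "DENY:no-matching-grant"

        self.audit.append((user, resource, action, decision))
        if decision == "ALLOW" and action == "read":
            self.reads[user] += 1
        return decision == "ALLOW"

    def bulk_read_alerts(self) -> dict:
        """Users whose allowed read count exceeds the threshold.

        Each individual read may be legitimately authorized; it is the volume
        that signals an insider pulling far more than the job requires.
        """
        return {u: n for u, n in self.reads.items() if n > self.bulk_threshold}


def demo() -> PrivilegeGate:
    """Run a constructed scenario and return the gate for inspection."""
    gate = PrivilegeGate(
        roles={"analyst1": {"eur_analyst"}, "admin1": {"db_admin"}},
        bulk_threshold=50,
    )
    gate.authorize("admin1", "host/cable-db-01", "patch")          # allowed
    gate.authorize("admin1", "cables/EUR/10BERLIN1", "read")       # denied: admin, not analyst
    gate.authorize("analyst1", "cables/MEA/10CAIRO1", "read")      # denied: outside region
    for i in range(120):                                           # allowed, but far too many
        gate.authorize("analyst1", f"cables/EUR/10BERLIN{i}", "read")
    gate.authorize("analyst1", "cables/EUR/10BERLIN1", "copy_to_removable")  # denied: forbidden
    return gate


if __name__ == "__main__":
    g = demo()
    for entry in g.audit:
        if not entry[3].startswith("ALLOW"):
            print("denied:", entry)
    print("bulk-read alerts:", g.bulk_read_alerts())
```

The point of the scenario is the last two checks: the analyst is legitimately entitled to each individual European cable, so no single authorization decision is wrong, yet the audit counter exposes the mass download and the removable-media path is closed regardless of role. Those are the controls that written policy alone cannot provide.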

Ken Ammon is the chief strategy officer at Xceedium
