Wednesday, May 18, 2016

WikiLeaks: It is a wakeup call, will that make our jobs easier?



Almost every conversation I have had with a CISO has somehow stumbled onto the topic of the data breach at the US Department of Defence (DoD) and the subsequent release of that information through WikiLeaks.

Many CISOs have told us that their executives are asking for reassurances that this type of large-scale data disclosure is not possible in their organisation. Some executives have even asked the security team to give presentations to management educating them on the existing security controls against similar attacks.

Responding to these questions is tricky: “It’s like treading on thin ice,” commented one CISO. If you tell them everything is under control, you may create a false sense of security. If you tell them that it is very likely that such an incident could happen within their organisation, it may be a career-limiting move.

I would recommend giving the executives a dose of reality. I do many security assessments for our clients and often find that organisations are relying far too much on the technology and infrastructure protections they already have.

Today’s reality is very different. We often operate in a global context with large and complex IT environments, which makes it hard to monitor and track data, and we share a tremendous amount of sensitive information with business partners and third parties. All of these realities were faced by the US government as well, and probably all contributed to the circumstances that led to the disclosure of data. As many of you try to extract the lessons learned from this episode, here is my take on it: it is a failure not of a single security control but of a set of multiple preventative and detective lapses.
Failure of preventative controls: Governance, Oversight and Access Control
Many people are shocked by the fact that a single person had access to all this information. Did Bradley Manning (the person alleged to have had this information), a 23-year-old Private First Class, need all of this information and unrestricted access to the Secret Internet Protocol Router Network (SIPRNet) to perform his job?

How come, over a period of months, he kept this access unnoticed? Don’t we have a “need to know” policy for some of this sensitive material? Why was he allowed to download data from the cable application in the first place? Shouldn’t the military be using some form of thin client to limit how much of this information can be downloaded at all?

Now, all of these are valid questions, and you would expect the military to have some of these controls already in place. But interestingly, if you ask the same questions about your own environment, pertaining to sensitive data within your organisation, many of you will realise that these areas are huge gaps for many enterprise environments as well.
Failure of detective controls: Network security, Data security and Applications
Information security teams often rely on detective controls to monitor and alert them to anomalies, inconsistencies and events that they can then investigate or react to. In this case it seems that many of the detective controls were also missing or breached.

A little sidebar here: many companies tend to believe that if we block access to something, or allow only limited access to it, that means we don’t need to worry about it. Wrong thinking! I suspect that’s what happened here: Bradley Manning claims to have copied this information onto writable CDs.

DoD lifted an outright ban on removable media only in February, allowing it in very limited circumstances. By establishing this policy, DoD thought they had taken care of this risk. Many companies I talk to today are doing the same thing with social media: “We block it, and that’s why we don’t need to worry about it.” This could be a recipe for disaster.

So what other detective controls could have prevented such a disclosure? Granted, Bradley Manning was an “insider,” but I would still assume that, since this information was classified, there would be some monitoring in place, especially when a large volume of this data is being copied onto an external medium.

Either that monitoring did not work or there were serious lapses in it. Security information management (SIM) probably wouldn’t have found this unless they were really lucky, as it doesn’t monitor network activity that closely. But a technology such as data loss prevention (DLP) can alert you if someone is copying 1.6 GB of confidential/sensitive data onto an external medium.

Similarly, network anomaly detection tools can alert you to “unusual” activity from an individual user. But ultimately we need to acknowledge that all of these detective controls may still be useless if we have a malicious insider who knows what he or she is doing.
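The two detective controls just described, a DLP-style volume threshold and a per-user “unusual activity” baseline, are simple enough to show in a few dozen lines. The script below is an added example written for this post, not the DoD’s monitoring and not any DLP or SIM product. The log format (timestamp, user, action, destination, bytes, classification label) and every record in it are constructed for the illustration; real DLP tooling would have to classify the content itself rather than read a ready-made label.

```python
"""Two detective rules run over constructed audit-style log lines to flag bulk
copies of classified data onto removable media.  Added example code for the
post above; not DoD tooling and not any DLP/SIM product.  The log format and
every record below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Constructed records: ISO timestamp, user, action, destination, bytes, label.
# jdoe copies a megabyte or two on two days, then well over a gigabyte on day 3.
SAMPLE_LOG = """\
2010-01-03T09:00:00 jdoe COPY removable 1048576 SECRET
2010-01-04T09:30:00 jdoe COPY removable 2097152 SECRET
2010-01-04T14:00:00 asmith COPY network_share 524288 UNCLASSIFIED
2010-01-05T09:12:01 jdoe COPY removable 734003200 SECRET
2010-01-05T11:02:45 jdoe COPY removable 943718400 SECRET
2010-01-05T11:15:00 asmith COPY removable 10485760 SECRET
"""

CLASSIFIED = {"CONFIDENTIAL", "SECRET"}   # labels treated as sensitive here
MIB = 2 ** 20


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    dest: str
    size: int
    label: str


def parse_log(text):
    """Parse the constructed log format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, dest, size, label = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action,
                            dest, int(size), label))
    return sorted(events, key=lambda e: e.ts)


def classified_to_removable(events):
    """Keep only copies of labelled data onto removable media."""
    return [e for e in events
            if e.action == "COPY" and e.dest == "removable"
            and e.label in CLASSIFIED]


def volume_alerts(events, window=timedelta(hours=24), limit=500 * MIB):
    """Rule 1 (absolute threshold, DLP style): alert the first time a user moves
    more than `limit` bytes of classified data to removable media within any
    sliding `window`.  Returns (user, timestamp, bytes_in_window) tuples."""
    by_user = defaultdict(list)
    for e in classified_to_removable(events):
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        start, total = 0, 0
        for e in evs:
            total += e.size
            # Evict events that have fallen out of the window before checking.
            while e.ts - evs[start].ts > window:
                total -= evs[start].size
                start += 1
            if total > limit:
                alerts.append((user, e.ts, total))
                break
    return alerts


def baseline_alerts(events, factor=10.0):
    """Rule 2 (per-user anomaly): compare the most recent day's volume with the
    mean of that user's earlier days and alert when it exceeds `factor` times
    the baseline.  Users with no history are skipped; rule 1 still covers them.
    Returns (user, day, ratio) tuples."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in classified_to_removable(events):
        daily[e.user][e.ts.date()] += e.size
    alerts = []
    for user, days in daily.items():
        if len(days) < 2:
            continue
        ordered = sorted(days)
        latest = ordered[-1]
        baseline = mean([days[d] for d in ordered[:-1]])
        if baseline > 0 and days[latest] > factor * baseline:
            alerts.append((user, latest, days[latest] / baseline))
    return alerts


def run(text=SAMPLE_LOG):
    """Apply both rules to a log and return (volume_alerts, baseline_alerts)."""
    events = parse_log(text)
    return volume_alerts(events), baseline_alerts(events)


if __name__ == "__main__":
    for rule, alerts in zip(("volume", "baseline"), run()):
        for alert in alerts:
            print(rule, *alert)
```

On the constructed log, rule 1 fires for jdoe on the first 700 MB copy of day 3, because the sliding 24-hour window already holds the previous day's 2 MB; rule 2 fires for the same user because that day's total is more than a thousand times the earlier daily average, while asmith's single 10 MB copy trips neither rule. The point the post makes still stands: both rules are tunable by an insider who knows the thresholds, which is why they belong in a layered design rather than standing alone.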
I think this should serve as a serious wakeup call for us to stop relying on a single control and build our defences in layers, where each control serves to strengthen the overall security posture.

Let’s go back and revisit how we have implemented our people, process and technology controls to mitigate the risks of such disclosures. We also need to set realistic expectations with management on risk mitigation and acknowledge that we cannot guarantee 100% security because of all these variables and constraints.

I’d be interested to know if the data disclosures at WikiLeaks changed anything for you. Are you doing anything differently? Has it given you more visibility? Budget? Or has it created difficult questions for you?