Wikileaks and the authorized insider threat

Data security beyond DLP requires orchestration of many moving parts, say Craig Shumard and Serge Beaulieu

The recent military and U.S. State Department Wikileaks fiasco epitomizes a key challenge to data security and privacy today: the authorized insider threat.

Massive amounts of secret documents (250,000 embassy cables, 91,000 documents relating to the Afghanistan war, and almost 400,000 documents relating to the Iraq war) were taken and leaked to Wikileaks. And this may just be the tip of the iceberg--Wikileaks founder Julian Assange reportedly has an encrypted 1.4 gigabyte 'insurance' file that will be decrypted and leaked if he dies.

All this information came from 'authorized users'. Allegedly, a low-level intelligence analyst, an Army private no less, had access and downloaded all the Iraq and Afghanistan war documents to CDs or DVDs. He may also be responsible for the State Department leak.


The authorized insider threat is not unique to the government or the military. All organizations are susceptible--virtually any organization that has sensitive business information such as earnings releases, merger and acquisition plans, strategic plans, attorney/client documents, personally identifiable information, sensitive internal emails, et cetera, is at risk. Notably, Wikileaks has said that its next target for posting whistle-blowing documents will be a large US financial institution.

Moreover, not all leaked information has to be sensitive to be damaging. Damage may occur from leaked intellectual property, or embarrassing things such as blunt emails that can be taken out of context, or internal debates on controversial issues that are not meant for public consumption.

Even if you know who has access to what, can an organization know what their employees did, what documents they read, printed, or copied?

Why organizations are at risk

Organizations are at risk because they have both sensitive information and people who have authorized access to it. Even assuming that access to sensitive information is adequately protected, organizations are still at risk, because a determined disgruntled or uninformed authorized user can still find ways to steal or lose information.

The challenge is to evolve the layers of information security defenses to reduce that exposure.

We know that the government and the military have the essential security safeguards in place. They classify their information, restrict access to it using role-based or other discretionary access controls, have policies and procedures to properly handle classified information, and have network technical safeguards--to name a few. Yet a massive leak still occurred.

Why weren't these massive leaks, at a minimum, detected, and, optimally, prevented? The simple reason is that information security practices and tools have not kept pace with the threat.

This is because policies and procedures, data classification, RBAC (role-based access control) or other discretionary access controls, data loss protection, event monitoring, etc., are not in and of themselves sufficient. While they reduce the exposure to some degree, they are too imprecise to effectively address the authorized insider threat.

Leaking sensitive information is not new. Many high profile leaks have occurred in the past, including the Pentagon papers during the Vietnam War, Enron financial dealings, and Deep Throat in the Watergate case.

What is new is that a tremendous amount of information can easily be accessed and leaked anonymously. The amount of information and the ease of leaking it are at an all-time high. Current security safeguards, both from a capability and a deployment perspective, have not kept pace with the evolving threat.

Information security defenses need to evolve

Information security defenses need to evolve to combat the authorized insider threat. We need to develop the analytical skills that will combine RBAC roles, data classification, SIEM (security information and event management) results, endpoint security events, etc., and develop standard 'data usage' activity profiles.

One way for security systems to evolve is through 'behavioral or anomaly' based data loss prevention security.

This approach could be similar to how we combat advanced persistent threats (APT), where low-level malware is detected and neutralized by analyzing how code behaves across multiple vectors as it traverses the network and application layers. Anti-malware solution providers develop 'anomaly' based algorithms to detect and prevent malware infestations. A similar concept is needed to detect and prevent potential data leaks by authorized users.

The goal is to detect the behavioral anomalies that indicate an authorized insider data leak and to prevent it. It should be noted that the implementation of many of these security defenses is still immature and limited in many organizations. For example, many organizations have RBAC implemented only for SOX applications, and DLP (data loss protection) policies are very coarse, such as prohibiting the use of thumb drives. So along with evolving security defenses, it will be necessary that current defenses are sufficiently implemented.

As an example, assume there are 10 people who perform the same job and have the same access (or role) in an accounting department. 'Behavioral or anomaly' based security should detect if an authorized insider is remotely logged into the system off-hours, accessing and downloading the vendor payment files, etc. It should flag that user's abnormal data usage compared to the standard data usage profile for the role.

In the Wikileaks example, someone should have detected that a private intelligence analyst, while authorized to access the documents, was accessing massive amounts of documents and copying them to a CD or DVD. One can argue that this authorized user had far too much access to information, or that a DLP policy that did not allow writing to a CD or DVD could have addressed this situation, but that does not address the root problem: people need to be authorized to access information and to perform functions like printing, emailing, info-sharing, etc. Draconian policies and procedures only work in situations where it is all or nothing and have little applicability to the real world. They also foster bad behaviors, or lead both the good and the bad actor to use alternative methods to access data in order to circumvent hard controls.
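The two scenarios above (the accounting role accessed remotely off-hours, and one authorized user pulling and copying far more documents than anyone else in the same role) share one detection idea: build a 'data usage' profile per role and score each user against peers rather than against a fixed DLP rule. The following Python script is an added example, not code from the article or its authors. It runs over a constructed audit log (field names `user`, `role`, `ts`, `source`, `action`, `obj` are assumptions, as are the working-hours window and the threshold of three median absolute deviations above the peer median); a real deployment would feed it from SIEM or endpoint events and keep the baseline over many days, not one.

```python
"""Peer-group anomaly detection over a constructed access log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed policy: the local hours in which this role normally works.
BUSINESS_HOURS = range(7, 19)
# A count more than this many MADs above the peer median is treated as anomalous.
MAD_MULTIPLIER = 3
ACTIONS = ("read", "copy_removable")


def _mad(values, center):
    """Median absolute deviation: a spread measure a single outlier cannot inflate."""
    return median(abs(v - center) for v in values)


def build_role_profiles(events):
    """Return profiles[role][day][user] -> {action: count} for every user active that day."""
    profiles = defaultdict(lambda: defaultdict(
        lambda: defaultdict(lambda: dict.fromkeys(ACTIONS, 0))))
    for e in events:
        profiles[e["role"]][e["ts"][:10]][e["user"]][e["action"]] += 1
    return profiles


def detect_anomalies(events):
    """Flag (1) remote access outside working hours and (2) daily volumes far above peers."""
    alerts = []

    # Rule 1: off-hours remote activity, aggregated to one alert per user and day.
    off_hours = defaultdict(int)
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["source"] == "vpn" and hour not in BUSINESS_HOURS:
            off_hours[(e["user"], e["ts"][:10])] += 1
    for (user, day), n in sorted(off_hours.items()):
        alerts.append({"user": user, "day": day, "kind": "off_hours_remote",
                       "action": "any", "count": n})

    # Rule 2: each user's daily counts versus a robust baseline of same-role peers.
    for role, days in build_role_profiles(events).items():
        for day, per_user in days.items():
            if len(per_user) < 3:
                continue  # too few peers that day for a meaningful baseline
            for action in ACTIONS:
                for user, counts in per_user.items():
                    peers = [c[action] for u, c in per_user.items() if u != user]
                    center = median(peers)
                    # Floor the spread at 1 so an all-zero baseline (nobody copies
                    # to removable media) still yields a usable threshold.
                    spread = max(_mad(peers, center), 1)
                    if counts[action] > center + MAD_MULTIPLIER * spread:
                        alerts.append({"user": user, "day": day, "kind": "volume_outlier",
                                       "action": action, "count": counts[action],
                                       "peer_median": center})
    return alerts


def make_sample_log():
    """Constructed audit records for a ten-person accounting role; not real data."""
    events = []
    for i in range(1, 10):  # nine ordinary users: 5-7 on-site daytime reads each
        for k in range(5 + i % 3):
            events.append({"user": f"acct{i:02d}", "role": "accounting",
                           "ts": f"2010-11-22T{9 + k:02d}:15:00", "source": "lan",
                           "action": "read", "obj": f"ap/invoice_{i}{k}.pdf"})
    # The tenth user: VPN login at 02:00, bulk reads of vendor payment files,
    # then bulk copies to removable media.
    for k in range(60):
        events.append({"user": "acct10", "role": "accounting",
                       "ts": f"2010-11-22T02:{k:02d}:00", "source": "vpn",
                       "action": "read", "obj": f"ap/vendor_payments_{k}.csv"})
    for k in range(40):
        events.append({"user": "acct10", "role": "accounting",
                       "ts": f"2010-11-22T03:{k:02d}:00", "source": "vpn",
                       "action": "copy_removable", "obj": f"ap/vendor_payments_{k}.csv"})
    return events


if __name__ == "__main__":
    for alert in detect_anomalies(make_sample_log()):
        print(alert)
```

The median and MAD are used instead of mean and standard deviation deliberately: a single user reading sixty files would drag the mean of a ten-person group up enough that the outlier looks closer to normal, while the peer median stays at the ordinary handful of reads. On the constructed log only the tenth user is flagged, once for the off-hours VPN session and once each for the read and removable-copy volumes.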


The authorized insider threat will always exist. The risk will continue to increase as more information is digitized, storage media grow, and new devices (e.g. iPads) and exchange mediums (e.g. social networks) are used.

Current security policies and procedures, access management like RBAC, access certification, data classification, security event monitoring, and data-loss prevention technologies are not sufficient to address the authorized insider threat, as they are typically stovepiped in nature. Even when 'state of the art' practices and technologies such as RBAC, DLP, and SIEM are used, they are often not deployed or implemented with the necessary depth to sufficiently track and monitor a disgruntled authorized user.

The orchestration of these processes and technologies, combined with the analytical resources needed to develop 'behavioral or anomaly' based information security capabilities, is what is needed to detect and prevent data leaks by authorized insiders.

Craig Shumard is retired CISO for CIGNA Corp. Serge Beaulieu, CISSP CISM, is a security consultant and retired head of Security Technology Planning and Roadmaps at CIGNA Corp.
