The recent military and U.S. State Department Wikileaks fiasco epitomizes a key challenge to data security and privacy today: the authorized insider threat.
Massive amounts of secret documents: 250,000 embassy cables, 91,000 documents relating to the Afghanistan war, and almost 400,000 documents relating to the Iraq war, were taken and leaked to Wikileaks. And this may just be the tip of the iceberg--Wikileaks founder Julian Assange reportedly has an encrypted 1.4 gigabyte 'insurance' file that will be decrypted and leaked if he dies.
All this information came from 'authorized users'. Allegedly, a low-level intelligence analyst, an Army private no less, had access and downloaded all the Iraq and Afghanistan war documents to CDs or DVDs. He may also be responsible for the State Department leak.
The authorized insider threat is not unique to the government or the military. All organizations are susceptible--virtually any organization that has sensitive business information such as earnings releases, merger and acquisition plans, strategic plans, attorney/client documents, personal identifiable information, sensitive internal emails, et cetera, is at risk. Notably, Wikileaks has said that their next target for posting whistle-blowing documents will be a large US financial institution.
Moreover, not all leaked information has to be sensitive to be damaging. Damage may occur from leaked intellectual property, or embarrassing things such as blunt emails that can be taken out of context, or internal debates on controversial issues that are not meant for public consumption.
Even if you know who has access to what, can an organization know what their employees did, what documents they read, printed, or copied?
Why organizations are at risk
Organizations are at risk because they have both sensitive information and people who have authorized access to it. Even assuming that access to sensitive information is adequately protected, organizations are still at risk, because a determined disgruntled or uninformed authorized user can still find ways to steal or lose information.
The challenge is to evolve the layers of information security defenses to reduce that exposure.
We know that the government and the military have the essential security safeguards in place. They classify their information, restrict access to it using role-based or other discretionary access controls, have policies and procedures to properly handle classified information, and have network technical safeguards--to name a few. Yet a massive leak still occurred.
Why weren't these massive leaks, at a minimum, detected, and, optimally, prevented? The simple reason is that information security practices and tools have not kept pace with the threat.
This is because policies and procedures, data classification, RBAC (role-based access control) or other discretionary access controls (see note below), data loss protection, event monitoring, etc., are not in of themselves sufficient. While they reduce the exposure to some degree, they are too imprecise to effectively address the authorized insider threat.
Leaking sensitive information is not new. Many high profile leaks have occurred in the past, including, the Pentagon papers during the Vietnam War, Enron financial dealings, and Deep Throat in the Watergate case.
What is new is that a tremendous amount of information can easily be accessed and leaked anonymously. The amount of information and the ease of leaking information is at an all time high. Current security safeguards, both from a capability and deployment perspective, have not keep pace with the evolving threat.
Information security defenses need to evolve
Information security defenses need to evolve to combat the authorized insider threat. We need to develop the analytical skills that will combine RBAC roles, data classification, SEIM (security event information monitoring) results, endpoint security events, etc., and develop standard 'data usage' activity profiles.
One way for security systems to evolve is through 'behavioral or anomaly' based data loss prevention security.
This approach could be similar to how we combat advanced persistent threats (APT), where low-level malware is detected and neutralized by analyzing how codes behave through multiple vectors as it traverses the network and the application layers. Anti-malware solution providers develop 'anomaly' based algorithms to detect and prevent malware infestations. A similar concept is needed to detect and prevent potential data leaks by authorized users.
The goal is to detect behavioral anomalies that would detect and prevent an authorized insider data leak. It should be noted that the implementation of many of these security defenses is still immature and limited in many organizations. For example, many organizations only have RBAC implemented for SOX applications; DLP (data loss protection) policies are very coarse such as prohibiting use of thumb drives. So along with evolving security defenses; it will be necessary that current defenses are sufficiently implemented.
As an example, assume there are 10 people who perform the same job and have the same access (or role) in an accounting department. 'Behavioral or anomaly' based security should detect if an authorized insider is remotely logged into the system off-hours, assessing and downloading the vendor payment files etc. It should show abnormal data usage anomaly compared to standard data usage profile.
In the Wikileaks example, someone should have detected that a private intelligence analyst, while authorized to access the documents, was accessing massive amounts of documents and copying them to a CD or DVR. One can argue that this authorized user had way too much access to information or that a DLP policy that did not allow writing to a CD or DVR could have addressed this situation but that is not addressing the root problem. Namely, that people need to be authorized to access information and the ability to perform functions like printing, emailing, info-sharing, etc. Draconian policies and procedures only work in situations where it is all or nothing and have little applicability to the real world. They also foster bad behaviors or lead both the good and the bad actor to use alternative methods to access data in order to circumvent hard controls.
The authorized insider threat will always exist. The risk will continue to increase as more information is digitize, storage medium increases, and new devices (e.g. iPads) and exchange mediums (e.g. social networks) are used.
Current security policies and procedures, access management like RBAC, access certification, data classification, security event monitoring, and data-loss prevention technologies are not sufficient to address the authorized insider threat as they are typically stovepiped in nature. Even when 'state of the art' practices and technologies such as RBAC, DLP, and SIEM are used, they are often times not deployed or implemented with the necessary depth to sufficiently track and monitor a disgruntled authorized user.
The orchestration of these processes and technologies combined with the necessary analytical resources to develop 'behavioral or anomaly' based information security capabilities, are needed to detect and prevent data leaks by authorized insiders.
Craig Shumard is retired CISO for CIGNA Corp. Serge Beaulieu, CISSP CISM, is a security consultant and retired head of Security Technology Planning and Roadmaps at CIGNA Corp.