Governance & Risk Management , Insider Threat
Lessons Not Learned from WikiLeaksMany Ignore WikiLeaks-Like Threats, Infosec Expert Eric Cole Says
"With the right people, process and technology, you could be able to put a system together that would greatly reduce the impact these types of attacks have," Eric Cole, a SANS Institute faculty fellow and founder of the network security consultancy Secure Anchor Consulting, says in an interview with Information Security Media Group (transcript below).
Cole says one of the biggest failures deals with how organizations control and manage access to data. Individuals should have access to data for a limited time. "If you look at just about everything else we do, your driver's license has an expiration date; your passport has an expiration date; so when you are given access to sensitive data, it is typically infinite and there no expiration," he says. By placing time constraints on entree to sensitive data, Cole says, the burden shifts to the user from the data owner on justifying access.
Search and indexing technologies also can help limit access to data and reduce the danger of improver exposure. Each document would be indexed by page, paragraph or sentence. Users could conduct a search without getting details or access to the document. "You can get the details you need on a specific area, but the bigger risk of getting more access than what is required to do your job is reduced," Cole says. "At the end of the day ... we see insider threat and information leakage (when) the person needed some of the information in the document but not the entire document, but because most organizations don't know to hand it off in a more granular fashion, it is an all or nothing, and then they end up getting this repository with a lot more information than really is required."
Another approach to safeguard data that doesn't require new technology is to limit access to sensitive information from a thin client or virtual machine; that means no local storage on users' own devices. Users Cole says, "could have a profile and they could have a directory on the server where they can save their searches, but everything is stored and controlled at the server level and nothing is put at the client level, and then all of the sudden, once again, you are taking away yet another avenue of exploitation from that user."
In the interview, conducted by Information Security Media Group's Eric Chabrow, Cole also:
- Assesses how the WikiLeaks breach occurred,
- Laments that most organizations won't learn the lesson from the WikiLeaks episode and
- Poses three critical questions organizations should answer to assess their vulnerabilities.
Cole is an industry-recognized security expert and has authored several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible and Insider Threat. (with Sandra Ring). He is an inventor who holds more than 20 patents. Cole serves on the Commission on Cybersecurity for the 44th President and is actively involved with the SANS Technology Institute and SANS working with students, teaching and maintaining and developing courseware.
What Went Wrong?
ERIC CHABROW: From an IT security perspective, what went wrong? How preventable was the WikiLeaks breach?
ERIC COLE: That's a very interesting question because typically when we look at security we always look at access control and the idea of the insider threat is people can access information that they need to perform their jobs, but they are using it for other purposes in which it wasn't intended.
And in this particular case, it is interesting because first, I can't imagine, based on the amount of information that was leaked out that one person would need access to all of that data in order to perform their job function. I would immediately think that there was clearly a problem in terms of controlling, managing and limiting access within the enterprise.
While that could never be prevented, that could have been reduced greatly by better controlling and managing who can store what and in which media. But the other important thing gets down to the data loss prevention controls and the classification.
Based on the fact that this information was supposed to be classified, you would think that if they had some monitoring in place they would have once again either been able to be detected or prevented very quickly and the amount of damage would be reduced. Based on the shear size of the leakage, it makes me think that there is minimal detection and minimal outbound controls in place that could have either reduced or greatly prevented the damage.
CHABROW: I wonder in such a large bureaucracy or organization as the federal government is, the responsibility of limiting people access to specific information - I mean this is a situation that if the allegations are to be believed that you had someone in the Army getting access to State Department documents. What kind of challenge does that present in a sense of who governs who gets access?
COLE: That brings up the whole issue of data portability. You always hear different organizations that are being accused of not sharing information with other government entities or other offices that it presents an interesting problem because if you had data at one organizational unit, they could have the best access controls, they could have the best audited, they could have the best manageability of that information, but if they allow one authorized person to be able to copy that information, they can copy it and put it on a different government entity's server and now, in essence, be the owner of that data and be able to create their own access lists, create their own permissions and do whatever they want.
This creates a huge problem because now how do you go in and limit distribution without going in and prohibiting the function. This is where a lot of this new technology is coming into play, which is when you go and view and read information without being able to actually download, save a local copy or do anything with the data, and it brings up an interesting concept because if you could do that, a lot of these problems and a lot of the complexities would go away.
CHABROW: So the technology exists to do that?
COLE: Some of it exists in commercial products and some of it is how you would set up the data, but the answer is yes, with the right people, process and technology you could be able to put a system together that would greatly reduce the impact these types of attacks have.
The Biggest Failure
CHABROW: When you have information like this, should there be a single owner?
COLE: Well ultimately, with any piece of information, you should clearly define who is responsible for the protection of that data. You should then clearly have guidelines and policies of what is required in order for somebody to get access to the information and how long should they have access to that data.
In my opinion, probably one of the biggest failures in how we control and manage access is the fact that a lot of access has no expiration. If you look at just about everything else we do, your driver's license has an expiration date; your passport has an expiration date; so when you are given access to sensitive data, it is typically infinite and there no expiration.
What if we went in and every time you were given access to the data you were only given that access for 10 day or 15 days; there was an expiration on it and then if you still needed the information, you would then request a new approval for it and have to be able to be reauthorized to get access. Now what you are doing is you are shifting the burden on the user, which is where it should be, as opposed to this data owner that is too busy and too over-tasked to really track and recognize other people really do or don't need it over a long period of time.
CHABROW: A lot of the systems developed over the past two years in government and as a result of the idea that different agencies need to share information after the 9/11 attacks; before then everything was in silos and people didn't know what other agencies were doing. That sounds good, but then you have the problem that we just saw with the WikiLeaks.
A user of information doesn't necessarily know what other agencies have and which could be very valuable for them to do their jobs. How does this play into this whole area of gaining access to information that could be critical, but then again protecting it from people who shouldn't be getting it?
COLE: That is at least a challenge because one of the phrases we use is, "Anything that could be used for good and be used for evil. So, on the one hand, you want the information to be accessible to a large number of people, you want high-end correlation of data and you want high-end details to be obtained, but on the other hand you want to reduce the risk of information being leaked out.
Once again, lots of different strategies where there are actually searching techniques where you can go in and find out information about a source without getting the details, or without getting the actual document. The idea now is instead of going in and letting somebody have full access to a 40-page document, when they might only need two of the 40 pages, what if we went in and actually did a better job indexing it where now you are indexing it at a more granular level. You are indexing at a paragraph or a page level so that now you are not requesting documents, you are requesting sentences or paragraphs. Now, now all of the sudden, you can get the details you need on a specific area but the bigger risk of getting more access than what is required to do your job is reduced.
At the end of the day, a lot of these problems that we see insider threat and information leakage, usually what occurs, and my guess is it would be true in this situation, the person needed some of the information in the document but not the entire document, but because most organizations don't know to hand it off in a more granular fashion, it is an all or nothing, and then they end up getting this repository with a lot more information than really is required.
Thin Client, Virtualization Reduce Risks
CHABROW: Would new tools need to be developed to automate this process, or can this process be automated?
COLE: If you think about the idea of having to go in and index everything at a sentence or paragraph level, it is a huge amount of work. The good part is, most of it can be done from an automated perspective. Now, there would be some costs in terms of the warehousing of this information, but you could argue that if the information is in electronic form, whether you are storing it as a single paragraph or as an entire document, it really takes up the same amount of space. So it is really the indexing form a high-end search engine to be able to build a meta- database to be able to find and access that particular data.
The other important thing is we have to better control that information. Right now today, all of the information is on servers; we have strict access control lists on the server but if you can get one person to copy that data who is authorized to their laptop, all of the access controls now are completely bypassed and they can give it out to anyone they want.
What if every time you are allowing somebody to access that sensitive information they had to do it from a thin client or a virtual machine? Anything they access could not be stored locally long-term; it would have to be maintained on the server. They could have a profile and they could have a directory on the server where they can save their searches, but everything is stored and controlled at the server level and nothing is put at the client level, and then all of the sudden once again you are taking away yet another avenue of exploitation from that user.
CHABROW: Obviously, at some point people would need to somehow store it; I mean the president of the United States isn't going to be working on a thin client, would he?
COLE: It depends on how transparent you make it. If you have the ability to open, view, access, store and read information, whether it is on your local hard drive or whether it is remote across the network, that really doesn't matter, and I don't think the president would care, it is all about can he get access to the information, when, where and how he needs it. And, if you look at all of the different communication mediums we have now between wireless, satellite and wired networks in almost every location, someone is always connected to a network; we can even do it at 40,000 feet now in airplanes and be able to have full access to the internet. As this access anywhere continues, I think you can do it in a way where it is completely transparent to the person and they just are not storing anything on a local portable media that has a greater risk of exposure and compromise.
3 Critical Questions
CHABROW: Any other takeaways you would like to share?
COLE: Probably the big takeaway is, and I know when I say it sounds obvious, but we are amazed at how many organizations can't answer these simple questions. If you really want to have good security, you have to remember that especially when dealing with the insider threat, it is not about firewalls, IP addresses or technology. What it all comes down to is your data, and I would urge you - can you answer three questions.
- What is your critical data?
- What business processes utilize that critical data?
- And, on what servers does that critical data reside?
CHABROW: Do you think people have learn the lesson of the WikiLeaks or do you think this is going to be a struggle for many organizations in the years to come?
COLE: I definitely think some folks have learned a lesson, but unfortunately in a lot of cases there is a small percentage of people though who they may see harm to others, they don't want the harm to them and they will learn from that activity. However, a large percentage of folks we found, until they personally suffer pain, they don't think it is something that can happen to them.
Unfortunately, I think there will be a large percentage of folks who will look at that, shake their heads and think how could this have happened, but then in the next sentence they say this can't happen to us. What everyone needs to realize is it absolutely, positively can happen to you. The question I would ask is: If there was somebody in your organization who is accessing information or more information than they should, if they were putting it on USB or other mechanisms and leaking it out of your organization, how would you know?
If the answer to that question is that you wouldn't, then you have to realize that you could have just put your name instead of the government's and the whole WikiLeaks thing could now be focused on your organization and all the issues you have.