WikiLeaks incidents stoke IT security angst
Lack of security controls and processes can make corporate IT vulnerable to the leaking of sensitive data to sites like WikiLeaks
Computerworld - WikiLeaks' continued posting of classified U.S. Department of State cables, and the whistleblower Web site's revelation that it will soon post sensitive internal documents from a major U.S. bank, has stoked data security concerns among governments and large businesses around the world.
WikiLeaks has not disclosed how it obtained tens of thousands of State Department cables or the bank documents that it claims to hold.
However, a relatively low-level U.S. Army intelligence officer, charged in an earlier leak of classified documents to WikiLeaks, is suspected in leaking the State Department data to the site.
Private First Class Bradley E. Manning also claims to have illegally accessed and downloaded the State Department cables while stationed at a military base in Baghdad. Bradley was arrested earlier this year, after a former hacker he had confided in turned him into authorities.
In a security pro's online conversations with the ex-hacker, Adrian Lamo, details of which were published on Wired.com earlier this year, Manning is alleged to have boasted about the "unprecedented access" he had to classified networks for up to 14 hours a day.
Manning allegedly claimed to have had Top Secret clearance to access SIPRNET, a classified network used by the Department of Defense and the State Department, and to the Joint Worldwide Intelligence Communications System used by the two agencies for Top Secret/Sensitive Compartmentalized Information.
Even with his top secret clearance, the apparent fact that Manning was so easily able to pull off one of the largest data leaks ever, indicates serious security problems, said Tim O'Pry, CTO at the Henssler Financial Group in Kennesaw, Ga.
O'Pry, a former U.S. Air Force cryptanalyst stationed at the National Security Agency, said that based on available information, "the systems simply were poorly designed to maintain and control the information."
Manning's access to a significant amount of information showed that access to the highly classified networks was not controlled on a need-to-know basis, he said.
For enterprise IT managers, the WikiLeaks disclosures highlight the importance of adopting a "trust, but verify" approach to information security, O'Pry said. "This doesn't mean you need to be paranoid or distrust your employees - just the opposite: trust, but verify. And, let them know you verify," he added.
The financial controls in place at Henssler Financial include segmenting and restricting access to information based on job roles. All data access and attempts to access are routinely logged and checked.
"When it comes to client information, we know who looked at it, when they looked at it, and if it was printed or copied," O'Pry said. Henssler also runs credit and background checks of all employees at least once per year to identify issues that could lead to potential problems, he added.
- Hackers steal user data from the European Central Bank website, demand money
- Arrests made after international cyber-ring targets StubHub
- SQL injection flaw opens door for Wall Street Journal database hack
- Goodwill Industries probes possible payment card breach
- Aloha point-of-sale terminal, sold on eBay, yields security surprises
- The biggest data breaches of 2014 (so far)
- Blue Shield discloses 18,000 doctors' Social Security numbers
- PF Chang's says breach was 'highly sophisticated criminal operation'
- Breaches exposed 1 in 7 US debit cards in 2013
- New malware program targets banking data
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!