WikiLeaks incidents stoke IT security angst
Lack of security controls and processes can make corporate IT vulnerable to the leaking of sensitive data to sites like WikiLeaks
Computerworld - WikiLeaks' continued posting of classified U.S. Department of State cables, and the whistleblower Web site's revelation that it will soon post sensitive internal documents from a major U.S. bank, has stoked data security concerns among governments and large businesses around the world.
WikiLeaks has not disclosed how it obtained tens of thousands of State Department cables or the bank documents that it claims to hold.
However, a relatively low-level U.S. Army intelligence officer, charged in an earlier leak of classified documents to WikiLeaks, is suspected in leaking the State Department data to the site.
Private First Class Bradley E. Manning also claims to have illegally accessed and downloaded the State Department cables while stationed at a military base in Baghdad. Bradley was arrested earlier this year, after a former hacker he had confided in turned him into authorities.
In a security pro's online conversations with the ex-hacker, Adrian Lamo, details of which were published on Wired.com earlier this year, Manning is alleged to have boasted about the "unprecedented access" he had to classified networks for up to 14 hours a day.
Manning allegedly claimed to have had Top Secret clearance to access SIPRNET, a classified network used by the Department of Defense and the State Department, and to the Joint Worldwide Intelligence Communications System used by the two agencies for Top Secret/Sensitive Compartmentalized Information.
Even with his top secret clearance, the apparent fact that Manning was so easily able to pull off one of the largest data leaks ever, indicates serious security problems, said Tim O'Pry, CTO at the Henssler Financial Group in Kennesaw, Ga.
O'Pry, a former U.S. Air Force cryptanalyst stationed at the National Security Agency, said that based on available information, "the systems simply were poorly designed to maintain and control the information."
Manning's access to a significant amount of information showed that access to the highly classified networks was not controlled on a need-to-know basis, he said.
For enterprise IT managers, the WikiLeaks disclosures highlight the importance of adopting a "trust, but verify" approach to information security, O'Pry said. "This doesn't mean you need to be paranoid or distrust your employees - just the opposite: trust, but verify. And, let them know you verify," he added.
The financial controls in place at Henssler Financial include segmenting and restricting access to information based on job roles. All data access and attempts to access are routinely logged and checked.
"When it comes to client information, we know who looked at it, when they looked at it, and if it was printed or copied," O'Pry said. Henssler also runs credit and background checks of all employees at least once per year to identify issues that could lead to potential problems, he added.
- Teen nabbed in Heartbleed attack against Canadian tax site
- Heartbleed bug can expose private server encryption keys
- FTC can sue companies hit with data breaches, court says
- 5-year-old hacks Xbox, now he's a Microsoft 'security researcher'
- State AGs probe Experian subsidiary's data breach
- NSA sniffing prompts Yahoo to encrypt traffic between its data centers
- Banks withdraw data breach claim against Target
- Bank abandons place in class-action suit against Target, Trustwave
- Banks' suit in Target breach a 'wake-up call' for companies hiring PCI auditors
- Gameover malware takes aim at Monster.com and CareerBuilder.com
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts