WikiLeaks incidents stoke IT security angst
Lack of security controls and processes can make corporate IT vulnerable to the leaking of sensitive data to sites like WikiLeaks
Computerworld - WikiLeaks' continued posting of classified U.S. Department of State cables, and the whistleblower Web site's revelation that it will soon post sensitive internal documents from a major U.S. bank, has stoked data security concerns among governments and large businesses around the world.
WikiLeaks has not disclosed how it obtained tens of thousands of State Department cables or the bank documents that it claims to hold.
However, a relatively low-level U.S. Army intelligence officer, charged in an earlier leak of classified documents to WikiLeaks, is suspected in leaking the State Department data to the site.
Private First Class Bradley E. Manning also claims to have illegally accessed and downloaded the State Department cables while stationed at a military base in Baghdad. Bradley was arrested earlier this year, after a former hacker he had confided in turned him into authorities.
In a security pro's online conversations with the ex-hacker, Adrian Lamo, details of which were published on Wired.com earlier this year, Manning is alleged to have boasted about the "unprecedented access" he had to classified networks for up to 14 hours a day.
Manning allegedly claimed to have had Top Secret clearance to access SIPRNET, a classified network used by the Department of Defense and the State Department, and to the Joint Worldwide Intelligence Communications System used by the two agencies for Top Secret/Sensitive Compartmentalized Information.
Even with his top secret clearance, the apparent fact that Manning was so easily able to pull off one of the largest data leaks ever, indicates serious security problems, said Tim O'Pry, CTO at the Henssler Financial Group in Kennesaw, Ga.
O'Pry, a former U.S. Air Force cryptanalyst stationed at the National Security Agency, said that based on available information, "the systems simply were poorly designed to maintain and control the information."
Manning's access to a significant amount of information showed that access to the highly classified networks was not controlled on a need-to-know basis, he said.
For enterprise IT managers, the WikiLeaks disclosures highlight the importance of adopting a "trust, but verify" approach to information security, O'Pry said. "This doesn't mean you need to be paranoid or distrust your employees - just the opposite: trust, but verify. And, let them know you verify," he added.
The financial controls in place at Henssler Financial include segmenting and restricting access to information based on job roles. All data access and attempts to access are routinely logged and checked.
"When it comes to client information, we know who looked at it, when they looked at it, and if it was printed or copied," O'Pry said. Henssler also runs credit and background checks of all employees at least once per year to identify issues that could lead to potential problems, he added.
- NSA used 'European bazaar' to spy on EU citizens
- Target CIO resigns following breach
- Evan Schuman: Mobile IT Roach Motel: Data checks in, but it won't check out
- Sears finds no evidence of data breach -- yet
- Gameover malware is tougher to kill with new rootkit component
- Mobile app for RSA Conference exposes personal data
- UK man charged with hacking Federal Reserve
- Bloomberg clamps down with data-access policies after scandal
- Amazon.com security slip allowed unlimited password guesses on mobile apps
- Huge turnout at RSA shows hackers are winning
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts