Skip the navigation

WikiLeaks incidents stoke IT security angst

Lack of security controls and processes can make corporate IT vulnerable to the leaking of sensitive data to sites like WikiLeaks

December 3, 2010 06:00 AM ET

Computerworld - WikiLeaks' continued posting of classified U.S. Department of State cables, and the whistleblower Web site's revelation that it will soon post sensitive internal documents from a major U.S. bank, has stoked data security concerns among governments and large businesses around the world.

WikiLeaks has not disclosed how it obtained tens of thousands of State Department cables or the bank documents that it claims to hold.

However, a relatively low-level U.S. Army intelligence officer, charged in an earlier leak of classified documents to WikiLeaks, is suspected in leaking the State Department data to the site.

Private First Class Bradley E. Manning also claims to have illegally accessed and downloaded the State Department cables while stationed at a military base in Baghdad. Bradley was arrested earlier this year, after a former hacker he had confided in turned him into authorities.

In a security pro's online conversations with the ex-hacker, Adrian Lamo, details of which were published on earlier this year, Manning is alleged to have boasted about the "unprecedented access" he had to classified networks for up to 14 hours a day.

Manning allegedly claimed to have had Top Secret clearance to access SIPRNET, a classified network used by the Department of Defense and the State Department, and to the Joint Worldwide Intelligence Communications System used by the two agencies for Top Secret/Sensitive Compartmentalized Information.

Even with his top secret clearance, the apparent fact that Manning was so easily able to pull off one of the largest data leaks ever, indicates serious security problems, said Tim O'Pry, CTO at the Henssler Financial Group in Kennesaw, Ga.

O'Pry, a former U.S. Air Force cryptanalyst stationed at the National Security Agency, said that based on available information, "the systems simply were poorly designed to maintain and control the information."

Manning's access to a significant amount of information showed that access to the highly classified networks was not controlled on a need-to-know basis, he said.

For enterprise IT managers, the WikiLeaks disclosures highlight the importance of adopting a "trust, but verify" approach to information security, O'Pry said. "This doesn't mean you need to be paranoid or distrust your employees - just the opposite: trust, but verify. And, let them know you verify," he added.

The financial controls in place at Henssler Financial include segmenting and restricting access to information based on job roles. All data access and attempts to access are routinely logged and checked.

"When it comes to client information, we know who looked at it, when they looked at it, and if it was printed or copied," O'Pry said. Henssler also runs credit and background checks of all employees at least once per year to identify issues that could lead to potential problems, he added.

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!