Wikileaks and weak links

Photo of an unlocked gate padlockThis post is about Wikileaks, without being about Wikileaks. We know the most recent Wikileaks release was an overwhelmingly large set of data, generated by a fairly low-ranking intelligence analyst, and contains potentially sensitive information. The aspects of the Wikileaks scandal that fascinate me, however, are the human and organizational factors affecting data security.

Why did Bradley Manning do it? He must have known he would be subject to a long prison sentence (at best), and made no efforts to hide his actions. Assuming he was acting rationally, the benefits he imagined from doing so outweighed the prospect of certain punishment. Manning must have evaluated the volume and nature of the data at his disposal – data owned by his organization, effectively the U.S. government – and chose to place his individual motivations above those of the organization to which he belonged.

His own Wikipedia page and various media reports describe Manning’s “disillusionment,” and some opinion pieces paint him as “disgruntled.”

Disgruntled at the age of 23?

This fact points to the causes of the leak: it’s a people problem, more than an information problem. This includes security clearances, i.e., how many eyes need to see the information, but the solution is not about security clearances. Safeguarding organizational data such as that shared in the Wikileaks event is ultimately a management issue, for the following reasons:

A change in employee behavior is a crucial signal to management. It would surprise me if Manning’s behavior changed overnight from unassuming analyst to data thief. A good manager should look for changes in employee behavior that signal a shift in attitude. Furthermore, a manager should ensure he has enough information to act on if restricting or revisiting information flows becomes necessary, particularly in the event that an employee’s risk profile changes.

Digital natives exhibit different workplace values than their older counterparts. At 23, Manning is a digital native. Individuals under the age of 30 have grown up with technology in a world where a sense of possession is poorly defined in digital terms. Digital natives have a different notion of right and wrong in sharing information than previous generations of workers, even when information is proprietary to their organizations. Generation Y is also less loyal to organizations, and expects authority figures to earn their respect, rather than commanding it automatically. (I realize the Army is a very special kind of organization; however, the military cannot claim to be modernizing for warfare in the Information Age and expect to preserve outdated management philosophies, particularly when recruiting overwhelmingly from the digital natives demographic.)

Technology itself distracts from the human issues. Security specialists discuss access protocols and authentication procedures, but focusing on such issues is like staring at the end of someone’s finger when she points to a mountain in the distance. Internal data leaks are a real threat, but they are also perpetrated by people. The Information Age is changing the relationship between people and organizations. Adding to the urgency of the problem, today’s technological capabilities allow people to share and act on information as quickly as they think to do so. When “think it – do it” is the norm, it is important for an organization’s management to communicate expectations about information use and dissemination and to assess and monitor, in an honest way, the risks associated with information flows.

The landscape of information behavior is undergoing a major shift, and technology is merely an enabler of behavior. An individual’s ability to act impulsively, and with powerful tools that can execute enormously impactful actions digitally, should prompt organizations to manage closely the human aspects of internal security threats. It takes one weak link in an organization – unmonitored, disillusioned – to commit a destructive act with sensitive data. Although individuals should be empowered to make ethical, informed decisions when acting on behalf of their organizations, management culture must continue to adapt to the new Information Age, and its digital natives.

Photo by -Tripp-. Used in accordance with a Creative Commons 2.0 license.

Too many TLA’s

I had a teacher once say that IT is riddled with TLA’s (Three Letter Acronyms).  He thought it was hilarious.  It wasn’t until I started really looking into IT and security especially that I realized he was right.  In the realm of technology there are some acronyms that most people know HTTP, IP, and PC and so on, but when you add Security it turns into something you would expect in your alphabet soup.  PCI-DSS, SOX, FISMA, ISO, HIPAA, HITECH, UDP, TCP, CERT, IR, XSS, CSRF, PWN, IPSEC, SSCADA, and the list goes on.  I am sure that you could guess some of them but the first six are probably the most debated.  Payment Card Industry – Digital Security Standards (PCI-DSS), Sarbanes-Oxley (SOX), Federal Information Security Management Act (FISMA), International Organization for Standardization (ISO, don’t ask it doesn’t make sense to me either), Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health are some of the security standards that businesses have to worry about.

Aside from these are any internal audits that companies have to pass.  Many times all this adds up to one thing, confusion.  Take a company that handles their employee’s healthcare records as well as having a federal contract while being a publicly traded company.  This company has to deal with parts of HIPAA and HITECH as well as FISMA and SOX.  You would think that these standards would correlate and go hand in hand but they were all developed independently so they have different requirements.  This is where Security Professionals are the most challenged.  Whether they are securing their network or auditing a network using these standards, there is a challenge.

Most often what happens is that a company that is trying to meet the requirements of these standards does one of two things, they either do the bare minimum to meet the requirements right before the deadline or they essential put everything behind Security and do things that will make the company more secure from their point of view but do so at the cost of usability.  Now I have written about how usability and security need to go hand in hand so that isn’t the angle I want to take right now.

My main focus is that when companies think they have to choose between security and usability it creates not only a hard time for users but it creates a situation where users do things in order to  get  around the security measures, thereby creating security holes that weren’t accounted for.  Such examples of this are writing down passwords and usernames, saving usernames and passwords on the browsers, saving documents on a USB drive, and trusting links that may not be legit.  While this can be solved with good user training there is no need to put that burden on the users, especially when if a company is compromised because of the workarounds the company still ends up paying the fine which can amount to millions of dollars.

Basically my suggestion is for all companies to stop looking at security servers and networks and start securing Information.  That way it leads to looking at the data they are securing and not what is holding it.  This might force them to walk through what users are going to do once their applications and network is set up and working.  Hopefully this will allow them to start truly incorporating both usability and security into their business.

As a side note, if you are interested in the true cost of a security breach there is a research project that I was a part of a few years ago that was presented at a conference.  The video is kind of poor quality but the information is valid.  I didn’t present it but did work on the external costs, those aside from any possible fine that is part of a security breach. http://vimeo.com/5384048


Information Security Improving with time?

   I ran across two interesting articles today on a website called bankinfosecurity.com.  One was an Interactive Timeline to Breaches at US Financial Institutions so far this year.  When I came across this article I wondered how it compared to a similar timeline for 2009.    The biggest breach in 2009 for a financial institution was the Heartland Payment breach in January of last year where 130 million records were lost, while the  biggest number of records lost so far this year, is 1.2 million.  If you take out the top two breaches, then it was interesting to see that January and February had about the same number of breaches but it looks like in terms of number of records lost 2010 wins.

    This brings to mind a couple of questions.  First, with security becoming more recognized why are breaches happening at the same rate?  This could be for multiple reasons, the first of which being that the hackers are getting more advanced.  While I don’t doubt this I believe the answer is much simpler.  If you talk to any security professional they will say the biggest threat to any company is people or Social Engineering.  You can have the most advanced security controls in but if people write their password on sticky notes and put them on their desk or computer then no security controls will ever help. 

     Now I am not saying people are the downfall of security and you should never trust your employees, but it is something that needs to be considered in any business.  Businesses need to educate people on not only basic security practices but why these practices are important.  Train people not only how to create a secure password but how to recognize someone trying to talk their way into a business.  Social Engineering causes more problems for companies then someone hacking their way into a companies secure servers because it is easier.  With just a phone call you can try to get someone to reset a password on an account and therefore give you access into a system.  If you want to learn more about social engineering Kevin Mitnick has a great book out called The Art of Deception: Controlling the Human Element of Security.  

   Now I am not the most experienced security person so any thoughts or suggestions are appreciated.  What do you guys think?  If you are in the security field, how do you combat this problem and if you aren’t in security how do you think about being trained on basic security practices by your company at regular intervals?  Do you think it helps? Why or why not?