Wikileaks’ CIA dump is the biggest secret cache released so far. It’s embarrassing to the CIA. It undermines our intelligence efforts. And it didn’t need to happen.
The sad fact is that the world’s computers are not configured securely enough to match the confidentiality of the data they are protecting. As a society we allow our computers to languish in a state that almost invites attackers to access them—even at the CIA, apparently.
That may finally be changing, though remediation has been slow to roll out. In my view, the tipping point was the Sony hack, which was so embarrassing and costly that it scared execs in a way that the Target, Home Depot, and Office of Management and Budget hacks did not.
Whatever the cause, I see new levels of interest in serious security solutions. Data analytics is coming on strong, replacing gut feelings in choosing protective measures. Cloud-stored event detection is offered by multiple companies. Passwords are finally beginning to be phased out. More cybercriminals are being identified and arrested than ever before.
For once, the good guys are getting traction—and those familiar with my generally pessimistic take on security know I don’t say that lightly. To join in this positive development, try this handy hierarchy of countermeasures. CIA, are you listening?
If this isn’t already your mantra, it should be. “Assume breach” means you should think about the security defense you would deploy if your environment already had an advanced persistent threat (APT) you couldn’t get rid of. What would you do differently? First and foremost, your perimeter defenses aren’t going to help. If you use firewalls and intrusion detection systems, they need to be internal, on all your mission-critical hosts. How would you implement event logging and detection differently if a bad guy was inside your network 24/7? What data would you encrypt? How could you detect APT? What would your new normal look like?
The Wikileaks CIA data trove is known as “Vault 7.” It’s massive. It contains more than 8,000 files—and Julian Assange says that’s only part of the haul. If the CIA was monitoring data download volume, it could have detected it, especially if it had shown a new download pattern (either in size or location). Plenty of computer security tools monitor downloads. You’d think after the NSA and the Chelsea Manning event, this would be at the top of every intelligence agency’s list.
Data-download monitoring tools aren’t new. They’ve been around for more than a decade. When I worked at a large hotel company 12 years ago, we used monitoring software to catch a senior executive downloading our entire customer database shortly before he left for a job with a competitor. In fact, the first network I ever worked with back in 1987, Novell NetWare ELS Level II, had a main screen that would display each logged-in user’s data-download history. If your company lacks this capability, isn’t it time to add it?
Disallow writing to removable media
Chelsea Manning, perpetrator of what is still considered the largest leak of classified information in U.S. history, supposedly copied data to a fake Madonna CD. Why was a person accessing classified information allowed to write data to removable media in the first place? You need to control the ability of people with access confidential data to copy stuff, either locally to removable media or over the internet. Nearly every computer security vendor and most operating systems enable you to control the ability to write to removable media devices.
Use two-factor authentication
If you don’t have two-factor authentication (2FA) in your environment, it’s time to get it. 2FA won’t solve all your company’s hacking ills, but it will immediately cut out a huge swath of them. If you require 2FA to access all company-related sites and data, then your employees can’t be phished out of their logon credentials. They can’t use the same passwords on your company’s network and unrelated sites. And equally as important, your employees will love you because long, complex, and frequently changing passwords are replaced with four-to-six-digit PINs that change only once a year, if at all. It’s a win-win!
Set up a secure admin workstation
All administrators should be forced to perform their administrative duties on a secure admin workstation (SAW), which is a locked-down computer that can run only pre-approved software and cannot access the internet. In my nearly 30-year computer security career, I’ve consulted at only one company that seemed like it could not be broken into at will. That company used SAWs—10 years ago. Microsoft has probably done more work and produced more public documentation in this area than any other company.
When in doubt, encrypt
Data protection should follow information regardless of where it resides. If a bad guy steals data or downloads it to removable media, it should remain encrypted—and accessible only by a company’s authorized assets and devices. Perimeter firewalls never worked. Take the opposite tack and put a “little firewall” in the form of encryption around every bit of valuable data. Yes, this increases overhead, but it’s worth it.
The CIA data breach didn’t need to happen. Someone messed up. Someone is responsible for one of the world’s most embarrassing data exfiltrations and intelligence setbacks in recorded history. Whether it was a trusted insider or nation-state attacker, the violation should have been prevented—or at least detected and mitigated at the earliest notice.
It all starts with a serious information protection policy instead of half-implemented, lukewarm “best efforts.” We all need to assume breach and think about how we should treat our managed devices based on that.