Government and intelligence officials around the globe have been caught off guard and in many cases embarrassed and compromised by disclosures of documents on the Web site WikiLeaks.
For security and IT professionals, these leaks serve as an important wake-up call to improve policies, procedures and safeguards. Here are five key tips to help your government agency or business avoid being the source of the next Wikileak.
Related story – What SMBs can learn from WikiLeaks’ resilient network
I. Security Policies and Procedures.
Every government organization or enterprise must have policies in place to define who gets access to what information, and when. These policies and procedures must be actively maintained and updated and properly communicated. Then, the security policy can be administered by leveraging technology and putting the proper tools in place to secure, enforce, and mitigate risk to the organization.
In the October 2010 WikiLeaks case in involving some 400,000 U.S. military documents about the Iraq war, policy could have limited access to the systems that contained the sensitive information to those that had a “need to know.”
In highly sensitive information environments the policy should require strict management, monitoring and control of access only to people who have a legitimate need to know. Governance, Risk and Compliance (GRC) tools allow organizations to automate some aspects of this task by overlaying security policies and controls over corresponding data sources from switches, routers, security platforms, servers, end points and applications, for a real-time view of their state of compliance.
However, no policy can be 100 per cent effective, and many organizations will experience someone on the inside who has met the policy requirement, does have a legitimate need to know, but has illicit intentions. In these cases the security technology should provide the next layer of defense to meet these internal threats.
II. Implement Host-Based Security Solutions.
Host-based security solutions include tools that allow an organization to protect and control laptops and desktop computers. Examples would be anti-virus/anti-malware products and software that prevents a user from using a USB drive or writable CD drive on a computer on a classified network.
Essentially, host-based security protects and limits what users can do at workstations. Host-based controls can disable, for example, simultaneous wired and wireless network capability, which can act as an entry point for a hacker
Host-based security solutions can also be integrated with network access control (NAC) systems to create a first line of defense for systems that regularly go on and off of the network, such as laptops. If a laptop is infected with a virus, or misses an important security patch while disconnected from the organization’s network, the host-based security solutions, in conjunction with the NAC solutions, can assure that effected systems is quarantined, and cleaned of the virus, or receives the proper security patch before it is allowed onto the network.
III. Data Loss Prevention (DLP).
DLP toolsallow an organization to be aware of activity across the network. This includes monitoring what goes out of the network through e-mail, file sharing and via FTP. An organization can fine-tune the solution and have DLP watch the network for particular events, such as blocking e-mail that contains sourcecode or credit card or social security numbers.
IV. Traffic Profiling Tools.
These tools can look across the network at individual users in aggregate and see what type of sites are being visited, with a particular emphasis on any sites that enable file-sharing, such as Dropbox, Mozy or YouSendIt. Network administrators may not want or need to block such sites, but it is helpful to know, in real time, when a user accesses these sites and for what purpose.
Profiling tools can also detect subversive attempts to extract data from a network. Every device on a network is expected to act a certain way when communicating. The network traffic to and from a printer should looks like a printer. If the traffic-profiling tool detects a printer looking more like a Linux workstation, then someone may be trying to spoof the printers IP address for the purpose of exploiting a system of extracting data.
V. Log Management & Correlation.
Almost every activity on a network leaves a “breadcrumb trail” in the form of log entries — automated entries on the servicers and network devices that users interact with on a network. As a result, if an information leak does occur, logs will provide easier access to forensic information that can go back a few days or a few years. These tools can help determine the source of the leak more rapidly. Importantly, once the path that someone took to get data out of the network is identified, then new policies and procedures can be created to prevent a repeat occurrence.
When implemented in an enterprise environment, all of these individual solutions can be centrally managed and monitored. Most can be integrated with Security Incident and Event Management (SIEM) tools for a real-time “single pane of glass” view in the organization’s security environment. SIEM tools allow organizations to automatically correlate events based on event “signatures” — known combinations of events across multiple security platforms that have been know previously to constitute a breach, or attempted breach.
With experience, organizations can build their own signatures based on real or theorized threats in their own environment. Automated response to know events, such as persistent automated attacks — attacks from botnet programs, or other coordinated automated attacks — can allow an agency to move closer to a self-defending network.
Chris Knotts, is VP of technology and innovation at Force 3