A data challenge posed by WikiLeaks

WikiLeaks-type security incidents can be prevented, says V Balasubramanian

Media worldwide have been agog about the recent WikiLeaks incident. A good part of the coverage revolves around the what, why, who, where, when and how of the story.

It is clear that malicious insiders are either illegally accessing government documents or giving credentials to too many unvetted people who then route them to the media.

Bradley Manning, a 22-year-old army intelligence analyst stationed in Iraq, is believed to have leaked the classified documents.

Manning reportedly had access to two classified networks: one owned by the US Department of Defense and State Department, and the Joint Worldwide Intelligence Communications System.

'I would come in with music on a CD-RW, erase the music then write a compressed split file. No one suspected a thing and, odds are, they never will,' wrote Manning in a private chat, supposedly with former hacker Adrian Lamo, who then passed it to Wired.com and the FBI.

How did Manning get access to such sensitive networks? That is where the problem starts! We can categorically assume that he should not have had such access.

As government agencies, military and other federal departments are increasingly using IT to help manage their activities and offer various services, information security has become a top concern.

Nowadays, many people in government agencies are telecommuting or working from home. This has resulted in proliferation of laptops and storage devices such as memory sticks. Sensitive information stored on such devices can easily get into the hands of malicious users.

It is cruel to suggest in passing that many insiders act with malicious intent – only a minuscule number do. But, through improper and insecure handling of sensitive data, well-intentioned users create room for security incidents.

The effect of cyber threats to private establishments may be limited to financial and reputation loss. Perhaps it might be worse in cases of corporate or industrial espionage.

However, security incidents in government agencies might jeopardise national security.

Nevertheless, just like private establishments, government agencies must also build public trust. And as government agencies embrace new technologies, emerging threats keep pace. The increasing adoption of cloud computing and virtualisation is also making enterprise security all the more difficult to achieve, and all the more important.

Achieving the highest level of information security is the obvious goal for enterprise and government agencies. But there are two main challenges.

External attacks

Sensitive information and IT resources need to be exposed or shared with other departments, agencies and citizens. A large number of employees are required to access sensitive data and an ever increasing number of citizens turn to information technology to access business or government services.

Transparency in transactions being a hallmark of government functioning, many details are required to be exposed to the public. But government agencies, by their very nature, deal with an enormous amount of sensitive data and information.

Internal threats

Disgruntled staff, naïve or greedy employees, tech-savvy contractors and sacked employees may misuse privileged access. The business and reputation of some of the world’s mightiest organisations, including many government agencies, have been shattered in the past by a handful of malicious insiders.

Traditionally, keylogger trojans, cross-site scripting and viruses have mostly been the external security attack channels.

However, of late, internal threats seem to be far more alarming and prevalent, as many reported security incidents have been caused by insiders having (whether authorised or unauthorised) privileged access to enterprise and government IT resources.

I believe that unauthorised access to IT resources by malicious insiders is the fastest growing security threat, and that this insider threat is growing at unprecedented rates.

While security devices, intrusion detection solutions and other applications help combat the external threats, effectively mitigating insider threats is a huge challenge and mandates a multi-pronged strategy.

How do internal threats develop?

In many of the reported cases of cyber-sabotage, misuse of privileged access to critical IT infrastructure and stolen identities have served as the ‘hacking channel’.

A lack of internal controls, access restrictions, centralised management, accountability and strong policies, together with haphazard privileged password storage and management, all contribute to making an organisation a potential paradise for malicious insiders.

Privileged passwords are the keys to the kingdom. They enable virtually unlimited access to, and full control over, IT resources such as servers, databases, network devices and IT applications.

Typically, government agencies have thousands of privileged passwords, the majority of which are used in shared environments. That means a group of administrators use the common privileged account to access the resource. In reality, the passwords are just left open to be managed by the group.

The privileged accounts are accessible to all the members of a team. The shared nature grants anonymity, which enables misuse without a trace, and as a result, privileged passwords remain in disorder.

It is becoming increasingly clear to me that improper management of privileged or administrative passwords remains at the root of a good number of security threats.

Sensitive passwords are stored in insecure places such as text files, spreadsheets, print-outs, home-grown tools or even physical vaults. Many copies of the administrative passwords are circulated among the administrators. If the text file or spreadsheet containing the shared administrative passwords falls into the hands of a malicious user, data security is thrown to the winds.

There is rarely any internal control on password access or use. Administrators get access to the passwords of all the resources in the organisation. It is not uncommon to see a UNIX administration team having full access to Windows passwords, developers having full access to database passwords, and so on.

The passwords remain impersonal in the shared environment. Mistakes – accidental or intentional – may never be traced to individuals. There is generally no trace on who accessed what resources when. This creates a lack of accountability.

When agency staff or partners such as developers, database administrators, support personnel and contractors require privileged access purely on a temporary basis, they are generally supplied with the required passwords orally or by email. There is no process for revoking temporary access and resetting a password after the temporary usage, which leaves a big security hole.

It can be difficult to find out who has access to what resources. When someone leaves the organisation, changing all the privileged passwords of the enterprise is the only way to rule out any possible access or intrusion by that person in future.

The administrative passwords mostly remain unchanged for fear of inviting system lockout issues. Manually changing the passwords of thousands of resources would take 'man-years'.

Worse still, most resources are assigned the same, non-unique password for ease of coordination among administrators. So if an administrator leaves the organisation, he or she may walk out with a copy of all the passwords. And if an administrator leaves without revealing a privileged password that he or she had changed, the device or application might of course become locked for some time.

Apart from privileged passwords, there are the application-to-application passwords that are hard-coded in scripts. These hard-coded passwords pose a significant security threat as malicious users getting access to the script could easily decipher the password and unleash hell.

Thus, administrative passwords are insecurely shared and lie scattered through the organisation, leaving little scope for any internal controls.

Many incidents preventable

Not all security incidents and data breaches can be prevented or avoided. But the ones that happen due to a lack of effective internal controls are indeed preventable.

Combating sophisticated insider threats in government agencies mandates preventive steps and a multi-pronged strategy – controlling access to resources, enforcing security policies, adhering to best practices, monitoring events for real-time situational awareness, recording user sessions, detecting vulnerabilities, tracking changes, ensuring compliance with regulations, analysing actions, automated user provisioning and de-provisioning, and a host of other activities.

It is pertinent to quote here one of the best practice approaches suggested by CERT. Advocating the implementation of strict password and account management practices, CERT states:

'No matter how vigilant an organisation is in trying to prevent insider attacks, if their computer accounts can be compromised, insiders have an opportunity to circumvent both manual and automated controls. Password and account management policies and practices should apply to employees, contractors, and business partners.

'They should ensure that all activity from any account is attributable to the person who performed it.'

You could, perhaps, automate the entire administrative access life cycle, enforcing best practice. Privileged Identity and Information Management (PIIM) apps are an alternative to traditional, inefficient and insecure password management processes.

What to do

Administrative passwords can be stored in a centralised repository in encrypted form. Sensitive documents, videos and other digital data can be stored just as securely as the passwords themselves.

Role-based, granular access restrictions can be enforced. Administrators and other users should get access only to the passwords and documents that are allotted to them, not all.

Passwords and documents can be selectively shared with others. Sharing passwords by word of mouth or through emails should be completely avoided.

Passwords can be automatically changed at periodic intervals, assigning a strong, unique password to each resource.

For enhanced internal controls, administrators and other users may even be prevented from viewing the passwords in plain text. Instead, they can be directed to click a URL that connects them directly to the resource.

Users requiring temporary access can be directed to follow a password request-release workflow, granting time-limited access.

All password access activities should be completely audited. This also helps the government agency meet regulatory requirements.

Real-time alerts on password actions, as well as SNMP traps and syslog messages, help administrators continuously track and control the administrative passwords.
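The controls listed in this section (role-based allotment, unique per-resource rotation, the request-release workflow with time-limited access, and an audit trail that names the person rather than the shared account, as the CERT quotation above demands) modelled as an added Python example; this is not code from the article or from any Zoho product, the class and method names are hypothetical, and encryption at rest is deliberately out of scope, so the vault holds secrets in memory only.

```python
import secrets
import string
import time
from dataclasses import dataclass, field

# Hypothetical vault: one unique secret per resource, role-based allotment,
# time-limited check-out and an audit trail that always names a person.
@dataclass
class Vault:
    acl: dict                                      # resource -> set of allotted users
    secrets_: dict = field(default_factory=dict)   # resource -> current password
    leases: dict = field(default_factory=dict)     # (user, resource) -> lease expiry
    audit: list = field(default_factory=list)      # (time, user, resource, action)

    def rotate(self, resource, length=24):
        """Assign a fresh, strong password to one resource (never shared across resources)."""
        alphabet = string.ascii_letters + string.digits + string.punctuation
        self.secrets_[resource] = "".join(secrets.choice(alphabet) for _ in range(length))
        self.audit.append((time.time(), "system", resource, "rotate"))

    def request(self, user, resource, ttl, now=None):
        """Request-release workflow: a lease is granted only to users allotted the resource."""
        now = time.time() if now is None else now
        if user not in self.acl.get(resource, set()):
            self.audit.append((now, user, resource, "denied"))
            return False
        self.leases[(user, resource)] = now + ttl
        self.audit.append((now, user, resource, "release"))
        return True

    def use(self, user, resource, now=None):
        """Hand out the password only while that user's own lease is live."""
        now = time.time() if now is None else now
        expiry = self.leases.get((user, resource))
        if expiry is None or now > expiry:
            self.audit.append((now, user, resource, "no-lease" if expiry is None else "expired"))
            return None
        self.audit.append((now, user, resource, "use"))
        return self.secrets_[resource]

    def offboard(self, user):
        """Leaver: drop the person's leases and re-key every resource he or she was allotted."""
        for key in [k for k in self.leases if k[0] == user]:
            del self.leases[key]
        for resource, users in self.acl.items():
            if user in users:
                users.discard(user)
                self.rotate(resource)
```

Because every `audit` entry carries a user name and every `use` must follow a `request`, the shared-account anonymity described earlier disappears, and `offboard` is the automated form of the "change all the privileged passwords when someone leaves" rule.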

Data Loss Prevention (DLP) software can also help, particularly where telecommuting and information storage on memory sticks and CDs are permitted.

V Balasubramanian is a senior analyst at Zoho