WikiLeaks is Doing the Security Profession a Favor

Tuesday, November 30, 2010

Mark Gardner


I have spent the evening reading the figures and information disclosed in the first tranche of the WikiLeaks "cable gate" release.

It would be very easy for me to spend this blog post discussing the aforementioned figures and information. However, as an information security professional I am starting to think that WikiLeaks is actually positive for my chosen profession.

Before I continue and explain my thinking, I must point out that I think the actions of WikiLeaks are deplorable, morally questionable and above all else a danger to the World.

There are some things that must be kept private, even in this world of social media where sharing lots of information about oneself seems to be the norm. Some things are best left unsaid, are they not? 

However, returning to my original point, WikiLeaks is making my job easier. Can you think of a better Security Awareness campaign than to have security and unauthorized disclosure issues so widely reported on every news channel, in every newspaper, and across the web in its entirety?

Suddenly those database security risks you have been raising, and getting funny looks for, make sense. The 1.6GB of information was downloaded onto a rewritable CD containing a Lady Gaga album and distributed.

The files were then passed to various news outlets via USB stick, another "tool" with huge risks attached, but risks that, I would suggest, have never been so publicly exposed.

What it does highlight, though, is the need for pragmatic, effective security controls to be in place. Allegedly, these releases were only possible because the SIPRNet database security controls were relaxed to make the system as easy to use as possible.

Of the 251,297 "documents", 133,887 were either unclassified or "marked" For Official Use Only. Of the rest, 15,662 were classified Secret.

In that instance I would question what they were doing on a networked database in the first place. The remaining 101,748 were classified Confidential.

From this analysis, I would question the levels of marking and the protection required for these levels of classified documents.

Information classification was born in the military; for that system to be exposed in this manner is a cause for concern from a security control perspective.

This was originally posted at www.markgardner.co.uk 

James StClair Mark, well written article. While I agree for the most part, I'd add that it is more than InfoSec but true Data Loss Prevention (DLP). Regardless of whether secrets should remain secret, rules should effectively manage exactly how data, down to its basic elements, is stored, retrieved and used. This approach would improve the principles and methodology of classification altogether.
1291096060
Andrea Zapparoli Manzoni Mark, thank you for your article.

My first reaction to Wikileaks was that it is NOT doing the profession a favour, since it is a blatant demonstration that ICT Security fails miserably (at the highest level) and in fact doesn't work in the real world.

I will meditate on your points and try to find a new perspective on this subject.
1291118890
Lee Mangold Mark - So many things went wrong here, it's hard to find a place to begin. DoD made a push for Net-Centric Diplomacy allowing the sharing of this information across the network. This isn't inherently a problem as SIPR is supposed to be used for things like this. The problem is that 1) Removable media was allowed in classified computing facilities, 2) no one detected this massive download, and 3) it's unclear whether this guy had a "need to know".

A clearance isn't enough to do anything...you must also have a need-to-know to access the data. How tightly this was controlled is another question. Secret data is maintained in DBs all over the place...it's how we store and share information. FOUO data is even less controlled...

1291127341
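As an added example (not code from the post or from any commenter), here are the two checks Lee's comment says were missing, run over a constructed document access log: a sliding-window count that flags a bulk pull, and a need-to-know check that flags a read outside the user's compartments even when the clearance level alone would permit it. The log lines, user names, compartments and the authorization table are all invented for the example.

```python
"""Bulk-retrieval and need-to-know checks over a constructed document access log."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASE = datetime(2010, 11, 30, 10, 0, 0)

# Constructed access-log lines (not real records): time user doc_id classification compartment
SAMPLE_LOG = [
    "2010-11-30T09:00:00 analyst1 D-0001 CONFIDENTIAL EUR",
    "2010-11-30T09:05:00 analyst1 D-0002 SECRET EUR",
    "2010-11-30T09:06:00 analyst1 D-0003 SECRET MIDEAST",  # outside analyst1's compartments
    "2010-11-30T09:10:00 analyst2 D-0004 FOUO MIDEAST",
] + [  # analyst3 pulls 250 documents at one per second: a bulk-export pattern
    f"{(BASE + timedelta(seconds=i)).isoformat()} analyst3 D-{1000 + i} CONFIDENTIAL EUR"
    for i in range(250)
]

# Hypothetical need-to-know table: the compartments each user is authorized to read
AUTHORIZATIONS = {"analyst1": {"EUR"}, "analyst2": {"MIDEAST"}, "analyst3": {"EUR"}}


def parse_event(line):
    """Split one whitespace-separated log line into a dict with a parsed timestamp."""
    ts, user, doc_id, classification, compartment = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "doc_id": doc_id,
            "classification": classification, "compartment": compartment}


def bulk_retrievals(events, window=timedelta(minutes=10), threshold=100):
    """Return {user: peak count} for users exceeding `threshold` reads in any sliding `window`."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # slide `start` forward until the window fits
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[user] = peak
    return flagged


def need_to_know_violations(events, authorizations):
    """Reads of a compartment the user is not authorized for, regardless of clearance level."""
    return [(e["user"], e["doc_id"], e["compartment"]) for e in events
            if e["compartment"] not in authorizations.get(e["user"], set())]


def classification_breakdown(events):
    """Count retrieved documents per classification marking, like the post's tallies."""
    return Counter(e["classification"] for e in events)


EVENTS = [parse_event(line) for line in SAMPLE_LOG]
```

The need-to-know check fires on analyst1's single MIDEAST read, which a clearance-only check would have passed; the bulk check fires on analyst3 alone.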
Mark Gardner Firstly thank you for your kind words and all valid points.

Andrea, I felt the same as you did. However, things seem so bad and so easily fixed that actually I think it's a positive, because it's an opportunity to show how good our profession can be at not only solving the problem but, hopefully, preventing it from happening again.

James completely agree with every word!

Lee thanks for that insight. I think you show the depth of the problem in order to prevent a recurrence.
1291128188
Eli Talmor Following in Lee's comment:
The LEAK is inherently built into a Net-Centric central depository of information. And this is not a DLP issue, since one can take (many) screenshots with NO ONE AWARE OF THAT. Need to know is the answer. The problem can be VASTLY reduced based on a need-to-know approach FOR EVERY DATA FILE. I will post on that soon.
1291195608
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
