This series on data security is commissioned by IBM. Read more about building a smarter planet on the IBM A Smarter Planet Blog.
The furor over the latest in a series of insider data breaches – which is how most believe Wikileaks normally obtains its information — has left security professionals scratching their heads over how to protect their own data. How can they do it, if the U.S. government can’t?
While Wikileaks isn’t disclosing exactly how it obtained the information, details have emerged in the press about the likely scenario for how the cables – and loads of other documents Wikileaks has published – got out.
What is shows us is what NOT to do if you want to protect your precious data from falling into the wrong hands.
The likely suspect for leaking the information – Army Private First Class Bradley Manning – is already in custody for allegedly leaking other classified documents to Wikileaks. The Department of defence arrested the military intelligence analyst in June; he was turned in by a hacker to whom he’d confessed his actions.
According to Wired and other published reports, Manning downloaded documents from two networks containing top-secret data: SIPRNET, a classified network used by the Department of defence and the State Department, and the Joint Worldwide Intelligence Communications System, which is used by the two agencies for top secret and sensitive information. He boasted to his hacker buddy that at one point he had uninterrupted access to the networks for 14 hours, during which time he was able to download the documents. Manning allegedly transferred them to an external storage device and handed them over to Wikileaks founder Julian Assange.
By allowing this kind of access to top-secret data, the DoD has ignored some of the most elementary rules of data access.
- For one, they allowed a relatively low-level military member high security clearance, which he then exceeded to get access to the documents. The fact that he was able to do this questions not only the judgment of the military in terms of who they give classified access to, but the soundness of their access-control systems.
- Once Manning did go beyond the boundaries of his clearance, the government appeared to have no alerts in place to let security administrators know someone was accessing the network who wasn’t supposed to. This is another major faux pas. Someone should have been alerted to Manning’s activity and set into motion actions to stop it, not given him a 14-hour window to do as he pleased with top-secret information.
- After that, Manning was able to use a storage drive to take the documents off the network and transfer them off premises. You would think the DoD would have learned its lesson from a 2008 incident in which a malware-infected flash drive caused a colossal data breach to allow any of their employees — let alone someone with classified access — carry an external storage drive with them at the office.
Take heed, security professionals. It seems the “What Would the U.S. Military Do?” approach doesn’t apply to data security.
NOW WATCH: Tech Insider videos
Business Insider Emails & Alerts
Site highlights each day to your inbox.