WikiLeaks recently obtained and released thousands of sensitive documents showing the Central Intelligence Agency’s (CIA) arsenal of hacking tools, malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.
Unfortunately this is not a Shakespearean play, but a real life data breach that will have huge consequences for the security of the US government. This information supposedly came from a secure location inside the CIA and raises a lot of questions about cybersecurity. If an agency that should be focused on security can have this problem, what other problems may lurk in other parts of the government?
Like other major data breaches, this has raised familiar concerns about insider threats, the importance of a robust breach detection and response capability, and protecting the most sensitive information inside your organization. I’m sure the CIA has implemented basic security hygiene, but clearly they didn’t protect the data itself from malicious or unintentional exposure.
How did someone gain access to a supposedly super-secure network deep inside the CIA’s Center for Cyber Intelligence facility? I don’t believe it was an external hack, but more likely a trusted insider or at least the help of someone inside the CIA.
The issue is that many people have and need legitimate access to numerous enterprise systems and sensitive data to do their jobs. Organizations need to know what sensitive data they have, where it is, who has access to it and how it’s used, both in their own environment and in external environments. It’s also important to understand what normal levels of data access look like, so you can identify anomalies. If an analyst in the CIA normally views 10 sensitive documents a day, but all of a sudden is viewing 100, there may be an issue.
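One way to implement the per-analyst baseline described above, as an added example that is not part of the original post: each user is compared against the median of their own earlier days, so a spike is judged relative to that person's normal, not a global number. The log format, user names, document IDs and the 3x threshold are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample access log, one event per line: "<date> <user> <doc_id> view".
# Generated by a small helper so the example stays short; not real data.
def _day(date, user, n):
    return [f"{date} {user} DOC-{i:04d} view" for i in range(n)]

SAMPLE_LOG = (
    _day("2017-03-01", "analyst_a", 10) + _day("2017-03-02", "analyst_a", 9)
    + _day("2017-03-03", "analyst_a", 11) + _day("2017-03-04", "analyst_a", 100)
    + _day("2017-03-01", "analyst_b", 40) + _day("2017-03-02", "analyst_b", 38)
    + _day("2017-03-03", "analyst_b", 45) + _day("2017-03-04", "analyst_b", 50)
)

def daily_counts(lines):
    """Parse log lines into {user: {date: number of distinct documents viewed}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        date, user, doc_id, action = line.split()
        if action == "view":
            seen[user][date].add(doc_id)  # distinct documents, not raw events
    return {u: {d: len(s) for d, s in days.items()} for u, days in seen.items()}

def flag_anomalies(counts, factor=3.0, min_history=3):
    """Flag a day whose count exceeds `factor` times the median of that user's
    earlier days. analyst_b's steady 40/day is never flagged even though it is
    above analyst_a's spike threshold, because the baseline is per user."""
    findings = []
    for user, days in counts.items():
        history = []
        for date in sorted(days):
            n = days[date]
            if len(history) >= min_history and n > factor * median(history):
                findings.append((user, date, n, median(history)))
            history.append(n)
    return findings

if __name__ == "__main__":
    for user, date, n, baseline in flag_anomalies(daily_counts(SAMPLE_LOG)):
        print(f"{date}: {user} viewed {n} documents (baseline {baseline}/day)")
```

A `min_history` of three days is deliberately small so the sample fits; in practice the baseline window should be long enough to cover normal weekly variation.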
The best way to protect sensitive documents is by encrypting them and providing a way to always monitor and control their access, regardless of their location. If the CIA implemented a data-centric approach to protecting this sensitive information, they could limit file access to specific people and audit that access at all times. If the documents were stolen or leaked, unauthorized people couldn’t access the information inside the files. They would have a bunch of random bits that would be useless. If an internal security person determined that privileged insiders shouldn’t have access to specific files, they could immediately remove their access, regardless of where the file is located.
Insider breaches highlight the constant struggle within enterprises to choose between security and productivity. Implementing solutions to address both effectively is clearly the best approach.