Data Leaks - Preventing the Inside Job
The Wikileaks story continues to roll on around the world, but as its focus shifts to the website's founder Julian Assange, questions are now being asked about how the information could have been stolen in the first place.
Only this week has the US military blocked the use of removable media on its computers, something businesses and corporations did several years ago.
I spoke to security expert James Watts from Zinstall, the data protection lead of their DiCOP (Digital Content Protection) unit. He had some interesting thoughts on overall ICT security within businesses and governments.
"This outbreak is not surprising or sudden," he said. "It is simply another blow in a string of leaks - and subsequent scandal - from military and governmental networks. And it is definitely not the last one."
"Traditional defense systems of notable manufacturers (such as Symantec, McAfee, CheckPoint), the same antiviruses and firewalls installed in every organization and personal computer, have not failed. They were simply created with a different concept, developed in the early 2000s, with the primary goal of protecting from an external attacker trying to penetrate the system. It is more fitting to say that the actual modus operandi on which these tools are based was the one that failed."
He went on to detail the three main categories of defence against information leaks:
- "Brute force" defense: totally block all USB devices, CD/DVD burners, Bluetooth and Firewire ports, Internet access and email. The immediate problem with this method is of course the severe impairment of business continuity of the organization, by cutting off and obstructing the normal flow of data crucial to ongoing operation - "blocking all exits" unfortunately also means blocking communication and collaboration between the staff - as well as creating a heavy air of suspicion and distrust throughout the organization.
- Rules and permissions: this category contains DLP systems which rely on defining a centralized and organized set of permissions for classified data, employees and computers. For each user, the system defines exactly what kind of documents he can access, and on which computers. Will this protect from an internal threat? Obviously not - after all, all of the aforementioned leaks were performed by a trusted employee who was in fact authorized to access and use the classified data. Furthermore, in reality such a centralized rule system quickly becomes bloated, cumbersome - and unmanageable.
- Heuristic system: an improvement on the previous category, a heuristic system tries to replace the management attention of a human officer responsible for setting the permissions with a continuously self-learning computer system which automatically classifies different types of documents in the organization, and sets permissions according to context. This approach definitely helps to prevent a data leak from an authorized source - however, its operation is limited to textual information only, while pictures, photos, videos, drawings, designs etc. will still leak as before.
It is interesting to note, regarding the first category, that this blocking capability is built into Windows 7 itself; but since the first service pack for that operating system has yet to appear, many businesses and certainly many governments have yet to switch to the new OS.
It remains to be seen whether recent events will change the policies of those organisations that normally wait for the first service pack release. Will future Windows versions be adopted sooner after their release than is currently the case? Only time will tell on this one.
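The Windows 7 blocking capability mentioned above is the "Removable Storage Access" Group Policy, which is backed by registry keys. The following is an added example (not code from the article or from Zinstall) that audits those keys and applies a write-only block, which stops copying data out while leaving reads allowed, a less blunt variant of the "block all exits" approach. It assumes the class GUIDs below are the Removable Disks and CD/DVD classes used by the policy templates; verify them against your Group Policy reference before rolling out.

```powershell
# Added example, not from the article or Zinstall. Run in an elevated session.
# Assumption: these GUIDs match the policy template's Removable Disks and CD/DVD
# classes; confirm against your Group Policy reference before deployment.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$Classes = @{
    'RemovableDisks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CdAndDvd'       = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Get-RemovableStoragePolicy {
    # Report the current Deny_* settings per class; a missing key means "no policy set".
    foreach ($name in $Classes.Keys) {
        $key = Join-Path $PolicyRoot $Classes[$name]
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Class       = $name
            DenyRead    = [bool]($props.Deny_Read)
            DenyWrite   = [bool]($props.Deny_Write)
            DenyExecute = [bool]($props.Deny_Execute)
        }
    }
}

function Set-RemovableStorageDenyWrite {
    # Deny writes (copying data out) for both classes; reads stay allowed so that
    # legitimate use of vendor media and installation discs keeps working.
    param([switch]$AlsoDenyExecute)
    foreach ($name in $Classes.Keys) {
        $key = Join-Path $PolicyRoot $Classes[$name]
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Deny_Write' -Value 1 -Type DWord
        if ($AlsoDenyExecute) {
            # Optionally also stop programs from launching off removable media.
            Set-ItemProperty -Path $key -Name 'Deny_Execute' -Value 1 -Type DWord
        }
    }
}

# Show the state before and after applying the policy.
Get-RemovableStoragePolicy | Format-Table -AutoSize
Set-RemovableStorageDenyWrite
Get-RemovableStoragePolicy | Format-Table -AutoSize
```

Devices already attached may need to be reinserted before the new setting takes effect; in a domain the same values are normally pushed through a GPO rather than set locally.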
Watts has some simple advice for companies though, and it's the mantra for Zinstall's own security products. "The motto is simple: protect all digital content in the organization, including all files of all types - while maintaining complete transparency for the users, keeping data flow unobstructed and allowing full streamlined collaboration between the employees. The leak source can try carrying the files out on a USB drive, burning them onto a CD, transferring them to a smartphone, sending them by email - but he will not be able to use that leaked content outside the organization. Of course, a disgruntled employee will still be able to write down some information on a simple piece of paper - but leaking many thousands of classified documents, reports and many kinds of digital content will be impossible."