As information security professionals, most of us try to stay ahead of executive management when it comes to knowing about the threats that our organizations face. However, recently I have spoken with a number of CISOs who have been called to the floor by their senior leadership regarding how they are protecting their respective organizations from a WikiLeaks-type incident. Senior executives understand risk and also understand that if their organization is the next to be targeted by this type of threat, it could and probably would cause many sleepless nights for a lot of people. They also understand that if their corporate secrets were made public, it could directly affect shareholder value and, ultimately, their ability to make money or achieve organizational objectives.
The current trend seems to be that these “hacktivists” (I like to refer to them as “hack-ta-stortionists”) grab some type of internal data, through social engineering or a more technical active penetration, and hold it hostage or threaten to release it if their demands are not met. Well, I believe that the answer to this threat lies in those old policies and standards that we all spent so much time developing and often wonder if anyone is following.
Remember that risk assessment process that identifies what data is present and the value it has to the organization? Well, dust it off and make sure it is up to date, because this is where your approach to defending against this type of threat is going to start. Educating users on their responsibilities to protect organizational secrets is also key to your defense strategy. Many organizations have budget challenges and, as a result, have limited awareness training taking place. Ensure that you are a strong advocate for keeping security awareness training in your budget. After you have a clear understanding of the data that you are protecting, users are aware of their responsibilities, and your policies are up to date and relevant, you will need to ensure that there are technical mechanisms to enforce the controls called for in those policies.
As you can see, none of these strategies are new to information security practitioners. I believe that WikiLeaks will prove to be a catalyst to help organizations get back to basics as it relates to information security. The bottom line is that if you have a well-organized and efficiently operating information security program that includes all of the things mentioned here, you are probably already taking the necessary steps to protect against this new threat – and future threats as well. If you don't have these things in place, then consider investing the time to build a comprehensive information security program for your organization as it just may be the tool that saves the day.
»Policies are not enough
We could spend hours debating the best approach to securing the workplace, but policies are not enough to thwart an insider threat such as a WikiLeaks informant, says Hampton.
»Enlist technical controls
The technical controls – such as trusted security zones, well-defined group policies, logging mechanisms – will prove to be the most effective way to protect the organization's data.
»Is DLP a panacea?
There has also been a lot of discussion about whether data leakage prevention (DLP) solutions are a silver bullet for thwarting this particular threat, says Hampton.
»An audit trail
DLP technologies offer some excellent protection capabilities against known threats and can offer, at the very least, an audit trail in the event that data is somehow leaked.
Photo by Jim Callaway