What Wikileaks Tells Us About Security
Everybody's talking about Wikileaks these days, and yesterday I heard somebody pondering the security implications of it all. And with good reason: Wikileaks highlights one of the most difficult, but most important, factors in information security: the people factor.
Julian Assange is not a hacker - at least not in the sense most people think of hackers. He didn't break into the State Department or Pentagon systems to get the information he leaked. What facilitated the leak was not a hole in a firewall; it was a hole in our people process. One or more insiders with access (properly or otherwise) to the documents deliberately obtained them and then transferred them to Mr. Assange. As governments and large companies the world over set their jaws and shift uncomfortably in their seats at the thought of having their organization's secrets laid bare to the world, undoubtedly a great many of them are ordering a serious review of their document access policies and maybe even a refresh of their staff background checks.
What should you be doing? (Even if you're not a government, or Bank of America.)
1. Take an Inventory of What You've Got
Before you can decide how to protect it, you have to know what you're trying to protect. Take a good look at what documents you have and try to categorize them according to how sensitive they actually are. The list of passwords to your bank accounts? Top secret; only you should know it.
Your kid's soccer schedule? Unclassified. It's posted on the league website where everybody, even those darn "Bumblebees" who beat you in the playoffs last year, can see it.
Your list of clients may be restricted - i.e. everybody in your firm can see it, but you'd prefer it not be publicly available. How many levels of classifications you want to have, and what you call them, is up to you. One easy way to think about it is to consider the social circles in which you operate. The classifications should map roughly to that.
- Level 1 (Top Secret): You. Maybe you and a spouse.
- Level 2 (Secret): You and a very small circle of trusted colleagues; perhaps you and your partners in the firm. Or maybe you, spouse and other family members.
- Level 3 (Classified): A wider circle; perhaps including the administrative team at the firm.
- Level 4 (Confidential): The entire firm, but not anybody outside.
- Level 5 (Restricted): The firm plus selected outsiders. Co-counsel, client, expert witnesses, etc.
- Level 6 (Public): Everybody. Your firm brochure, etc.
Do you need that many levels? I don't know - each person's situation is unique. If you're a government agent you probably need at least that many if not more. If you're a hairdresser you might only need 2 or 3 levels.
The more levels you have the more difficult and costly it can be to secure everything. So try to keep it reasonable - probably nobody needs 12 different levels of access. Also the more nuanced levels of classification can be more expensive to secure. It's cheap to secure the PIN number for your ATM card. Only you (and maybe a spouse) should know it. If it is potentially compromised beyond that tiny circle the PIN number gets changed. Doesn't take a lot of effort to maintain that level of classification. Likewise it's easy to manage information that is public or unclassified. You don't care who sees it, in fact you may WANT it exposed to the widest group of people possible. Your firm brochure, website or business card for example - the more people who see those the better. There's no cost to securing that information because it doesn't need to be secured (at least on a read-only basis; you don't want random folk CHANGING your website).
Where it gets tricky is when you have a piece of information that is secret, but needs to be available to a wider group of people; perhaps your partners, a client, selected members of the firm and two outside experts. Now you have to manage access to a larger group of people and it's a group that may not be static. Hopefully your partners don't change often, but outside experts may come and go, staffers at the firm can retire or leave for other opportunities. You may find yourself trying to secure access while still providing access to a dynamic group of people and organizations. And some of those people may be off your physical premises. Now you're transmitting secret information off-site where you may have considerably less control over it. That's when the headaches set in. And that brings us to...
2. Take an Inventory of Who You've Got
Once you have an idea of what information you have and what level of secrecy each piece of information requires, look around you and figure out who should be in each social circle. Your closest circle is the easiest one - your spouse. Maybe you have a trusted advisor that also fits into circle 1, but more likely is in circle 2.
Partners, staff in sensitive positions, all staff, clients, vendors and outside-partners, etc. Ever-widening circles.
Now is also the time to give some thought to those people. The ones who are particularly dangerous are the ones who are in a smaller circle but whom you may not know as well as you'd like to. Presumably you know your spouse pretty well. And hopefully you know your business partners pretty well too. You have a strong sense of whether they can be trusted and what their motivations might be. But what about senior staff? Those people in "Level 3" in my example above? They probably have access to some rather sensitive data, but how well do you REALLY know them? That circle you should color in red - those are the folks who may have a dangerous level of access but who may have an agenda other than your own. That's not to say that you can't be undermined by your spouse or business partners, only that (if you're alert) you should have a better sense for how trustworthy those people are. Hopefully you've done a good job of selecting your spouse/partners so that's not really an issue. But how carefully have you screened your administrative team? Have you done background checks before hiring them? Or did they just go to the right school and have a pleasant demeanor during the lunch interview?
How confident are you REALLY that they can be trusted to keep your secrets? Those are questions you need to ask. The more access you're going to grant somebody the better you need to know them and understand their motivations, agenda and allegiances.
3. Check the Locks
Now that you know what information you have and who in your world should have access to it, check to see if you've really secured those things. I go into a lot of firms that have their internal accounting data, personnel reviews and other proprietary and even confidential information just sitting on a server right next to the fliers for the company Christmas party.
Do you have secured folders in your firm? Have you placed your sensitive documents - whether they're internal firm information, information relating to a very sensitive matter you're working on or perhaps confidential client information - into appropriately secured folders or shares? Perhaps you're guarding information so sensitive that it makes sense to locate it on its own server?
Think of it like a filing cabinet without locks - many firms have a server where all of the folders are essentially the same. If you can connect to the server you can navigate around any folder as easily as any other. Some firms even have a "Guest" account in their network and haven't ensured that the guest account has no access to the sensitive firm data.
Other firms have realized that not all information is created equal. That some information needs to be secret while other information may only be restricted; and so they've made some careful decisions about which folders are available to which people. Try logging into your server with your receptionist's account some time and see what he or she can actually access. You may be in for an unpleasant shock.
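A scripted version of the "log in as the receptionist" test described above, as an added example that is not part of the original post. It builds a constructed sample share in a temporary directory, tags each folder with one of the levels from section 1 (the folder names, levels and permission modes are all assumptions made for the demo), and reports every folder whose POSIX read bits are wider than its level allows. On a Windows file server the same check would read the NTFS ACLs of each share rather than mode bits, but the idea is identical: compare what the server actually grants against what you decided each folder's circle should be.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Hypothetical folder classification for a small firm's share, using the
# article's levels (1 = Top Secret ... 6 = Public). Constructed for this demo.
CLASSIFICATION: Dict[str, int] = {
    "partners/accounting": 2,
    "hr/personnel-reviews": 3,
    "matters/client-x": 5,
    "marketing/brochure": 6,
}


def audit_tree(root: Path, classification: Dict[str, int]) -> List[str]:
    """Report folders whose POSIX mode bits grant wider read access than
    their level allows: anything below Public must not be world-readable,
    and Level 1-2 folders must not be readable by their whole group either."""
    findings: List[str] = []
    for rel, level in classification.items():
        folder = root / rel
        if not folder.is_dir():
            findings.append(f"{rel}: classified level {level} but folder is missing")
            continue
        mode = folder.stat().st_mode
        if level < 6 and mode & stat.S_IROTH:
            findings.append(f"{rel}: level {level} folder is readable by everyone")
        if level <= 2 and mode & stat.S_IRGRP:
            findings.append(f"{rel}: level {level} folder is readable by its whole group")
    return findings


def build_sample_share(root: Path) -> None:
    """Constructed sample: a server where every folder got the same default
    permissions, except the client matter folder, which somebody locked down."""
    for rel in CLASSIFICATION:
        (root / rel).mkdir(parents=True)
        os.chmod(root / rel, 0o755)   # the "filing cabinet without locks" default
    os.chmod(root / "matters/client-x", 0o750)


def run_demo() -> List[str]:
    """Build the sample share in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root)
        return audit_tree(root, CLASSIFICATION)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run against the constructed share, the accounting folder is flagged twice (readable by everyone and by its whole group, which a Level 2 folder should never be), the personnel reviews are flagged once, and the locked-down client matter and the public brochure pass. Pointing `audit_tree` at a real share root with your own classification map gives the "unpleasant shock" list without having to borrow anyone's login.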
4. Keep the Locks Locked
I've lost count of how many times I've been in a client's office and I've heard a lawyer or executive walk out of their office and say to their assistant "Sally, I'm leaving for the conference now. I'll be back on Friday. Here's my password, check my e-mail while I'm gone." WHAT?! Your assistant has just been elevated to your circle - in your world Sally now has Circle 1 (Top Secret) clearance. She can probably access almost anything you can access with that password. Your e-mail, sure. How about the firm accounting system? How about personnel reviews or other sensitive documents? Home phone numbers of clients and colleagues? And chances are good that you use that same password for other systems too - maybe to log into your bank accounts?
Not only can "Sally" access this information now, but she can access it AS YOU. She can send out e-mail as if it came from you. She can access files, and any audit systems would show that YOU accessed the file.
She not only has the key to the kingdom, she has a perfect mask of you to wear as she explores it.
Maybe Sally wouldn't do that. But when was the last time you changed your password? And how many assistants have you gone through during that time? So how many former employees, some of them perhaps not happy to be so former, might have your username and password? Do any of those former assistants now work for your competition?
Keep the locks locked. Passwords are not to be shared.
5. Sign in Please...
Now that you've determined the different levels of information and the different people and groups you need to share information with, and you've set up the security to try and ensure that only the proper people have access to that information, you need to do one more thing: have an audit trail. For information that's sensitive you should have a log that tells you who has accessed that information and when.
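An audit trail is only useful if somebody reads it, so here is an added example (not from the original post) of the two questions worth asking of that log: did anyone read a file from a circle they don't belong to, and did anyone pull an unusual number of files in a short window, which is what an insider copying documents looks like. The log lines, the key=value format, the folder levels and the account circles are all constructed for this demo; a real file server or SIEM has its own format, so `parse_line` is the part you would adapt.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample of how a file server might log reads (timestamp, account, action, path).
SAMPLE_LOG = """\
2010-12-01T09:12:03 user=jane action=read path=partners/accounting/q3-ledger.xlsx
2010-12-01T09:15:40 user=sally action=read path=hr/personnel-reviews/2010/smith.docx
2010-12-01T09:16:02 user=sally action=read path=partners/accounting/q3-ledger.xlsx
2010-12-01T11:30:00 user=guest action=read path=marketing/brochure/firm-brochure.pdf
2010-12-01T13:01:10 user=tom action=read path=matters/client-x/brief.pdf
2010-12-01T13:01:12 user=tom action=read path=matters/client-x/exhibit-a.pdf
2010-12-01T13:01:13 user=tom action=read path=matters/client-x/exhibit-b.pdf
2010-12-01T13:01:15 user=tom action=read path=matters/client-x/exhibit-c.pdf
2010-12-01T13:01:16 user=tom action=read path=matters/client-x/deposition.pdf
2010-12-01T13:01:18 user=tom action=read path=matters/client-x/notes.docx
"""

# Folder levels follow the article's scheme (1 = Top Secret ... 6 = Public);
# each account's circle is the smallest level it is allowed to see. Both maps
# are assumptions for the demo.
FOLDER_LEVEL: Dict[str, int] = {
    "partners/accounting": 2,
    "hr/personnel-reviews": 3,
    "matters/client-x": 5,
    "marketing/brochure": 6,
}
USER_CIRCLE: Dict[str, int] = {"jane": 2, "sally": 3, "tom": 4, "guest": 6}

Event = Tuple[datetime, str, str]


def parse_line(line: str) -> Event:
    """Turn 'TIMESTAMP user=U action=A path=P' into (timestamp, user, path)."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts), fields["user"], fields["path"]


def folder_level(path: str) -> Optional[int]:
    """Level of the most specific classified folder containing path, or None
    if the file lives somewhere that was never inventoried."""
    for folder in sorted(FOLDER_LEVEL, key=len, reverse=True):
        if path.startswith(folder + "/"):
            return FOLDER_LEVEL[folder]
    return None


def review(log_text: str, bulk_threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Return findings: reads from outside a folder's circle, reads of
    uninventoried files, and bulk reads of many distinct files in one window."""
    events = [parse_line(line) for line in log_text.strip().splitlines()]
    findings: List[str] = []

    # Check 1: was each read made by an account inside the folder's circle?
    for ts, user, path in events:
        level = folder_level(path)
        circle = USER_CIRCLE.get(user)
        if level is None:
            findings.append(f"{ts.isoformat()} {user} read uninventoried file {path}")
        elif circle is None or circle > level:
            findings.append(
                f"{ts.isoformat()} {user} (circle {circle}) read level-{level} file {path}")

    # Check 2: did anyone read more than bulk_threshold distinct files inside
    # one window? Volume, not any single read, is what an inside job looks like.
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, path in events:
        by_user[user].append((ts, path))
    for user, reads in by_user.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):
            distinct = {p for t, p in reads[i:] if t - start <= window}
            if len(distinct) > bulk_threshold:
                findings.append(f"{user} read {len(distinct)} distinct files within "
                                f"{window} starting {start.isoformat()}")
                break
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the constructed log this yields two findings: Sally (circle 3) reading a Level 2 accounting file, which is exactly the "Here's my password" problem from section 4 showing up in the record, and Tom pulling six distinct client files in a few seconds. Tom's reads are all within his circle, so only the volume check catches them; that is why the audit trail matters even when the locks are set correctly.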
Wikileaks happened not because somebody lost an unencrypted laptop or because a firewall was breached by a clever hacker but because somebody INSIDE the firewall, somebody who was either considered trusted or who was allowed to cross from their level of access to a higher level of access, inappropriately copied and distributed files. It was an inside job. What have you done to make sure it's harder for somebody to do an inside job to you?