Monday, December 6, 2010

Wikileaks - A Call for Security Review

It is widely known by now that the sensitive data given to Wikileaks, and then to the world, was originally obtained by Private Bradley Manning, who downloaded the data to CDs and then passed them to Wikileaks. A cursory look at this occurrence suggests that some of the most basic tenets of information security were probably not being followed by the military.

The principles of need-to-know and least privilege form the foundation of any security system. They mean that people are only given access to the information they need to do their jobs. Beyond whether access is granted at all, the level of access should also be guided by these principles. Virtually all systems provide for setting access levels as needed. A system will typically let an administrator specify that the users with access to a piece of information can do one or more of the following: read, copy, create, edit. One user might be able to read only, while another might be able to edit it.

We know that Private Manning had access to the information and had the ability to read it and copy it. In addition, the drives on his computer had not been disabled to prevent information from being copied and removed, which is exactly what happened in this case.
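To make the two principles concrete, here is a small deny-by-default access check, added here as an illustration and not code from the post or from any system mentioned in it. It models the four access levels named above (read, copy, create, edit) as explicit grants, requires a separate need-to-know (group membership) before any grant counts, and records every decision so that denied attempts, particularly denied copies, can be reviewed. All names, groups, classifications and the sample report are constructed for the example.

```python
"""Least-privilege access check (illustrative, constructed example).

Two independent conditions must both hold before an action is allowed:
  1. need-to-know: the user shares a group with the document's owners;
  2. least privilege: the user holds an explicit grant for that action level
     at the document's classification.
Everything else is denied and written to an audit log.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Permission(Enum):
    READ = "read"
    COPY = "copy"      # bulk retrieval / export, e.g. writing to removable media
    CREATE = "create"
    EDIT = "edit"


@dataclass
class Document:
    name: str
    classification: str   # e.g. "sensitive"; constructed label, not a real scheme
    owners: Set[str]      # groups that have a need to know


@dataclass
class User:
    name: str
    groups: Set[str]
    # Grants are scoped per classification: {"sensitive": {Permission.READ}}
    grants: Dict[str, Set[Permission]] = field(default_factory=dict)


@dataclass
class AuditLog:
    entries: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def record(self, user: str, action: str, doc: str, outcome: str) -> None:
        self.entries.append((user, action, doc, outcome))


def is_allowed(user: User, action: Permission, doc: Document, log: AuditLog) -> bool:
    """Deny by default; both need-to-know and an explicit grant are required."""
    need_to_know = bool(user.groups & doc.owners)
    level_granted = action in user.grants.get(doc.classification, set())
    allowed = need_to_know and level_granted
    log.record(user.name, action.value, doc.name, "allow" if allowed else "deny")
    return allowed


def denied_attempts(log: AuditLog) -> List[Tuple[str, str, str, str]]:
    """The entries a reviewer would look at first."""
    return [e for e in log.entries if e[3] == "deny"]


def build_sample():
    """Constructed sample data: one sensitive report owned by the 'intel'
    group, an analyst who only needs to read it, and a clerk in another group
    who has been (over-)granted read and copy on sensitive material."""
    report = Document(name="field-report-0417", classification="sensitive",
                      owners={"intel"})
    analyst = User(name="analyst", groups={"intel"},
                   grants={"sensitive": {Permission.READ}})
    clerk = User(name="clerk", groups={"logistics"},
                 grants={"sensitive": {Permission.READ, Permission.COPY}})
    return report, analyst, clerk


def run_sample():
    """Return {(user, action): allowed} for a few attempts, plus the log."""
    report, analyst, clerk = build_sample()
    log = AuditLog()
    attempts = [
        (analyst, Permission.READ),   # need-to-know and granted  -> allow
        (analyst, Permission.COPY),   # need-to-know, no copy grant -> deny
        (analyst, Permission.EDIT),   # no edit grant               -> deny
        (clerk, Permission.READ),     # grant exists, no need-to-know -> deny
        (clerk, Permission.COPY),     # same                        -> deny
    ]
    results = {(u.name, a.value): is_allowed(u, a, report, log) for u, a in attempts}
    return results, log


if __name__ == "__main__":
    results, log = run_sample()
    for (user, action), ok in results.items():
        print(f"{user:8} {action:6} {'allow' if ok else 'deny'}")
    print(f"{len(denied_attempts(log))} denied attempts logged for review")
```

The point of the clerk's entries is that a grant on its own is not enough: without a need-to-know the system still says no. Disabling the CD or USB drives, as the post describes, is a compensating control outside the application; the copy permission here is the in-application counterpart, and the log of denied copy attempts is where a reviewer would look for someone probing for a way out.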

The question then is: did Pvt. Manning need these access rights in order to do his job? We don't know, but logic would indicate that he likely did not.

Whether or not he had that need, the situation is a wake-up call for businesses to review their access privileges and consider whether the access provided to their information, especially the more sensitive variety, is in accordance with the basic principles of good security systems. Failure to establish such compliance could be very expensive in the age of Wikileaks. Check out this excellent article on this topic.
