Stopping the WikiLeaks Scenario with Encryption, Device Control and Endpoint DLP
A U.S. Army intelligence specialist? Walking out with confidential documents on a CD? Impossible.
When I first heard about the exposure of hundreds of diplomatic memos, I was anticipating a sophisticated cloak-and-dagger tale. But Pfc. Manning walked out the door with a bogus Lady Gaga CD-RW filled with government secrets. While my initial reaction was that this never should have happened, I can see where the dual priorities of a worker-friendly environment and the mission-critical imperative to share information quickly could have led to this situation. The good news is that there is a straightforward regimen that helps stop this kind of risk.
1) Install Device Control
Device control, as its name suggests, controls which devices can be used on a given computer, and what can be done with them. So if you want to disallow CD burning by a government security analyst with access to secret documents, you can do so. Symantec Endpoint Encryption (SEE) Device Control allows this to be done by policy, across the organization. Permissions can be set by group or per individual user, and they distinguish reading from writing: SEE Device Control could have allowed Pfc. Manning to listen to Lady Gaga MP3 files from the CD drive while preventing him from writing files of any type to a disc. Here’s how a security administrator could have done that:
With SEE Device Control, a security administrator can decide, for example, that the use of USB sticks by field engineers who need to download software for clients is okay, but not by customer service agents who have access to lots of personal customer information and never take work home. SEE Device Control policy can also be set to prevent any type of Bluetooth or WiFi data transfer, which matters because a blocked CD burner is no help if the same files can leave over a paired phone. Here’s a quick look at some of the options.
SEE Device Control also offers capabilities that facilitate audits and forensics, like logging every file copied to a device or creating a “shadow copy” of it, in case you want to see what was actually copied. This would allow investigators to quickly and clearly establish the extent of a breach perpetrated by an actor like Manning. One caveat: a shadow store holds the very content that was being exfiltrated, so it needs the same access restrictions as the source data and should be reviewed only by the investigators who need it. More info on SEE Device Control here.
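To make the group-based allow/deny model concrete, here is an added example (not code from the original post or from Symantec) of how a device-control agent evaluates a request against policy, writes an audit record, and keeps a shadow copy of anything written to removable media. The group names, device classes and record format are assumptions chosen for illustration; when a user is in several groups with conflicting rules, this model resolves to the most restrictive one.

```python
"""Added example: a minimal device-control policy evaluator with audit log and
shadow copies. Not Symantec code; groups, device classes and formats are assumed."""
import hashlib
import json
from datetime import datetime, timezone

# Policy: anything not explicitly granted is denied. Group and class names are hypothetical.
POLICY = {
    "default":          {"cdrom": {"read"}, "usb_storage": set(), "bluetooth": set()},
    "field_engineers":  {"usb_storage": {"read", "write"}},      # need to carry software to clients
    "intel_analysts":   {"cdrom": {"read"}},                     # may listen to MP3s, never burn
    "customer_service": {"usb_storage": set()},                  # handle PII, never take work home
}

AUDIT_LOG = []      # one JSON-serialisable record per request
SHADOW_STORE = {}   # sha256 -> bytes; stands in for the shadow-copy volume


def allowed_actions(groups, device_class):
    """Effective action set for a user in `groups` on `device_class`."""
    group_rules = [set(POLICY[g][device_class]) for g in groups
                   if g in POLICY and device_class in POLICY[g]]
    if not group_rules:
        return set(POLICY["default"].get(device_class, set()))
    # Conflicting group memberships resolve to the most restrictive set.
    return set.intersection(*group_rules)


def request(user, groups, device_class, action, filename=None, data=b""):
    """Evaluate one device operation. Returns 'allow' or 'deny' and audits it."""
    decision = "allow" if action in allowed_actions(groups, device_class) else "deny"
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "device": device_class, "action": action,
        "file": filename, "decision": decision,
    }
    if decision == "allow" and action == "write" and filename is not None:
        # Shadow copy: retain exactly the bytes that left the host, keyed by
        # hash, so an investigator can later see what was really copied.
        digest = hashlib.sha256(data).hexdigest()
        SHADOW_STORE[digest] = data
        record["sha256"] = digest
        record["bytes"] = len(data)
    AUDIT_LOG.append(record)
    return decision


if __name__ == "__main__":
    # Constructed scenario: analyst may read the disc but not burn to it.
    request("analyst1", ["intel_analysts"], "cdrom", "read", "gaga.mp3")
    request("analyst1", ["intel_analysts"], "cdrom", "write", "cables.csv", b"SECRET ...")
    # Field engineer may write a firmware image to a USB stick (shadow copy kept).
    request("fe1", ["field_engineers"], "usb_storage", "write", "fw.bin", b"\x7fELF...")
    # Customer service agent is denied USB writes outright.
    request("cs1", ["customer_service"], "usb_storage", "write", "export.csv", b"name,ssn")
    for rec in AUDIT_LOG:
        print(json.dumps(rec))
```

The audit record for a denied write still names the file the user tried to copy, which is often the first lead in an insider investigation; the shadow copy is only taken for writes that actually happened.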
2) Use Endpoint DLP
Some may find device control too coarse-grained and want to restrict copy operations based on content instead. A great way to do this is with Symantec Data Loss Prevention Endpoint Prevent. It also stops employees from copying confidential data to removable devices, transferring it over the network, copying and pasting it, or printing it, but with the added ability to decide based on what the data is. The advantage is that employees can, for example, copy pictures of their kids to and from a USB stick, but not anything marked confidential, anything that matches the fingerprint of a product design document, or anything that contains confidential customer information. Endpoint Prevent leverages the Symantec Data Loss Prevention suite for deep content inspection, so the same policies used to inspect email traffic can be enforced on the endpoint. Keep in mind that content inspection can only judge content it can parse; a sensible policy treats files it cannot open (password-protected archives, unknown binary formats) as suspect rather than clean. You can find out more about how it works here.
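The three content checks the paragraph mentions (a classification marker, a pattern for customer identifiers, and a fingerprint of a registered document) can be shown in a few dozen lines. The following is an added example, not code from the original post or from Symantec DLP: the design document, the identifier patterns, the file contents and the match threshold are all constructed for illustration. The fingerprint uses word shingles so that a partial excerpt of the protected document is still caught, which is the behaviour a practitioner actually wants; exact-hash matching would be defeated by editing one character.

```python
"""Added example: content inspection of the kind an endpoint DLP agent runs
before permitting a copy to removable media. Not Symantec code; all documents,
patterns and thresholds below are constructed for illustration."""
import hashlib
import re

# Constructed "registered" document whose fingerprint the policy protects.
DESIGN_DOC = b"""Project Falcon turbine blade spec rev 4
Blade root thickness 12.5 mm, alloy Ti-6Al-4V, cooling channel pitch 3.1 mm.
Do not distribute outside Engineering."""


def shingles(text, k=5):
    """Hashed word k-grams of normalised text; excerpts still overlap."""
    words = re.findall(rb"\w+", text.lower())
    return {hashlib.sha256(b" ".join(words[i:i + k])).digest()[:8]
            for i in range(len(words) - k + 1)}


REGISTERED = {"Falcon design doc": shingles(DESIGN_DOC)}

# Constructed identifier patterns. A production policy adds checksum and
# context validation to cut false positives; these are deliberately simple.
PII_PATTERNS = {
    "US SSN": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "16-digit PAN": re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}
CLASSIFICATION_MARKER = re.compile(rb"\bCONFIDENTIAL\b", re.IGNORECASE)


def inspect(data, match_threshold=0.3):
    """Return the list of policy violations in `data` (empty list means clean).

    match_threshold is the fraction of a registered document's shingles that
    must appear in the file for it to count as a fingerprint match."""
    hits = []
    if CLASSIFICATION_MARKER.search(data):
        hits.append("classification marker")
    for name, pattern in PII_PATTERNS.items():
        n = len(pattern.findall(data))
        if n:
            hits.append(f"{name} x{n}")
    sample = shingles(data)
    for name, fingerprint in REGISTERED.items():
        if sample and fingerprint:
            exposure = len(sample & fingerprint) / len(fingerprint)
            if exposure >= match_threshold:
                hits.append(f"fingerprint {name} ({exposure:.0%})")
    return hits


def copy_to_removable(filename, data):
    """Policy decision for one copy: 'allow' or 'block: <reasons>'."""
    hits = inspect(data)
    return "allow" if not hits else "block: " + ", ".join(hits)


# Constructed sample files.
KIDS_PHOTO = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00H\x00H\x00\x00" + b"\x00" * 64
EXCERPT = b"Blade root thickness 12.5 mm, alloy Ti-6Al-4V, cooling channel pitch 3.1 mm."
CUSTOMER_NOTE = b"Customer: Jane Roe, SSN 123-45-6789, card 4111 1111 1111 1111"

if __name__ == "__main__":
    for name, content in [("kids.jpg", KIDS_PHOTO), ("notes.txt", EXCERPT),
                          ("export.txt", CUSTOMER_NOTE), ("draft.txt", b"CONFIDENTIAL draft")]:
        print(f"{name}: {copy_to_removable(name, content)}")
```

The photo passes because nothing in it matches a marker, a pattern or a registered fingerprint; the one-line excerpt is blocked even though it is not the whole document, because half of the design document's shingles appear in it. The same `inspect` function would sit behind the paste, print and network-send hooks mentioned above, which is the point of sharing policy between channels.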
3) Encrypt Sensitive Documents
Obviously, keeping those without a need to know away from a document is one of the best ways to protect secrets. The problem, however, is that access control lists on file shares are not rigorously maintained. That means people who should not see documents can do so. This is exacerbated by corporate search engines indexing all kinds of content, making it easy to find. The answer is to encrypt those files, so that having access to a directory no longer matters: without the key, the file cannot be read. It also has the nice side benefit of making file content opaque to search engines. This is exactly what PGP NetShare from Symantec does.
And the user experience really doesn’t change at all. Having a lock on the file or folder is intuitive and likely sends a warning to those looking to steal. The file opens as normal for those with access, and is unreadable by those without.
PGP NetShare also protects against mistakes made by those with permissions. I’ve heard of cases of generals with security clearance, who are maybe better with intelligence than computers, copying top secret documents to the wrong folder. Encryption solves this problem: even if a file is moved to the wrong place, only those with keys can read it.
One of my favorite features of PGP NetShare is encrypt by file type. This makes it easy to protect Word docs, Excel spreadsheets and PowerPoint presentations, but not MP3 files (unless those are your intellectual property, of course).
We will no doubt be hearing more from WikiLeaks. Forbes reported that a large financial institution is next. With such well-understood defenses available, CISOs really have no excuse for not putting them in place. Perhaps we’ve been putting too much focus on the criminal syndicates and not enough on the malicious insider.
Do yourself a favor and take a look into device control, DLP and encryption. Have a healthy suspicion of IT workers still using CDs instead of iPods to listen to music at work, and make sure your device control and DLP policies cover both: an iPod or phone that mounts as a disk is removable storage just like a USB stick.