Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.

December 14, 2010

The WikiLeaks Security Incident – A Warning and a Wake-Up Call to Organizations Worldwide


We’ve all heard of the infamous WikiLeaks incident by now.

There is THE incident, and then there are opinions dime-a-dozen on the incident. There is also the frequent use of the word “cyber-war” by journalists in reference to childish DDOS attacks.

It is not my intention to offer just another opinion, like perhaps Mr.Bruce Schneier, who in his own words "doesn't really have much to say about it", but (I think nonetheless) felt the need to do chime in.

As some of you may know, virtually the entire U.S government, from the Department of Defense (DOD) to the U.S. Congress, runs on Microsoft's Windows Server platform, powered by Active Directory, which is at the very foundation of their security.

As former Microsoft Program Manager for Active Directory Security, I do actually have much to say about it, but in the interest of time, shall keep it brief, and share it with you in the form of an information security practioner’s perspective on the incident.

So, if I may, here's my 2c on this incident -

It is public knowledge that at the heart of the WikiLeaks incident is the leak of United States Diplomatic Cables, wherein the whistle-blower website WikiLeaks started to publish classified documents of detailed correspondence between the U.S. State Department and its diplomatic missions around the world.

The leak has since been characterized as being a threat to national security of many a nation and even condemned as an attack on not just the U.S. but all governments. (Also, as mentioned previously, since then, this has been the topic of substantial media coverage and there have been numerous articles written by as many journalists on the subject, each entitled to their opinion.)

However, if one were to objectively view the incident from an IT security perspective, I believe that there are two distinctly separate incidents involved here –

  1. Unauthorized Disclosure of Information by an Insider – At the core of the incident is the act, by an insider, of obtaining access to, and subsequently disclosing, to an outsider, over 250,000 U.S. government documents (which constitute the property of the United States government) including over 130,000 unclassified documents, about 100,000 documents classified as "confidential" and about 15,000 documents classified as “secret”.
  2. Information Dissemination by an Outsider – Then there is the act, by a party external to the U.S. government i.e. WikiLeaks, involving the dissemination of this information, i.e. making these documents indiscriminately and globally accessible to all on the Internet. Whether this was done with or without regard to the impact that doing so could have on impacted entities (i.e. the United States government, and the individuals, embassies and governments of whom there is a mention in these documents) is really immaterial.

As to the former i.e. unauthorized disclosure by an insider, at its essence, this was the most elemental form of a security incident, in which a trusted insider who had access to a confidential organizational IT asset (or in this, a vast set thereof) willfully violated organizational security policy by disclosing this (set of) organizational IT asset(s) to one or more parties external to the organization. The only thing that made this security incident so serious was the fact the value of the IT assets whose confidentiality was compromised was so high that it could potentially have had a real impact on national security and international relations.

As to the latter i.e. information dissemination by an outsider, that was an incident in which an entity chose to disseminate potentially sensitive information (in this case, these documents) delivered to them, indiscriminately by publishing them online. As to the legality of this action by this outsider, while White House Press Secretary Robert Gibbs recently said that "…the stealing of classified information and its dissemination is a crime,” I for one am not going to opine on the legality of the dissemination of such information, as that is something for a court of law to decide.

From a security perspective, IMHO the damage was done the moment these IT assets (i.e. these documents) crossed the proverbial organizational boundary (i.e. were disclosed to an external party), because from that point on, these documents were out in the open, and could easily have been silently sold to the highest bidder, or delivered to a long list of entities who could substantially gain or profit from them, whether they be international terrorists, rogue regimes, crime syndicates and so on.

In fact, one has to wonder if it could have possibly been be far more damaging if these documents were stolen and sold to say, an international terrorist organization, and the fact they were stolen and now in the hands of a terrorist organization, would never to have come to light.

At the end of the day, this unfortunately was a serious failure to adequately protect the confidentiality of what it largely considered classified U.S. government information, and it does raise many security valid questions.

For instance, if the U.S. government does have a least-privilege access (LPA) security model in place, how come three million individuals had access to these sensitive documents? Or for that matter, did three million individuals really have a business need to have access to these sensitive documents? If so, one has to further wonder as to how this access was ultimately enforced? In fact, many questions come to mind, and I’m certain many such questions will undoubtedly be raised during their own internal investigations.

If I may digress for a moment...
It is worth mentioning that when it comes to access enforcement, there is unfortunately almost always a disconnect between the intended security policy and the implemented security policy, primarily because implementation involves specification of access control intent in computer systems, and that can get very complicated and difficult to manage, and rather quickly so.

For instance, numerous aspects, such as the lack of a single point of administrative control, arcane nesting of security groups, administrative churn over time, and the specification of access controls at various levels (e.g. file, folder, server, trust etc.) all have a direct impact on the effective resultant access on an IT asset, and consequently on the ability of an organization to effectively maintain and control access to their IT assets.

Consider for instance the set of access controls involved in protecting a set of documents residing on a file server joined to the Active Directory. As you may know, there are multiple access control points wherein security must be specified. For instance, there is the access control list (ACL) on each individual document. Then there are ACLs on the folder(s) containing these documents, and ACLs on the share itself. In addition, there is the list of individuals who are authorized network access to this domain joined computer and then there the domain security groups that are used to provision access at each of these access control points.

On a related note, one critical yet often overlooked aspect of security today is the need to (accurately) assess and review the identities of all individuals who can influence (modify) the memberships of the very security groups used to control access to organizational IT assets.

For instance, while it is important to review the membership of a security group being used to control access to a specific IT asset, it is equally important to determine and review exactly who all can modify the membership of that security group as well, because, ultimately, whoever has this ability could instantly change the membership of the group, and consequently obtain or facilitate access to every document/IT asset being protected by that group. (This is one such critical area where our innovative Gold Finger access assessment solution for Active Directory helps organizations instantly and automatically make these determinations.)

The bottom line is that the specification and enforcement of authorization intent is neither easy nor straight-forward, and many a time, this one simple root of complexity can make it difficult to attain or maintain least-privileged access, particularly in large IT infrastructures. As a result, quite often, one or more IT resources could easily end up being inadequately protected and vulnerable to compromise.

But I digress.

All said and done, the WikiLeaks incident is a warning and wake-up call to organizations worldwide – IT security today is mission-critical to business, and it must be a top business priority, because, as we have clearly seen in this case, it only takes ONE such security incident to have a substantial impact on business.

After all, if you think about it, this was very much akin to an employee at a Fortune 100 business organization taking a set of confidential business documents, such as a set of confidential product blue-prints, and disclosing them to an outsider. The only thing that makes the release of these cables more sensational is the nature of information they contained, the unauthorized disclosure of which, substantially impacted a broad and larger set of issues and entities.

Today IT security has become paramount to organizational security and business continuity and at Paramount Defenses Inc, we know this first-hand (; today our solutions and services help secure and defend the very foundation of IT security at over 4000 organizations in over 70 countries around the world.)

In days and weeks to follow, I intend to shed light on numerous specific and highly pertinent IT security issues and challenges that directly impact organizational security worldwide.


PS: It would also be nice to see the media stop referring to these kiddish DDOS attacks as cyber-war. These DDOS attacks are so primitive in nature that any half-serious IT security enthusiast should be able to code one up in a few hours. I doubt these journalists have any idea as just how much damage a real DDOS attack on a mission-critical component, such as the Active Directory, could actually do. For that matter, I doubt they even know what the Active Directory is, let alone why it is so important.

No comments:

Post a Comment