Editor’s Note: The storm of news coverage about the release of confidential diplomatic memos by whistleblower site Wikileaks may have passed, but the story is far from over. In the meantime, organizations are left to draw their own conclusions about the lessons of the Wikileaks scandal and, then, try to apply them to their businesses. In this opinion piece for Threatpost, Ted Julian, a Principal Analyst at Yankee Group, says there are four important lessons that organizations can learn from the sensational publication of classified documents and carry into the New Year.
WikiLeaks Is A Tipping Point For Security
WikiLeaks has dominated both the airwaves and many IT conversations over the past few weeks. There are many good reasons for this. Awareness of the four-year-old whistleblower Web site has elevated the risk associated with leaked information in the minds of business executives. They now must ask themselves – “what if this got on WikiLeaks!?” In the immediate aftermath of the release of Cablegate, the leaked U.S. diplomatic cables, conversation shifted to the wave of Denial of Service (DoS) attacks launched against WikiLeaks’ Web site by opponents of the group, and against MasterCard, Visa, and others by WikiLeaks activists.
The motives and methods of these groups may be topics for discussion. But what’s clear is that WikiLeaks changes things for IT security. This is not because of WikiLeaks specifically as an organization or because of any technology innovation associated with the site. Rather, it is because of what these WikiLeaks incidents represent.
Wikileaks: A Channel for Data Leaks
First, WikiLeaks as an organization represents the advent of a data leak channel through which pilfered or leaked information can rapidly be publicly disseminated. Of course, there already were such channels before WikiLeaks (remember F***edcompany.com?) and there are sites that run alongside it today, such as Cryptome.org, albeit with less notoriety. But the success of WikiLeaks may have ushered in a new and more permanent role for such sites. It has also ensured that there will be more such sites in the future, including WikiLeaks spin-off Openleaks.org.
Second, the attacks both for and against WikiLeaks served notice that hacktivism is less of a theoretical risk. Indeed, we’ve reached a tipping point. Because WikiLeaks has made data leaks and hacktivism a kitchen table conversation, organizations, as a practical matter, need to prepare a response to them.
WikiLeaks Amplifies Data Loss
Organizations have been concerned about data leaks for years. In light of ongoing breaches and mounting PCI requirements, retailers have been deploying encryption and intrusion detection technologies in an effort to batten down the hatches to avoid credit card number loss. WikiLeaks, however, represents a powerful lure for potential data thieves. As such, it expands the scope of who needs to worry about data leaks while also amplifying the potential damage of those leaks. An embarrassing e-mail to a non-profit organization from a celebrity benefactor is one thing. But the damage might be far worse if that memo is pumped out through the WikiLeaks media machine to reporters for sites like The Guardian, The New York Times and Der Spiegel. Again, WikiLeaks is just the beginning. The coming year will see more variations on the Wikileaks model focused on specific topics and industries.
WikiLeaks Catalyzes Hacktivists
While security pros have been discussing for years the possibility of hacktivism (hacking by activists), incidents of true hacktivism have been relatively few and fairly isolated. Absent a specific threat, most organizations were justified in putting this risk on the back burner. The latest attacks tied to WikiLeaks’ publication of the Cablegate documents, and the ensuing media frenzy, however, have pushed cyber activism onto the front burner for public and private organizations, as well as governments. Organizing a public demonstration at a world summit or commandeering a boat to stage a protest is a lot of work. WikiLeaks sympathizers were able to garner greater publicity for their cause without leaving their desks.
Mobile Proliferation Expands Wiki-Risk
PFC Bradley Manning, who is believed to have supplied Julian Assange with the stolen, classified documents, famously burned data from the military’s SIPRnet onto CDs labeled “Lady Gaga.” But putting malicious insiders like Manning aside, lost devices present a very real risk, which most organizations are struggling to cope with. Specifically, mobile devices increase the risk of data leaks in several ways:
- Mobile drives data proliferation. Currently there are over half a billion mobile devices in use with a smart operating system (like smart phones and tablets); this number will more than double by 2013. Between e-mail, files, applications and other data stores, the rapid adoption of mobile devices expands dramatically the number of endpoints with sensitive data that organizations must consider at risk for leaking.
- Mobile expands the threat landscape. These devices are a risk for the data they may store directly, but also for their connections to sensitive data. A compromised smart phone risks becoming the weak link in an otherwise carefully constructed, defense-in-depth strategy if attackers can use it to gain trusted access to systems inside the organization.
- Mobile consumerization challenges IT control. Increasingly, employees are bringing in personal devices and using them for work. This trend complicates data leak prevention, as IT groups struggle to respect employee privacy while at the same time protecting corporate information.
Ironically, WikiLeaks comes just as enterprises, governments, service providers and security vendors are wrapping up 2010 and finalizing plans for 2011. All parties should use this opportunity to update their strategy and tactics accordingly.