This past November, an organization by the name of WikiLeaks released confidential data documenting the diplomatic correspondence of the United States with governments and organizations worldwide. WikiLeaks allegedly obtained the data from United States Army soldier Private First Class Bradley Manning, who is accused of making unauthorized copies of more than 250,000 confidential United States documents while stationed in Iraq.
Several governments, including the United States, have condemned the leak, calling the actions of WikiLeaks and Manning an attack on governments worldwide that places lives at risk and damages long-standing diplomatic relationships. Others feel the reaction has been exaggerated: the overall risk of the leak is low, lives will not be lost and the empire will be just fine. As the leak unfolds, a few things are certain: weaknesses in the United States’ data protection controls will be exposed, people and organizations will find themselves standing with pie on their faces, and someone, somewhere, will have Hell to pay.
In the meantime, don’t wait for this to happen to your organization before taking action. In this article we take a quick tour of how the WikiLeaks debacle unfolded and of simple steps you can take today to help ensure your organization is not at the center of the next data leak disaster.
Disable CD Drive Support
According to the AOL technology site Switched.com (http://www.switched.com/2010/07/10/the-lady-gaga-wikileaks-link-how-bradley-manning-easily-stole-c/), Manning reportedly used a recordable CD to copy the data from military computers. To disguise the disc, he labeled it as a Lady Gaga music CD. I know what you’re thinking – yeah, that’s it.
If your organization runs Windows, there is a simple, easy to deploy setting that reduces the risk of users copying your organization’s data onto CDs and carrying it off premises. Even if you are not your organization’s technology manager, you should at least be aware of it. The setting that disables the CD-ROM driver lives at the following registry location:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdrom\Start
Setting this DWORD value to 4 (Disabled) stops the cdrom driver service from loading, which removes CD drive support from the computer. The default is 1 (System start), which enables it. Because the driver is loaded at boot, a restart is required for the change to take effect. See http://support.microsoft.com/kb/555324 for more information. Two caveats are worth knowing. First, the value lives under HKEY_LOCAL_MACHINE, so ordinary users cannot change it, but anyone with local administrator rights can simply set it back; deploy it through Group Policy rather than by hand so it is re-applied and audited. Second, disabling the driver blocks reading CDs and DVDs as well as writing them, so if users legitimately need installation or reference media, the narrower Group Policy setting under Computer Configuration, Administrative Templates, System, Removable Storage Access, “CD and DVD: Deny write access” (available since Windows Vista), prevents burning while leaving reading intact. Had the military enforced either setting (assuming the military uses Windows based hosts), Manning would not have been able to use his now infamous Lady Gaga CD to copy the data. I know what you’re thinking again – yeah, that’s it.
Disable USB Mass Storage Support
Even with CD drive support disabled on the computer Manning used, he could just as easily have copied the data onto a USB thumb drive. In fact, that might have been a better method for him, since a thumb drive is easier to conceal than a CD. Fortunately, according to the Switched.com article, United States military policy already required and enforced the disabling of USB mass storage support. That may not be the case at your own organization. USB mass storage support is controlled by the registry value at:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start
Setting this value to 4 (Disabled) prevents the USBSTOR driver from loading, which disables USB disk and thumb-drive support on Windows hosts without affecting other USB devices such as keyboards, mice and printers, which use different drivers. The default is 3 (Manual), meaning the driver is loaded on demand when a storage device is plugged in. See http://support.microsoft.com/kb/823732 for more information, including the recommendation to deny users permission to the Usbstor.inf and Usbstor.pnf files so the driver cannot be installed on hosts that have never had a USB storage device attached. Note that phones and cameras connected in MTP or PTP mode use the Windows Portable Devices stack rather than USBSTOR, so this value alone does not stop a user copying files to a smartphone.
Unlike the CD drive setting, this one does not require a reboot, because the driver is loaded on demand rather than at boot. A device that is already plugged in when you change the value keeps working until it is removed; the change applies to devices connected from then on.
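The following script is an added example written for this article, not code from the original post or from Microsoft. It audits both Start values described in the two sections above and, when run with an -Enforce switch (my own name for it), sets them to 4. The registry paths and the Start value meanings come from the article and the referenced knowledge base articles; the output format and the reboot handling are mine. Run it from an elevated PowerShell prompt, since the keys are writable only by administrators.

```powershell
# Added example: audit and optionally disable the cdrom and USBSTOR driver services.
# Start values: 0/1 = boot/system start, 2 = automatic, 3 = manual (on demand), 4 = disabled.
# Run elevated; without -Enforce the script only reports.
param(
    [switch]$Enforce   # hypothetical switch name chosen for this example
)

# Services to check, with the default Start value each has on a stock Windows install.
$targets = @(
    @{ Name = 'cdrom';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\cdrom';   Default = 1; NeedsReboot = $true  },
    @{ Name = 'USBSTOR'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Default = 3; NeedsReboot = $false }
)

$rebootNeeded = $false
foreach ($t in $targets) {
    if (-not (Test-Path $t.Path)) {
        # The key is created when the driver is first installed; a missing key
        # usually means no such device has ever been attached to this host.
        Write-Warning "$($t.Name): service key not present"
        continue
    }

    $current = (Get-ItemProperty -Path $t.Path -Name Start).Start
    $state = if ($current -eq 4) { 'DISABLED' } else { 'enabled' }
    Write-Output ("{0,-8} Start={1} ({2}; default is {3})" -f $t.Name, $current, $state, $t.Default)

    if ($Enforce -and ($current -ne 4)) {
        Set-ItemProperty -Path $t.Path -Name Start -Value 4 -Type DWord
        Write-Output ("{0,-8} Start set to 4" -f $t.Name)
        if ($t.NeedsReboot) { $rebootNeeded = $true }
    }
}

if ($rebootNeeded) {
    # cdrom.sys is loaded at boot, so the running kernel still has it until restart.
    Write-Output 'Restart the host for the cdrom change to take effect.'
}
if ($Enforce) {
    # USBSTOR is demand-started: a drive that is already plugged in keeps working
    # until it is removed; the change applies to devices connected from now on.
    Write-Output 'USBSTOR change applies to devices plugged in from now on.'
}
```

Run it without arguments first to see the current state of a host, then with -Enforce on a test machine. For fleet-wide deployment, push the same two values through a Group Policy registry preference so that an administrator who reverts them locally is overridden at the next policy refresh.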
Network Black or White-Listing
Besides disabling CD and USB drives, there is another action you can take to help keep data from leaving your organization’s premises. I have to warn you, though: this one will not make you popular with your users, and you probably won’t be getting many Christmas cards or party invitations as a result. But sometimes someone needs to be the bad guy for the good of the organization. The last control is to establish and enforce a list of the sites users are allowed, or not allowed, to access.
After copying the confidential data onto his Lady Gaga CD, Manning allegedly uploaded it to the WikiLeaks site. Details of which computer and Internet connection he used were not available, but since he was stationed in Iraq when the data was copied and leaked, it is probably safe to assume he used a military provided computer and Internet connection. If so, the military should have taken steps to block known “bad” sites such as WikiLeaks, especially since WikiLeaks had already been involved in publicized leaks, such as a video showing American soldiers shooting Iraqi civilians from an Apache helicopter and other war documents. Bear in mind that blocking a single site is a weak control on its own: anyone determined to reach it can use a mirror, a different host name or an unmanaged connection, which is one reason the white-list approach described below is preferable.
What matters at this point is how you keep company data from leaving your protected networks, a problem sometimes referred to as “data exfiltration”. Blocking users from reaching particular sites is the easy part; any modern firewall or web proxy can do it. The hard part is deciding which sites users may access and which they may not. There are two general approaches: black-listing and white-listing.
With the black-listing approach, you define a set of prohibited sites, and any attempt to reach one of them is blocked. The white-listing approach does the opposite: it defines the set of sites users need to perform their business roles and allows access only to those. Any site not on the list is automatically blocked at the corporate firewall or proxy. My recommendation is always the white-list approach, because a user’s business role, and the sites needed to fulfill it, can be written down as a finite list, whereas the set of sites a user should not visit is open-ended and can never be documented completely.
Here comes the unpopular part: sites such as Facebook, Google Gmail, Microsoft Hotmail, Twitter, YouTube and MySpace are usually not needed for users’ business roles and represent potential channels for leaking confidential data. Non-essential network protocols such as Internet chat and FTP are also fair game for blocking. As a result, many of the companies I work with block these sites and protocols, much to the disapproval of their users. If you would like the list of sites I generally recommend to my customers, email me at info–at–golockbox.com or sign up for our newsletter, in which I’ll send it out later. What you decide to block or allow depends on the risk, and I explain how to assess it in the next section.
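To make the white-list approach concrete, here is an added example (not from the original article, and not how any particular firewall product implements it) that applies a per-role allow-list to a handful of constructed proxy log lines and reports which requests would be blocked. The roles, domains and log lines are made up for illustration. It shows the decision logic a proxy or firewall performs, including two details that matter in practice: an unknown role is denied by default, and a domain entry that permits subdomains must match on a dot boundary, so that “.example.com” covers www.example.com but not example.com.evil.net.

```powershell
# Added example: evaluate requests against a per-role web allow-list.
# Role -> permitted domains. An entry beginning with "." also permits its subdomains;
# a bare entry permits only that exact host name. (Roles and domains are invented.)
$allowList = @{
    'finance'     = @('.bankofexample.com', 'erp.corp.example', 'www.irs.gov')
    'engineering' = @('.github.com', 'erp.corp.example')
}

function Test-HostAllowed {
    param([string]$Role, [string]$HostName)

    $entries = $allowList[$Role]
    if (-not $entries) { return $false }            # unknown role: deny by default

    $h = $HostName.ToLowerInvariant().TrimEnd('.')  # normalize case and trailing dot
    foreach ($e in $entries) {
        if ($e.StartsWith('.')) {
            # ".example.com" matches "example.com" and "a.b.example.com",
            # but not "example.com.evil.net" or "notexample.com".
            if (($h -eq $e.Substring(1)) -or $h.EndsWith($e)) { return $true }
        } elseif ($h -eq $e) {
            return $true
        }
    }
    return $false
}

# Constructed proxy log lines: user, role, requested host.
$log = @(
    'alice finance     www.bankofexample.com',
    'alice finance     bankofexample.com.evil.net',
    'bob   engineering api.github.com',
    'bob   engineering mail.google.com',
    'carol contractor  erp.corp.example'
)

foreach ($line in $log) {
    $user, $role, $hostName = $line -split '\s+'
    $verdict = if (Test-HostAllowed -Role $role -HostName $hostName) { 'ALLOW' } else { 'BLOCK' }
    Write-Output ("{0,-6} {1,-12} {2,-30} {3}" -f $user, $role, $hostName, $verdict)
}
```

In a real deployment this logic lives in the proxy or firewall’s URL filtering rules rather than in a script; the point of the example is the matching rule. The look-alike host bankofexample.com.evil.net is blocked only because the suffix check requires the leading dot, and carol’s request is blocked because her role has no list at all, which is the safe failure mode for a white-list.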
Some Final Thoughts
Before you disable CD support and USB mass storage support and implement white- or black-listing of network access across your organization, I want to leave you with two important final thoughts.
First, if someone is absolutely determined to copy data and take it off premises, ultimately they will find a way. Someone could, for example, bring the data up on screen and take high quality photos of it with a simple phone camera, or simply steal the physical computer. Bad guys will find a way. So I don’t want to leave you with the impression that if you disable CD support, disable USB support and white-list network access your organization will be data-leak-proof (these just happen to be the ways Manning used). The important thing is to have a good security policy that states what is allowed and what is not, and then apply controls to enforce those requirements. That way you know where your organization has strong security controls and where it does not, and can take appropriate action. For example, in the case of the camera phone data smuggling technique, there is not much you can do about it from a technology standpoint, but you could mitigate the risk with a non-technology control by simply requiring that employees leave all cell phones with the security front desk, or by stating in your human resources policy that any unauthorized release of company data will result in prosecution to the full extent of the law.
The second final thought is that you should carefully evaluate each of the data leak controls discussed in this article and determine whether it is the right fit for your organization. To do this with our customers we use the table shown below. As you can see, it is very simple, and in my experience extremely effective.
| Affected Asset | Business Justification | Risk and Impact | Mitigation Strategy |
|---|---|---|---|
| Asset name | Stated business justification | High / Medium / Low | Accept, Reduce, Transfer or Remove, followed by a mitigation plan |
Through our Internet security consulting services we may identify vulnerabilities in a customer’s digital asset, such as a network, a line of business application or a server, and propose a remediation plan. To help customers decide whether an issue is worth fixing (and yes, not every security issue needs to or should be fixed), we first identify a business justification for the affected asset. If none exists, the asset should be taken out of production. If one does exist, what are the risk and impact? Once we have evaluated the overall risk and impact, we help them choose the appropriate mitigation strategy. Whenever you implement controls to mitigate risk, including the ones described in this article, I advise going through this exercise. It will save you numerous headaches down the road, and in the long term you will be glad you did.
With that, good luck, safe holidays and see you on the other side in 2011.
–Kevin
LOCKBOX SFT, the easiest to use and most secure file transfer service: http://www.golockbox.com