This latest leak is neither surprising nor sudden. It is simply another blow in a string of leaks, and the scandals that follow them, from military and governmental networks. And it is certainly not the last one.
All these cases have one thing in common: the data was not leaked by a foreign power or by malicious hackers breaking into the system. The source, time after time, is a member of the staff who is fully authorized to use the secret data. On one crucial day, that person simply takes the data home, for ideological or personal reasons. The authorized employee needed no computer expertise or sophisticated tools (Bradley Manning, it was recently reported, simply burned secret data to CDs labelled "Lady Gaga").
Does their "success" stem from failures in the defense systems? Is it possible to prevent them from doing the deed?
The traditional defenses from the well-known vendors (Symantec, McAfee, CheckPoint), the same antivirus products and firewalls installed in every organization and on every personal computer, have not failed as products. They were simply built around a different concept, developed in the early 2000s, whose primary goal was to stop an external attacker from penetrating the system. It is more accurate to say that the threat model on which these tools are based is what failed: they watch the perimeter, while the insider is already inside it.
In today’s IT world, there is a new type of defense system – Data Leak Protection (DLP). The techniques they employ can be divided into three main categories:
1. "Brute force" defense: block all USB devices, CD/DVD burners, Bluetooth and Firewire ports, Internet access and email outright. The immediate problem with this method is the severe damage to the organization's business continuity: cutting off the normal flow of data crucial to day-to-day operation. "Blocking all exits" unfortunately also blocks communication and collaboration between the staff, and creates a heavy air of suspicion and distrust throughout the organization.
2. Rules and permissions: this category contains DLP systems that rely on a centralized, organized set of permissions covering classified data, employees and computers. For each user, the system defines exactly which kinds of documents he may access, and on which computers. Will this protect against an internal threat? Obviously not: every one of the leaks mentioned above was carried out by a trusted employee who was in fact authorized to access and use the classified data, so the rules permit exactly the access that was abused. Furthermore, in practice such a centralized rule set quickly becomes bloated, cumbersome and unmanageable.
3. Heuristic system: an improvement on the previous category, a heuristic system tries to replace the attention of a human officer responsible for setting permissions with a continuously self-learning system that automatically classifies the different types of documents in the organization and sets permissions according to context. This approach does help to prevent a data leak from an authorized source. However, it operates on textual information only: pictures, photos, videos, drawings, designs and so on will still leak as before, and a screenshot or scan of a classified page carries the same information as the document itself.
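To make the limitations of categories 2 and 3 concrete, here is a small worked example, added for this article and not code from any DLP vendor or from Zinstall. It models an outbound-transfer check in two stages: a permission table (category 2) and a content inspector that looks for classification markings in the file's text (category 3). The user names, the permission table, the marking list and the two sample files (a text "cable" and a PNG-like byte string standing in for a screenshot of the same page) are all constructed for the example. The point it demonstrates: the rules pass the fully authorized user, the inspector catches the marked text file, and the same content leaves untouched once it is an image.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Markings the content inspector looks for, highest level first.
# The list itself is constructed for this example.
LEVELS = ["TOP SECRET", "SECRET", "CONFIDENTIAL"]
MARKING_RE = re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL)\b")

# Hypothetical permission table (category 2): the labels each user is cleared for.
PERMISSIONS = {
    "analyst": {"CONFIDENTIAL", "SECRET"},   # the fully authorized insider
    "contractor": {"CONFIDENTIAL"},
}


@dataclass
class Transfer:
    user: str
    filename: str
    label: Optional[str]   # classification recorded in file metadata, if any
    data: bytes            # the bytes leaving the network


def permission_check(t: Transfer) -> bool:
    """Category 2: allow if the user is cleared for the file's recorded label.
    An unlabeled file gives the rule engine nothing to match on, so it passes."""
    if t.label is None:
        return True
    return t.label in PERMISSIONS.get(t.user, set())


def extract_text(data: bytes) -> Optional[str]:
    """Return the payload as text, or None for binary formats (images, archives...)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Payloads that happen to decode but are mostly non-printable are still binary.
    printable = sum(ch.isprintable() or ch.isspace() for ch in text)
    return text if printable >= 0.9 * max(len(text), 1) else None


def inspect_content(data: bytes) -> Optional[str]:
    """Category 3: classify by content. Returns the highest marking found in the
    text, or None when nothing is found, which is always the case for non-text."""
    text = extract_text(data)
    if text is None:
        return None
    found = set(MARKING_RE.findall(text))
    for level in LEVELS:
        if level in found:
            return level
    return None


def dlp_decision(t: Transfer) -> Tuple[str, str]:
    """Run both stages and return (verdict, reason)."""
    if not permission_check(t):
        return "BLOCK", f"{t.user} not cleared for {t.label}"
    marking = inspect_content(t.data)
    if marking is not None:
        return "BLOCK", f"content marked {marking}"
    return "ALLOW", "no marking detected"


# Constructed sample: a marked text document.
CABLE = (b"Classification: SECRET\n"
         b"Subject: constructed sample cable for the example\n"
         b"Body: nothing here is real reporting.\n")
# Constructed stand-in for a screenshot of the same page: PNG signature + opaque bytes.
SCREENSHOT = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4


def run_demo():
    cases = [
        Transfer("contractor", "cable.txt", "SECRET", CABLE),   # stopped by rules
        Transfer("analyst", "cable.txt", "SECRET", CABLE),      # rules pass, inspector stops it
        Transfer("analyst", "cable.png", None, SCREENSHOT),     # rules pass, inspector blind
    ]
    return [(c.user, c.filename) + dlp_decision(c) for c in cases]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The third row is the leak the article describes: the authorized analyst, carrying the same information as an image, is allowed through by both stages. Real content-inspection products add OCR for images and fingerprinting for known documents, but a photo of a screen, a re-encoded video or a CAD drawing still has no text for the inspector to read.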
Is the situation hopeless? No, it isn't. The key to the solution is changing the overall approach. Existing systems are built to fight past wars, not the war that has now begun: defending digital data from an internal threat.
A solution of this kind can be found in the DiCOP system developed by Zinstall. It is based on a different approach: not brute force blocking, not rules and permissions, and not heuristics. The motto is simple: protect all digital content in the organization, including all files of all types, while remaining completely transparent to users, keeping data flow unobstructed and allowing full, streamlined collaboration between employees. The leak source can try carrying the files out on a USB drive, burning them to a CD, copying them to a smartphone or sending them by email, but he will not be able to use that leaked content outside the organization. A disgruntled employee will, of course, still be able to write a few facts down on a piece of paper; leaking many thousands of classified documents, reports and other digital content, however, will be impossible.
About the author: James Watts is a Data Protection Lead in the DiCOP (Digital Content Protection) product team at Zinstall, a leading provider of PC migration, virtualization and DLP products. James specializes in protection from internal threats and advises leading financial and defense institutions and organizations in the US, the UK and Singapore on the subject.