In case you’ve been living in a cave somewhere, you should know that WikiLeaks has posted an additional 250,000 State Department dispatches following their April release of a video showing U.S. troops firing on journalists and its release of hundreds of thousands of classified military dispatches from Afghanistan and Iraq.
It turns out that the information was downloaded from servers on the classified Secret IP Router Network, or SIPRNET allegedly by Bradley Manning, an Army intelligence specialist whose data copying went completely undetected by authorities. Again, if you’ve been jaunting off to Mars, the US Department of Defense suspended the use of removable flash media (not just USB flash drives) in November 0f 2008. Since he couldn’t use a flash drive, Private Manning burned the information to CDs.
So how the heck could a lowly Private gain access to hundreds of thousands of documents and exit stage right with them under the authorities noses? Probably because the documents were not sufficiently protected from disclosure. It could happen to you too, and it is not all that difficult a problem to solve if you follow a few rules.
- Implement separation of duties. Grant the minimum level of access that a worker needs to perform their job.
- Users should never be given admin rights on organization PCs.
- The PC cannot be booted from anything other than the approved boot volume
- Cameras and cameraphones are not allowed within the secure area to prevent screen shots.
- Port control software limits the devices that are allowed to connect to the PC.
- The storage devices that are allowed to connect must use high-assurance hardware-based encryption, cannot be used outside of the network, and can be remotely disabled / erased.
- All data transfers must be logged and someone or something AUDITS the logs.
- All classified data must be stored ENCRYPTED on a file-by-file basis unless it is in use. File-by-file encryption means that each one needs to be independently targeted. Full Disk Encryption is not secure for this use – once the disk is unlocked, all of the files are available to the hacker.
- Encrypted data should be shared through the use of PKI so that only authorized parties can decrypt it without needing to share secret keys.
SPYRUS, Inc. makes encrypting USB devices that implement rules 6 through 9. Devices can be locked down to one or more PCs and cannot be used anywhere else, even if the password is known. They also block the use of any other removable storage device. On top of that, they meet the US government’s USB Flash Drive specifications for physically transferring tactical SECRET data between secure enclaves. Best of all they are on the USCYBERCOM approved list, DAR, and BPA for government. US Civilians can get them from Amazon. To request more information, click here.