Wikileaks and the authorized insider threat

Data security beyond DLP requires orchestration of many moving parts, say Craig Shumard and Serge Beaulieu

The recent military and U.S. State Department Wikileaks fiasco epitomizes a key challenge to data security and privacy today: the authorized insider threat.

Massive amounts of secret documents--250,000 embassy cables, 91,000 documents relating to the Afghanistan war, and almost 400,000 documents relating to the Iraq war--were taken and leaked to Wikileaks. And this may be just the tip of the iceberg--Wikileaks founder Julian Assange reportedly has an encrypted 1.4 gigabyte 'insurance' file that will be decrypted and leaked if he dies.

All this information came from 'authorized users'. Allegedly, a low-level intelligence analyst, an Army private no less, had access and downloaded all the Iraq and Afghanistan war documents to CDs or DVDs. He may also be responsible for the State Department leak.


The authorized insider threat is not unique to the government or the military. All organizations are susceptible--virtually any organization that has sensitive business information such as earnings releases, merger and acquisition plans, strategic plans, attorney/client documents, personal identifiable information, sensitive internal emails, et cetera, is at risk. Notably, Wikileaks has said that their next target for posting whistle-blowing documents will be a large US financial institution.

Moreover, not all leaked information has to be sensitive to be damaging. Damage may occur from leaked intellectual property, or embarrassing things such as blunt emails that can be taken out of context, or internal debates on controversial issues that are not meant for public consumption.

Even if you know who has access to what, can an organization know what their employees did, what documents they read, printed, or copied?

Why organizations are at risk

Organizations are at risk because they have both sensitive information and people who have authorized access to it. Even assuming that access to sensitive information is adequately protected, organizations are still at risk, because a determined disgruntled or uninformed authorized user can still find ways to steal or lose information.

The challenge is to evolve the layers of information security defenses to reduce that exposure.

We know that the government and the military have the essential security safeguards in place. They classify their information, restrict access to it using role-based or other discretionary access controls, have policies and procedures to properly handle classified information, and have network technical safeguards--to name a few. Yet a massive leak still occurred.

Why weren't these massive leaks, at a minimum, detected, and, optimally, prevented? The simple reason is that information security practices and tools have not kept pace with the threat.

This is because policies and procedures, data classification, RBAC (role-based access control) or other discretionary access controls (see note below), data loss protection, event monitoring, etc., are not in and of themselves sufficient. While they reduce the exposure to some degree, they are too imprecise to effectively address the authorized insider threat.

Leaking sensitive information is not new. Many high-profile leaks have occurred in the past, including the Pentagon Papers during the Vietnam War, Enron's financial dealings, and Deep Throat in the Watergate case.

What is new is that a tremendous amount of information can easily be accessed and leaked anonymously. The amount of information and the ease of leaking it are at an all-time high. Current security safeguards, both from a capability and a deployment perspective, have not kept pace with the evolving threat.

Information security defenses need to evolve

Information security defenses need to evolve to combat the authorized insider threat. We need to develop the analytical skills that will combine RBAC roles, data classification, SIEM (security information and event management) results, endpoint security events, etc., and develop standard 'data usage' activity profiles.

One way for security systems to evolve is through 'behavioral or anomaly' based data loss prevention security.

This approach could be similar to how we combat advanced persistent threats (APT), where low-level malware is detected and neutralized by analyzing how code behaves across multiple vectors as it traverses the network and application layers. Anti-malware solution providers develop 'anomaly' based algorithms to detect and prevent malware infestations. A similar concept is needed to detect and prevent potential data leaks by authorized users.

The goal is to detect the behavioral anomalies that signal an authorized insider data leak, and to prevent the leak. It should be noted that the implementation of many of these security defenses is still immature and limited in many organizations. For example, many organizations only have RBAC implemented for SOX applications, and DLP (data loss protection) policies are very coarse, such as prohibiting the use of thumb drives. So along with evolving security defenses, it will be necessary that current defenses are sufficiently implemented.

As an example, assume there are 10 people who perform the same job and have the same access (or role) in an accounting department. 'Behavioral or anomaly' based security should detect if one of these authorized insiders is remotely logged into the system off-hours, accessing and downloading the vendor payment files, etc. Such activity would stand out as an anomaly when compared against the standard data usage profile for that role.
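The peer-group comparison described above, as an added example (not the authors' tool or any product): each user's data usage is scored against the median of peers holding the same role, and off-hours remote access is flagged separately. The audit events, field names, business-hours window and volume factor are constructed for illustration.

```python
"""Peer-group anomaly scoring over constructed data-access audit events."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit events: (user, role, local timestamp, remote?, files accessed).
# Ten people share the accounts_payable role; acct10 is the outlier.
EVENTS = [
    ("acct01", "accounts_payable", "2010-11-30T09:15:00", False, 10),
    ("acct02", "accounts_payable", "2010-11-30T10:02:00", False, 12),
    ("acct03", "accounts_payable", "2010-11-30T14:20:00", True, 9),   # remote, but in hours
    ("acct04", "accounts_payable", "2010-11-30T11:45:00", False, 14),
    ("acct05", "accounts_payable", "2010-11-30T16:30:00", False, 11),
    ("acct06", "accounts_payable", "2010-11-30T09:50:00", False, 13),
    ("acct07", "accounts_payable", "2010-11-30T13:05:00", False, 8),
    ("acct08", "accounts_payable", "2010-11-30T15:40:00", False, 15),
    ("acct09", "accounts_payable", "2010-11-30T10:30:00", False, 12),
    ("acct10", "accounts_payable", "2010-11-30T10:00:00", False, 14),
    ("acct10", "accounts_payable", "2010-12-01T02:30:00", True, 850),  # off-hours bulk pull
]

BUSINESS_HOURS = range(8, 19)  # assumed 08:00-18:59 local time


def peer_baseline(events):
    """Per-role median of each user's total files accessed in the window."""
    per_user, role_of = defaultdict(int), {}
    for user, role, _ts, _remote, files in events:
        per_user[user] += files
        role_of[user] = role
    totals_by_role = defaultdict(list)
    for user, total in per_user.items():
        totals_by_role[role_of[user]].append(total)
    # The median tolerates a single outlier in a group of ten peers.
    return {r: median(t) for r, t in totals_by_role.items()}, per_user, role_of


def find_anomalies(events, volume_factor=5):
    """Return (user, kind, detail) findings relative to the peer profile."""
    baseline, per_user, role_of = peer_baseline(events)
    findings = []
    for user, total in per_user.items():
        base = baseline[role_of[user]]
        if base and total > volume_factor * base:
            findings.append((user, "volume", f"{total} files vs peer median {base:g}"))
    for user, _role, ts, remote, files in events:
        if remote and datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            findings.append((user, "off_hours_remote", f"{files} files at {ts}"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(EVENTS):
        print(*finding)
```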

In the Wikileaks example, someone should have detected that a private intelligence analyst, while authorized to access the documents, was accessing massive amounts of documents and copying them to a CD or DVD. One can argue that this authorized user had far too much access to information, or that a DLP policy that did not allow writing to a CD or DVD could have addressed this situation, but that does not address the root problem: people need to be authorized to access information and to perform functions like printing, emailing, info-sharing, etc. Draconian policies and procedures only work in situations where it is all or nothing and have little applicability to the real world. They also foster bad behaviors, or lead both the good and the bad actor to use alternative methods to access data in order to circumvent hard controls.

The authorized insider threat will always exist. The risk will continue to increase as more information is digitized, storage capacity increases, and new devices (e.g. iPads) and exchange mediums (e.g. social networks) are used.

Current security policies and procedures, access management like RBAC, access certification, data classification, security event monitoring, and data-loss prevention technologies are not sufficient to address the authorized insider threat, as they are typically stovepiped in nature. Even when 'state of the art' practices and technologies such as RBAC, DLP, and SIEM are used, they are often not deployed or implemented with the necessary depth to sufficiently track and monitor a disgruntled authorized user.

The orchestration of these processes and technologies, combined with the analytical resources needed to develop 'behavioral or anomaly' based information security capabilities, is needed to detect and prevent data leaks by authorized insiders.

Craig Shumard is retired CISO for CIGNA Corp. Serge Beaulieu, CISSP CISM, is a security consultant and retired head of Security Technology Planning and Roadmaps at CIGNA Corp.
