As noted in this Washington Post article, investigations have now determined that the system which stored the information disclosed by Wikileaks had quite a few failures of process and procedure that led to the “leaking” of the 250,000 documents.
From a pure information security standpoint, the information classification policies, the access control (and its monitoring), and the data handling procedures all contributed to the loss of the diplomatic cables.
- Information Classification – Everyone has an idea of information classification from watching movies and seeing file folders with the words “TOP SECRET” stamped in red on the outside. Well, we don’t use the plain manila folders as much anymore; we rely on computers to store and disseminate information. To do so, information has to be properly classified and flagged so that it exists in the right systems and is available to the right audience. In the case of this particular Defense Department system, it appears that those responsible for flagging the data did so incorrectly on many, many occasions. The article states that this was done in error: embassy employees were putting information into the system without knowing what the codes meant. So at the root of the issue is that users had access to the system and its information without complete understanding or training.
- Access Control (monitoring) – I added monitoring to this because it’s not a pure access control issue. The State Department has made it a practice to place monitoring tools on their systems so they can “know” where information goes, as well as help prevent it from being used in an inappropriate manner. DLP (Data Loss Prevention) products are commonly used for this type of activity. Unfortunately, the Defense Department may not be as on the ball as the State Department in making sure they are monitoring the use of their data. However, it doesn’t absolve the State Department either, as they should also be aware of where their information exists (as difficult as that really is) and help control it.
- Data Handling – Add the last two issues up and you’ve now provided the opportunity for someone to mishandle data. Whether that means you accidentally print or move a file, or you copy 250,000 files to a CD and give them to someone without the proper security clearance (I believe we call that espionage). Regardless, system users are also trained on what they should do with data (called handling). Certain things you don’t print, you can’t email documents or information, and you don’t put them on removable media. This is part and parcel of having a security clearance. Granted, the next step in accessing the information is the matter of “need to know”, and our initial issue with the misclassification of the documents provided access to many people without the need to know.
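The three controls above (a classification label with need-to-know compartments, a clearance check against that label, and monitoring of how much a user actually retrieves) can be shown working together in a few dozen lines. The following is an added example written for this post, not code from the article or from any government system; the level names, the “DIPLOMATIC” compartment, the cable identifiers and the bulk-read threshold are all constructed. It shows the failure described above: a cable entered without its compartment code becomes readable by a user who is cleared to the right level but was never read into the compartment, and only the access log and a bulk-retrieval alert would reveal that it happened.

```python
"""Classification labels, need-to-know and read monitoring (constructed example)."""
from collections import Counter
from dataclasses import dataclass, field

# Hierarchical classification levels; a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Marking on a document: a level plus zero or more need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()


@dataclass(frozen=True)
class Subject:
    """A user: cleared to a level and read into specific compartments."""
    name: str
    clearance: str
    compartments: frozenset = frozenset()


def can_read(subject: Subject, label: Label) -> bool:
    """Read is allowed only if the clearance dominates the label's level AND
    the subject holds every compartment on the label (need-to-know)."""
    return (LEVELS[subject.clearance] >= LEVELS[label.level]
            and label.compartments <= subject.compartments)


@dataclass
class Repository:
    """Document store that records every access decision and raises an alert
    when one subject retrieves many documents (the monitoring piece)."""
    bulk_threshold: int = 3          # constructed value; real systems tune this
    docs: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)
    reads: Counter = field(default_factory=Counter)
    alerts: list = field(default_factory=list)

    def add(self, doc_id: str, label: Label, body: str) -> None:
        self.docs[doc_id] = (label, body)

    def read(self, subject: Subject, doc_id: str):
        """Return the body if allowed, else None; every decision is logged."""
        label, body = self.docs[doc_id]
        allowed = can_read(subject, label)
        self.audit.append((subject.name, doc_id, label.level, allowed))
        if not allowed:
            return None
        self.reads[subject.name] += 1
        if self.reads[subject.name] == self.bulk_threshold:
            self.alerts.append(
                f"bulk access: {subject.name} read {self.bulk_threshold} documents")
        return body


def demo() -> dict:
    """Constructed scenario: one correctly marked cable, three mislabelled ones."""
    repo = Repository(bulk_threshold=3)
    # Correctly marked: SECRET and restricted to the DIPLOMATIC compartment.
    repo.add("cable-001", Label("SECRET", frozenset({"DIPLOMATIC"})), "constructed cable text 1")
    # Same kind of cable filed without the compartment code (the labelling error).
    repo.add("cable-002", Label("SECRET"), "constructed cable text 2")
    repo.add("cable-003", Label("SECRET"), "constructed cable text 3")
    repo.add("cable-004", Label("SECRET"), "constructed cable text 4")

    # Cleared to SECRET but never read into DIPLOMATIC: no need-to-know.
    analyst = Subject("analyst", "SECRET")
    results = {
        "correctly_marked": repo.read(analyst, "cable-001"),  # denied
        "mislabelled": repo.read(analyst, "cable-002"),       # allowed by the error
    }
    repo.read(analyst, "cable-003")
    repo.read(analyst, "cable-004")  # third successful read trips the alert
    results["alerts"] = list(repo.alerts)
    results["denied_count"] = sum(1 for _, _, _, ok in repo.audit if not ok)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of the audit list and the alert is that a correct label check alone never notices a labelling mistake; only a record of who read what, plus a volume threshold, gives a reviewer something to act on after the fact.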
So prior to 9/11 we had systems that were too closed, and the lack of information sharing was blamed as a root cause for not being able to detect the planning of the attacks. Now, 10 years later, the pendulum has swung the other direction and we are sharing to the point of being careless with information. On the surface it appears that better training and enforcement of current policies and procedures would help bring that pendulum back to the center while still keeping the appropriate people informed to keep us all safe.
Stereotype – A generalization, usually exaggerated or oversimplified and often offensive, that is used to describe or distinguish a group. (American Heritage Dictionary)
The world we live in is full of stereotypes. We develop stereotypes when we are unable or unwilling to obtain all of the information needed to make fair judgments about people or situations.
- IT people are all geeks and know nothing about business
- If you can’t do a job well, go work in Audit
- If you can’t do a job at all, then go into Management
- Security’s job is to make sure you can’t do yours…
Sadly, these are all sentiments expressed in response to a posting by Jacqui Cheng of Ars Technica (LINK), who cited a Harris International poll in which 12 percent of employees admitted to knowingly violating IT policy “in order to get work done”.
Not only did the comments reinforce for me the complete misunderstanding of the situation, but also the complete lack of communication and connection between these users and their business policies. As a security professional this concerns me, and the prevalence of the “the ends justify the means” attitude is even more unsettling.
88% of people don’t (knowingly) violate policy and 12% do. I would expect a typical response to be “So what?” Knowing that they do it only provides visibility into the issue. Knowing why gives you intelligence you can act on.
So what are the reasons people violate the policy and how do we address them?
- I’m just trying to do my job. – While I don’t expect anyone who knowingly violates these policies to be reading any of my material, I do want to take a shot at role reversal here and see if it makes a connection. Why does the “I’m just trying to do my job” excuse seem to only work one way? If you find a way to circumvent a policy and you do so, your actions are justified by the requirement that your job be done. What if your job was the enforcement of said policies? Would you be as accepting of a no-holds-barred approach to making sure people could not circumvent a policy? Absolutely not. Words like draconian, inflexible, and intolerant get thrown around when that type of approach is taken. So why is it okay for one side of the equation but not the other?
- It isn’t convenient. – I’m going to pick on sales because it makes this comparison easy (not because I want to single out that particular group). Salespeople all have goals and metrics by which they are measured. The pressure to reach those goals gives them an incentive to find ways around any roadblock in order to meet them. If your data management policy requires (in compliance with regulations) that all emails with customer data be sent via an encrypted channel, but you’re offsite and checking email on a friend’s or family member’s computer, would you plug in your USB thumb drive and send it anyway in the spirit of being responsive to the customer? I expect that more than the 12% probably would.
- I know better. – This one really bothers me. I’m going to be guilty here of violating my own concern about stereotypes, but why do so many people feel they are experts in a particular area (e.g. computer security) just because they have some degree of technical knowledge? Does this happen in any other profession? I’m going to have to fall back on an old cliché here and say: great! If you are certain you know better, then be the one who helps to fix it rather than the one complaining about it. (Sorry, this one really makes me sore.)
- I didn’t know any better. – Sadly, I would almost prefer to get this response from people. Providing user awareness is a lot easier than trying to change preconceived notions about the policies they are subject to. Unfortunately, this probably falls outside of the 12%, since they can’t both be unaware of a policy and admit to knowingly violating it.
What can we do to help resolve these issues?
- Reach out. While we have the best intentions when putting policies together, we sometimes lack exposure to the environment in which these policies will need to be enforced. Therefore it’s a good idea to have representation from the people on whom these policies will be enforced. No, this isn’t as easy as just writing it and publishing it, but it should help you create more appropriate policies while also giving the affected people and groups a say in how they are created. This is also a good time to socialize the policy prior to implementing it, so everyone knows why.
- Why is #2. Communicating why the policies are in place is possibly more important than communications that describe the policy itself. Looking at the responses to Cheng’s article really reinforces the point to me that the commenters had no idea of, or appreciation for, why these policies are in place.
- Provide a means for comments and ideas, and be certain to respond to them. Again, I hear and read the sentiment that “these guys don’t get it”, “I do this because I know better”, etc. If they really do have better ideas, provide a mechanism by which they can submit them, give them honest consideration, and, more importantly, a thoughtful response to their input. This provides an outlet and a feedback mechanism that allows people to participate in shaping policies after the original creation and implementation.
There are many good frameworks that can help you build your policies; my hope is that I’ve provided some additional insight that will help make the implementation and adoption of your policies more successful. Can’t we all just get along… and follow our corporate security policies?