In the past few days, almost every conversation I have had with a CISO has somehow stumbled onto the topic of the data breach at the US Department of Defense (DoD) and subsequent release of that information through WikiLeaks. Many CISOs have told us that their executives are asking for reassurances that this type of large-scale data disclosure is not possible in their organization. Some executives have even asked the security team to provide presentations to management educating them on their existing security controls against similar attacks. Responding to these questions is tricky: “It’s like treading on a thin ice,” commented one CISO. If you tell them everything is under control you may create a false sense of security. If you tell them that it is very likely that such an incident can happen within their organization – it may be a career limiting move.
I would recommend giving the executives a dose of reality. I do many security assessments for our clients and often find that many organizations are solely relying too much on technology and infrastructure protections they have. Today’s reality is very different. We often operate in a global context with large and complex IT environments making it hard to monitor and track data and we are sharing a tremendous amount of sensitive information with business partners and third parties. All of these realities were faced by the US government as well and probably all contributed to the circumstances that led to the disclosure of data.
As many of you try to extract the lessons learned from this episode, here is my take on it – It is a failure of not a single security control but a set of multiple preventative and detective lapses.
Failure of preventative controls: Governance, Oversight and Access Control
“School Bond Measure Fails” seems a common headline these days. In fact, a quick Google search found that school bond measures and tax levies have just this fall failed all over the US, notably in Santa Clara County, which was characterized as “tax friendly.” However, despite the hardships of raising money for schools, per-pupil spending continues to increase – having increased steadily from just over $500/pupil in 1919-20 to $11,674/pupil in 2006-07, according to the National Center for Education Statistics.
One place that the expenditure has been going has been toward technology investments. The number of computers in public elementary and secondary schools has increased: in 2005, the average public school contained 154 instructional computers, compared with only 90 in 1998. More importantly, the percentage of instructional rooms with access to the Internet increased from 51 percent in 1998 to 94 percent in 2005.