It looks like it has happened again. WikiLeaks on Tuesday released a massive trove of stolen data from the CIA. What is worse, the information is not just typical foreign intelligence; it is actually from a secret program within the CIA using cyber warfare against others. It is titled Vault7 and is part of an “isolated” high-security network at the CIA’s Center for Cyber Intelligence. Notice that I have the word isolated in quotes above. This is important to note because it implies that it is a disconnected network and does not have access to other networks or, more importantly, to outside networks such as the internet.
This is an important distinction because it plays into a lot of what we have been talking about and preaching all of this time. So what really happened? It’s not as if some type of super hacker at some foreign location figured out some special clever hack to break through the CIA’s network defenses. What really happened is what happens most of the time. Whether it is your network at work or the CIA’s, it was leaked from the inside. It was another case of an inside job.
Where’s The Security?
The security was everywhere, but that did not matter to WikiLeaks. They did not need to break through the CIA’s super-secret network. They just had someone from the inside deliver it to them. This is nothing new: 60% of all information that gets stolen from companies comes from the inside. It comes from people who already work there, the people who have complete access to the information to start with.
So this goes back to one of our common themes here: cyber security is not a technology problem. It is an organizational problem, it is a management problem, it is a training and knowledge problem, but not a technology problem. One day people are going to get tired of me preaching this. But in the meantime I am going to continue to bring it up. It is just too important. Instead of spending all of our time putting in perimeter defenses, which granted are necessary, we need to spend more time looking at the human factor.
What do I mean by the human factor? I mean that mistakes or mischief are the cause of a lot more attacks or breaches than some hacker holed up in some faraway land trying to break through your defenses. So this means we need to be looking at how people are managed. And then we look at how our data is managed. We need to be talking about these issues on a regular basis.
There needs to be a concerted effort to get everyone in an organization trained on basic security concepts and then get them tested. After that, keep them trained and sharp, with security at top of mind, so they know what to look for.
People in your company should readily have an answer if they see someone leaving sensitive data lying out in an open conference room. Or what if they see a fellow employee giving out classified information over the phone? They should have a known security authority that they can turn to if they have a security issue. And that security authority needs to be available and visible, and have the power to take steps to correct the issue. Remember, many times WikiLeaks can only do this because of people being sloppy or complicit. There needs to be accountability for everyone up and down the chain to ensure these types of security leaks do not happen at your company.