
“We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change.” -CIA’s Wikileaks Task Force.
So ends a key section of a report the U.S. Central Intelligence Agency produced in the wake of a mammoth data breach in 2016 that led to Wikileaks publishing thousands of classified documents stolen from the agency’s offensive cyber operations division. The analysis highlights a shocking series of security failures at one of the world’s most secretive entities, but the underlying weaknesses that gave rise to the breach also unfortunately are all too common in many organizations today.

The CIA produced the report in October 2017, roughly seven months after Wikileaks began publishing Vault 7 — reams of classified data detailing the CIA’s capabilities to perform electronic surveillance and cyber warfare. But the report’s contents remained shrouded from public view until earlier this week, when heavily redacted portions of it were included in a letter by Sen. Ron Wyden (D-Ore.) to the Director of National Intelligence.
The CIA acknowledged its security processes were so “woefully lax” that the agency probably would never have known about the data theft had Wikileaks not published the stolen documents online. What kind of security failures created an environment that allegedly allowed a former CIA employee to exfiltrate so much sensitive data? Here are a few, in no particular order:
- Failing to rapidly detect security incidents.
- Failing to act on warning signs about potentially risky employees.
- Moving too slowly to enact key security safeguards.
- A lack of user activity monitoring or robust server audit capability.
- No effective removable media controls.
- No single person empowered to ensure IT systems are built and maintained securely throughout their lifecycle.
- Historical data available to all users indefinitely.
Substitute the phrase “cyber weapons” with “productivity” or just “IT systems” in the CIA’s report and you might be reading the post-mortem produced by a security firm hired to help a company recover from a highly damaging data breach.
A redacted portion of the CIA’s report on the Wikileaks breach.
DIVIDED WE STAND, UNITED WE FALL
A key phrase in the CIA’s report references deficiencies in “compartmentalizing” cybersecurity risk. At a high level (not necessarily specific to the CIA), compartmentalizing IT environments involves important concepts such as:
- Segmenting one’s network so that malware infections or breaches in one part of the network can’t spill over into other areas.
- Not allowing multiple users to share administrative-level passwords.
- Developing baselines for user and network activity so that deviations from the norm stand out more prominently.
- Continuously inventorying, auditing, logging and monitoring all devices and user accounts connected to the organization’s IT network.
“The Agency for years has developed and operated IT mission systems outside the purview and governance of enterprise IT, citing the need for mission functionality and speed,” the CIA observed. “While often fulfilling a valid purpose, this ‘shadow IT’ exemplifies a broader cultural issue that separates enterprise IT from mission IT, has allowed mission system owners to determine how or if they will police themselves.”
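To make the baselining and monitoring points concrete, here is an added example (not from the CIA report or this post) that scores each user's daily file-read volume against that user's own history and separately reports every write to removable media; the audit log format and the user names are constructed for the illustration.

```python
"""Baseline-and-deviation check over constructed audit log lines."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: date, user, action, files touched, device class.
AUDIT_LOG = """\
2016-03-01 alice read 40 network_share
2016-03-02 alice read 35 network_share
2016-03-03 alice read 42 network_share
2016-03-04 alice read 38 network_share
2016-03-05 alice read 900 network_share
2016-03-05 alice write 900 removable_media
2016-03-01 bob read 120 network_share
2016-03-02 bob read 110 network_share
2016-03-03 bob read 130 network_share
2016-03-04 bob read 125 network_share
"""

def parse_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            date, user, action, count, device = line.split()
            records.append({"date": date, "user": user, "action": action,
                            "count": int(count), "device": device})
    return records

def find_deviations(records, zscore=3.0, min_days=3):
    """Flag (user, date) pairs whose read volume exceeds the user's own
    baseline by more than `zscore` standard deviations. The baseline
    leaves out the day being scored so a spike cannot mask itself."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "read":
            totals[(r["user"], r["date"])] += r["count"]
    per_user = defaultdict(list)
    for (user, date), n in totals.items():
        per_user[user].append((date, n))
    alerts = []
    for user, days in per_user.items():
        if len(days) <= min_days:      # too little history to baseline
            continue
        for date, n in days:
            others = [m for d, m in days if d != date]
            sigma = max(pstdev(others), 1.0)   # floor keeps flat baselines usable
            threshold = mean(others) + zscore * sigma
            if n > threshold:
                alerts.append((user, date, n, round(threshold, 1)))
    return alerts

def removable_media_writes(records):
    """Every write to removable media is reportable regardless of baseline."""
    return [(r["user"], r["date"], r["count"]) for r in records
            if r["action"] == "write" and r["device"] == "removable_media"]
```

With the sample log, alice's 900-file day stands out against a baseline of roughly 39 files, while bob's steady 110-130 range raises nothing.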
All organizations experience intrusions, security failures and oversights of key weaknesses. In large enough enterprises, these failures likely happen multiple times each day. But by far the biggest factor that allows small intrusions to morph into a full-on data breach is a lack of ability to quickly detect and respond to security incidents.
Also, because employees tend to be the most abundant security weakness in any organization, instituting some kind of continuing security awareness training for all employees is a good idea. Some security experts I know and respect dismiss security awareness programs as a waste of time and money, observing that no matter how much training a company does, there will always be some percentage of users who will click on anything.
That may or may not be accurate, but even if it is, at least the organization then has a much better idea which employees probably need more granular security controls (i.e. more compartmentalizing) to keep them from becoming a serious security liability.
Sen. Wyden’s letter (PDF), first reported on by The Washington Post, is worth reading because it points to a series of continuing security weaknesses at the CIA, many of which have already been addressed by other federal agencies, including multi-factor authentication for domain names and access to classified/sensitive systems, and anti-spam protections like DMARC.


