Can anyone stop the online whistleblowers?
Companies spend huge sums of money keeping hackers and viruses from entering their networks, but greater danger is often lurking within. Most recently, the Panama Papers detailing the tax-avoiding affairs of law firm Mossack Fonseca have put whistleblowing back in the spotlight. NSA surveillance data leaker Edward Snowden – a hero or traitor, depending on your viewpoint – may be the most famous whistleblower of our time, but other leaks from organisations as diverse as HSBC and the British National Party demonstrate the difficulty of keeping data private if employees believe it should be public.
The bad news for chief security officers is that leaks are almost impossible to stop. Specialist software can help, but with so much data and so many potential points of failure, sensitive data is vulnerable. “To say, ‘We will prevent this’ is extremely difficult, and if you want proof of that, Snowden worked for the NSA,” said Paul Ducklin, senior advisor at security firm Sophos.
“If the NSA couldn’t do it, what hope do others have? You could argue that it’s impossible to have perfect security and prevent anybody from accessing anything they’re not supposed to. I don’t believe you can stop someone who’s absolutely determined from doing the wrong thing with data that you’ve already decided you trust them with.”
The NSA has since installed data loss prevention (DLP) software on the system leaked by Snowden, but barring the doors is no longer feasible for many companies, whose staff require access to corporate data from multiple devices and locations. “In the past, the mentality was that we keep everything behind the corporate secure perimeter and that way everything is protected,” said Dominic Trott, European security practice manager for research firm IDC. “But in a world where business strategies require cloud computing, mobility and ubiquitous access, the secure perimeter is dissolving, if it’s not already dissolved. We’d suggest we’re in an era of inevitable breaches just because of the sheer scale and porousness.”
One response to the changing landscape has been to deploy DLP software that blocks certain file attachments, blocks encrypted traffic it cannot inspect, or restricts access to sensitive files. We now know that the facility where Snowden worked had yet to deploy such a system, but it’s unclear just how effective DLP software is. It relies on strict implementation, and since employees often prefer flexibility over security, that strictness doesn’t always survive contact with the business: functions get switched off to make life easier for staff, and each exception is a gap a leaker can use.
Poorly implemented DLP software can even be more of a help to a leaker than a hindrance. Experts, who asked to remain unnamed, told us that if a DLP system is compromised it can be turned against itself: the policies that tell it what to protect also reveal where the sensitive data resides.
There are other weaknesses, too, such as the fact that DLP cannot inspect the contents of encrypted traffic. If an employee is sending files to a whistleblower platform over Tor, for example, the DLP might be able to flag that encrypted data is attempting to leave the network and block it, but it cannot show company investigators what was inside. “If you’re trying to get something out from a very strict, large organisation that uses efficient filtering, Tor traffic can be blocked, because Tor itself uses a type of protocol that can be spotted,” said Marco Calamari, founder of the Hermes Center for Transparency and Digital Human Rights.
“If it’s spotted, it doesn’t give away anything. You can see that someone is using it, but it could be someone talking to their partner or looking at a site that’s blocked. You have no proof about the whistleblower.”
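The limitation described above, as an added example that is not from the article or from any DLP product it mentions: a toy content inspector in Python that applies two plaintext rules (a classification marker and an IBAN-shaped account number) and, separately, estimates the payload's byte entropy. The same report is run past it three ways: in the clear, encrypted, and, for comparison, an innocent chatty message that has merely been compressed. The rules, the sample report, the keystream "cipher" and the chatty text are all constructed for the example; the threshold of 7.0 bits per byte is an assumption, not a figure from the article.

```python
import hashlib
import math
import random
import re
import zlib
from collections import Counter

# Constructed, illustrative rule set. A real DLP product ships a far larger
# library of classifiers; two rules are enough to show the mechanism.
RULES = {
    "classification_marker": re.compile(rb"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b"),
    "iban_like": re.compile(rb"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"),
}

# Assumed threshold: bits of entropy per byte above which the inspector treats
# a payload as opaque (encrypted or compressed). English text scores roughly
# 4-5, base64 about 6, ciphertext and deflate output close to 8.
OPAQUE_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_outbound(payload: bytes) -> dict:
    """What a content inspector can establish about one outbound payload."""
    matches = [name for name, rx in RULES.items() if rx.search(payload)]
    entropy = shannon_entropy(payload)
    opaque = entropy >= OPAQUE_THRESHOLD
    if matches:
        verdict = "block: sensitive content matched"
    elif opaque:
        # It can see that something unreadable is leaving; it cannot say what.
        verdict = "flag: opaque payload, content not inspectable"
    else:
        verdict = "allow"
    return {"matches": matches, "entropy": round(entropy, 2),
            "opaque": opaque, "verdict": verdict}


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for a stream cipher: XOR with a SHA-256 counter keystream.
    Constructed for the example only; it is not a vetted cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def chatty_message(n_words: int, seed: int = 7) -> bytes:
    """Constructed innocent text (random words): the 'talking to their partner'
    case, used to show that compression looks like encryption to the inspector."""
    vocab = ("see you at seven tonight dinner is booked bring the umbrella "
             "train was late again call mum this weekend love you").split()
    rng = random.Random(seed)
    return " ".join(rng.choice(vocab) for _ in range(n_words)).encode()


# Constructed sample: a classified document with a bank account reference,
# repeated to a few kilobytes so the entropy estimate is meaningful.
SECRET_REPORT = (b"CONFIDENTIAL - FY results, board distribution only\n"
                 b"Treasury account GB29 NWBK 6016 1331 9268 19\n") * 100


def demo() -> dict:
    """Run the three constructed cases and return the inspector's findings."""
    return {
        "plaintext": inspect_outbound(SECRET_REPORT),
        "encrypted": inspect_outbound(keystream_xor(SECRET_REPORT, b"leak-key")),
        "compressed": inspect_outbound(zlib.compress(chatty_message(4000))),
    }


if __name__ == "__main__":
    for case, finding in demo().items():
        print(f"{case:>10}: {finding}")
```

The plaintext case is blocked with a named reason an investigator can act on. The encrypted and the compressed cases produce the same finding, an opaque payload, which is exactly the point made in the quote: the inspector can block or log it, but it has no proof of what it was.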
The lack of effectiveness of many organisations’ anti-leaking security is exacerbated by a climate that now encourages whistleblowing. Snowden became a celebrity following his leak, and the media coverage of the Panama Papers shows there’s a huge appetite for such efforts. As media outlets reward whistleblowers, and human rights organisations develop platforms designed to protect them, there’s a sense that leaks are increasingly likely.
“There now exists a marketplace where people are first, incentivised by the demand for that information, but second, they’re able to establish contact with people outside their organisation who can give them direction and infrastructure tailored to help them successfully leak information,” said Ed Parsons, head of cyber defence at MWR InfoSecurity. “They can lean on skilled operators. It’s becoming easier – some of the whistleblower sites have a button that you can click in order to securely leak documents.”
For all the technical measures designed to prevent leaks, there remain more basic methods that even the most sophisticated security programs are powerless to thwart. Companies can, for example, block USB ports to prevent staff downloading files and smuggling them out in their pockets, but other devices can be used to work around such tactics. “Keeping information private is particularly difficult in a world with mobile phones that have good cameras,” said Ducklin. “Even if security were possible using encryption, what stops someone taking a picture of the screen with their mobile phone?”
In the end, damage limitation may be the best strategy. “You don’t have to stop anybody from stealing anything, but you have to try to stop somebody from stealing everything,” said Ducklin.
How organisations can protect themselves
Even though it may be difficult – if not impossible – to lock down every last piece of sensitive information within an organisation, experts agree there are steps you can take to reduce the impact of a leak.
Counter-intuitively, one of the first steps to reduce leaks is to set up an in-house whistleblowing system, where staff can report corruption or discrimination without fear of retribution. Staff are less likely to go to the media if there’s an effective way to report malpractice internally.
“There’s the person who starts the process – say, bribery in an organisation – and the receiver who gets the material, and they’re anonymous to each other, although they can communicate and interact via chat so the two parties can build trust,” said Marco Calamari.
Other tactics rely on reducing the importance of information that a would-be whistleblower could access. However, perhaps the most effective deterrent is the idea that leaking information is an action that carries a real risk of being caught – either through greater controls on sensitive information that flag attempted access, or actively leaving traps for potential leakers. “Increasing the risk of getting caught is a good way to address these challenges,” said Parsons. “You can restrict access to the information or who can view it… and check who’s trying to access files.”
Honeypots, in the form of decoy documents containing fake sensitive data, can be strewn across the network. They have traditionally been aimed at attracting external attackers, but there’s no reason why organisations couldn’t use the same kind of controls to detect attempted data leakage by their own staff. “If there’s info that might be marked as sensitive – say, your complete financial results – you hide that information, but create another version of the document that is signed with a specific signature, so that when it’s seen transiting the network it’s picked up by detective controls,” said Parsons.
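The decoy-document control Parsons describes, as an added example in Python that is not from the article or from MWR: the genuine document is withheld, each person who requests it is issued a decoy carrying a recipient-specific token (an HMAC over document id and recipient, so tokens cannot be guessed or forged without the registry key), and a detective control scans outbound traffic for any issued token, both raw and inside a base64 mail attachment. A hit therefore identifies not only that the decoy left the network but who it was issued to, which is the "risk of getting caught" the section is about. The document text, the registry key, the mail message and the decision to place the token as a footer reference number are all constructed for the example; a real deployment would hide the marker less obviously, since a footer can be cut off before sending.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Assumptions for this constructed example: the genuine document is withheld
# from general access; anyone who asks for it is handed a decoy stamped with a
# token unique to them, and a registry that the detection team keeps (never on
# user endpoints) maps tokens back to the recipient.
REGISTRY_KEY = b"registry-secret"            # placeholder key, constructed
DECOY_BODY = ("FY2016 results (draft, not final)\n"
              "Revenue 11.8m, EBITDA 1.4m\n")   # constructed decoy content


@dataclass(frozen=True)
class Issue:
    doc_id: str
    recipient: str


class DecoyRegistry:
    """Issues per-recipient decoy copies and spots their tokens in transit."""

    def __init__(self, key: bytes):
        self._key = key
        self._issued: dict[str, Issue] = {}

    def token_for(self, doc_id: str, recipient: str) -> str:
        """Unforgeable, recipient-specific reference number (HMAC-SHA256)."""
        msg = f"{doc_id}:{recipient}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]
        return f"DOC-{mac}"

    def issue(self, doc_id: str, recipient: str, body: str) -> str:
        """Return the decoy text handed to `recipient`, with its token embedded
        as a plausible document reference in the footer."""
        token = self.token_for(doc_id, recipient)
        self._issued[token] = Issue(doc_id, recipient)
        return f"{body}Ref: {token}\n"

    @staticmethod
    def _needles(token: str) -> dict[str, bytes]:
        """Byte patterns that reveal `token` in a payload: the raw token, and
        the stable middle of its base64 encoding at each of the three possible
        3-byte alignments (the first and last 4 base64 characters depend on the
        neighbouring bytes, so they are dropped)."""
        raw = token.encode()
        needles = {"raw": raw}
        for shift in range(3):
            enc = base64.b64encode(b"\x00" * shift + raw)
            needles[f"base64/shift{shift}"] = enc[4:-4]
        return needles

    def scan(self, payload: bytes) -> list[dict]:
        """Report every issued token found in `payload`, raw or base64-encoded,
        with the recipient it was issued to (one hit per token)."""
        hits = []
        for token, issue in self._issued.items():
            for encoding, needle in self._needles(token).items():
                if needle in payload:
                    hits.append({"token": token, "encoding": encoding,
                                 "doc_id": issue.doc_id,
                                 "recipient": issue.recipient})
                    break
        return hits


def build_email(attachment_text: str) -> bytes:
    """Constructed outbound mail carrying the decoy as a base64 attachment,
    the form in which a mail gateway would see it."""
    body = base64.b64encode(attachment_text.encode())
    return (b"From: a.user@corp.example\r\nTo: tips@news.example\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n" + body + b"\r\n")


if __name__ == "__main__":
    registry = DecoyRegistry(REGISTRY_KEY)
    alice_copy = registry.issue("fy2016-results", "alice", DECOY_BODY)
    registry.issue("fy2016-results", "bob", DECOY_BODY)
    for hit in registry.scan(build_email(alice_copy)):
        print(hit)
```

Two design points matter in practice. The token is keyed, so a leaker who finds one reference number cannot compute another recipient's to shift blame. And the scanner matches the base64 form of the token as well as the raw bytes, because a mail gateway or proxy sees attachments encoded, not as the file the user saved; the same idea extends to other transformations the control is expected to see.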