Army Pfc Bradley Manning is facing a military judge in a court-martial procedure that will endure over many weeks.  Be aware that rights and procedures in a court-martial are quite different than that of a civilian trial.  The issue at hand is the public release of a reported hundreds of thousands of sensitive military documents through the WikiLeaks website.  It is considered to be the biggest ever leak of classified information in history.  It will certainly be remembered as one of the most significant.  In its vast trove were documents never intended for the public – many diplomatic cables and a video which was named upon its release as “Collateral Murder”.  The “Collateral Murder” video caught fire on the internet and reportedly showed helicopter airstrike footage and the murder of Iraqi civilians and two Reuters journalists.  Not exactly surprising given that these enemy combatants frequently hide amongst common civilians and use journalists as tactical shields.  What mattered though was the effect the video had and how the public came to see the video.  Through shades of reporting, and through the fact that the general public doesn’t typically witness actual war footage, many were now able to question the missions going on at the time.  The story of the leaks continued for weeks and dominated headlines around the world.

The story that leads up until the point where Manning was caught was quite public and well documented.  If you haven’t read up on it, well I’d imagine it will be dramatized somewhere at some point.  We’re going to find out more in the reports that come out of the court-martial procedures, that’s for sure.  In the wake of the raid that took down Osama Bin Laden the public has also just now found that among the information found was the Manning-source Wikileaks files.  This information does fall into enemy hands.  The lesson for the industry when you look at these major cases is that there is a trusted access issue and a partner issue, yet they are not very far apart.

One of the critical challenges in today’s IT environments is getting a handle on securing sensitive information.  Every environment has their own mix of technologies-some shops have some deficiencies, others are armed to the max.  Regardless it is best to utilize the right mix of technology, policies and practices around security, but sometimes you have to work with what you have.  The best security posture possible will require you to work with some priorities.  It most usually starts with a data assessment that identifies what you have to protect and identifying where the company’s digital crown jewels are located.  This may be the hardest part because of the work involved, it’s a massive undertaking.

As we saw in the PRISM leak, a flash drive and escalated privelege was utilized to gain this information.  In a discovery it behooves you to find everything – every flash drive, every phone, every mobile device, every endpoint, in remote offices, in employee’s home offices, everywhere.  If you don’t have the systems to discover all of the places where company information might be, you are going to have to do this manually and users may have to bring systems in physically. You may need to take a further look at information sources, not all data starts out as digital.  In other words, know whether information comes from web forms, printed forms, or vendors, tracing every bit of data to its source.  That could mean talking to many people.   Data access needs to be discovered, and you have to identify employees, groups, contractors, terminals and programs that access data.  Finally data handling comes into play.  Where is data backed up?  Who handles it?  Define the chain of custody.  Define the life of hard copies.  If you have contractors in place to do some of these operations, verify that you have security agreements and checks in place to secure them.

The steps to getting your best handle on the information you want to secure are long, and this is just the beginning.  Remember that keeping it simple, establishing and applying specific and clear policies, and having a rehearsed incident response plan are critical to dealing with security issues and securing your most sensitive information.  Once you have base security elements of what info, who, how, and where – then you can start to delve into a better data control model.  That would mean increased role-based access control, better policies, better tools, and that should be the where organizations start on a security assessment in a world where data leaks are becoming something of a norm.