Okay we get it.  WikiLeaks had the gumption to collect private cables sent to and from the United States State Department, and actually publish them on a website accessible by anyone with Internet access.  But the United States State Department blaming USB thumb drives and/or WikiLeaks for their failure to properly mitigate the risks associated with sensitive communications between government officials and ambassadors is just ridiculous.

I remember shortly after the 9/11 terrorist attacks the country waged all-out war on white box vans at U-Haul trucks, because those might have been the means in which terrorists would conduct future attacks.  Creating an immediate policy that bans the use of USB thumb drives by United States government officials is not only overkill, but it also doesn’t make sense and it won’t work unless we also start banning iPhone’s, blackberries, digital cameras, portable scanners, wristwatches, necklaces, belts, laptops, fax machines, e-mail and all the other ways that individuals are storing and moving information.

Here’s an opportunity for our government to start to consider not just classifying data but generally making an effort to enforce policies around access and usage.  Of the hundreds of thousands of tables that have been reportedly sent to Wikileaks, some news agencies are reporting over 3 million individuals have access.  Let’s put that into perspective.  If one of the world’s largest financial institutions decided to give 3 million individuals access to Social Security numbers, bank accounts and credit card numbers that financial institution would be run out of business and subject to fines, penalties and the mundane congressional hearing.  It just doesn’t happen.

Just like any company or institution that stores and shares data on its customers and/or constituents, the US government, specifically the US State Department needs to be held accountable for access control policies, the enforcement of those policies and visibility into both the access of and usage of sensitive information.  But clearly there is an issue of way too many ungoverned pipes connected to critical data stores and sources.  Managed file transfer is certainly part of the answer.  Consolidating all of those ungoverned pipes can help as well.  A little content management and DLP may likely be valuable too.  Or maybe just a good old reclassification and risk mitigation of sensitive data so that it isn’t accessible by 3 million people.

Over the last 9 1/4 years we stopped a lot of white box vans but I’ve yet to see a security report or an intelligence report (provided by the news media, I am not one of the 3 million who have access to that type of information) that says we’ve significantly mitigated our risk of terror attacks because we don’t allow white box vans.

I have been out on the road the past few weeks but I am glad to be back. I was reading about the latest data theft at Boeing today. A disgruntled employee with the intent of hurting his employer placed sensitive data on a thumb drive with the hopes of leaking it to a local Seattle newspaper. As you probably guessed, this man is unlikely to receive any employee awards or merits. What really caught my eye in this story was the ‘potential’ financial impact had the newspaper not done what is right – a whopping $5-$15 billion loss was possible. If you’re like me, your wondering what the heck the data said? Did it unveil the material makeup for it new dream liner or was it indicative of bad business practices?

One of my favorite security lecturers is Bruce Schneier. If you ever have the chance to listen or speak with Bruce, you’ll be entertained and well educated by the end. In reviewing this data breach, Schneier bring up valid points of practicality, “If a company hires an untrustworthy employee, there is almost nothing it can do to prevent theft”, Schneier argues. “What’s done in African mines is they do full-body cavity strip searches every time they leave. That works,” Schneier says.

I’ll talk more about USB thumb drives in a future entry but in the meantime, check out RedCannon Security. I can’t validate whether or works yet but these guys caught my eye as a needed innovation in the security space. RedCannon says it can restrict the types of USB drives that are plugged into computers, monitor what data is pulled from a hard drive, and remotely destroy content if the thumb drive is inserted into an Internet-connected computer. As an extra safeguard, RedCannon says its products can set USB devices to stop working when they are not inserted into a computer connected to the Internet