While it’s an upsetting case, from an IT security perspective, this breakdown in the military’s security shines a light on the proliferation of unsecured email distribution lists and the rise of insider threats in recent years – threats that can – and do – hit corporate enterprises.
“Way too many people have access to very sensitive information,” a senior U.S. official told CNN when the Teixeira news broke, noting that “thousands” of people likely viewed the war documents before they hit the internet.
Once the leak was made public, Pentagon officials clamped down to limit access to the distribution lists that are used every day to send information to the appropriate individuals with access to classified materials. Unfortunately, in the Teixeira case, some identities on those distribution lists received daily information updates that they were not authorized to view. According to news reports, the Pentagon has been looking for broader mitigation measures to prevent future unauthorized leaks. Ultimately, the underlying cause of this monumental leak was poor insider threat management.
While the world focuses on the impact of the leak, as security practitioners we should think long and hard on how we can mitigate these risks across our corporate computing environments. Just like it’s become clear that Texeira should’ve never been privy to such sensitive content, these scenarios likely exist inside corporate networks and business trade secrets can be leaked in the same manner as the Pentagon’s leak of highly sensitive war materials.
The IT world has seen a steady increase in mismanaged and heavily nested distribution lists over the past decade, both within government agencies and the private sector. An email distribution list operates as a type of Active Directory (AD) group which simplifies the administration of user accounts in different domains by collating them and assigning ubiquitous access rights.
At a superficial level, these ADs are groupings of email addresses that are used to simplify the distribution of information via email. It’s much easier to send an email to a single email distribution list, instead of manually adding all the identities into the “To” field.
Take steps to improve identity hygiene
Beneath the surface, that single email distribution list can have hundreds, if not thousands, of identities as members. In addition to this potential weakness, there are often complexities in the ways these groups are created. For example, there may be a distribution list comprised of yet other distribution lists as members, often creating heavy group nesting structures, which makes it nearly impossible for the naked eye to gain truly accurate visibility into who are the effective members of any Active Directory group.
This problem often becomes compounded when organizations let end-users add identities themselves to distribution lists, outside of traditional security or identity access management (IAM) protocols. This results in an unnecessary number of individuals who receive emails, and sometimes the distributed information gets into the wrong hands, causing a major security event such as the Pentagon fiasco.
Mismanaged distribution lists are particularly problematic. Not only do they increase the risk of data breaches and insider threats, but they can also negatively impact productivity by sending irrelevant or unnecessary emails to users who don't need to see them. In addition, heavily-nested groups can create administrative overhead, making it difficult to manage user access.
That’s why organizations need to prioritize good identity hygiene by regularly reviewing and cleaning up their AD groups, especially their email distribution lists. This ongoing process includes removing inactive or irrelevant members, consolidating duplicated groups, and flattening heavily-nested structures. By doing so, organizations can prevent data leaks, reduce their attack surface, improve communication efficiency, and streamline access management processes.
Security teams can simplify reporting by automating the remediation process and resolving any access control challenges, thus securing critical data, privileged accounts, on-prem messaging, and other protected assets. There’s no getting around the need for email distribution lists to offer a widely-used capability in any email system, but organizations must focus on the management of the identities who are members of these groups – and they need to automate it. Just ask the U.S. Department of Defense.