It’s December, the final month of the year where we both reflect and look forward, and it will probably come as no surprise that I want to talk about data breaches again.
In 2014, I predicted we would start taking data breaches more seriously, and last year, I talked about how I expected to see an uptick in targeted attacks on personal and intellectual property data – the types of breaches where attackers are not just targeting data for its immediate value, but for potential future value as well. In 2017, I expect that we’ll see more precise and complex data integrity attacks for both financial gain and/or to embarrass victims, and we’ll see one large attack that demonstrates the true pain of this type of attack. And I expect it will be in the type of industry or organization that shrugs and asks, “why would hackers target us?”
Data integrity attacks are not entirely new, nor do they have to be “big” to cause serious damage, but they do represent the ultimate weaponization of data. Instead of trying to steal large amounts of sensitive data, hackers instead focus on changing specific parts of transactions or information, or strategically leak the information obtained (think of Wikileaks and Hillary Clinton’s emails this past summer), to gain a financial or political foothold. For example, the Stuxnet worm allowed hackers to make very minor changes that had a major impact on Iran’s nuclear program. Similarly, hackers used the same process to attack large banks including JP Morgan, giving them an in-depth understanding of how internal operations worked. In late 2015, many suspected that the attack on Ukraine’s power grid was the result of ongoing political disagreements with Russia, and the same could said for early 2016 when Israel’s electricity authority was hit by ransomware. Later this year, the World Anti-Doping Agency and Democratic National Committee breaches demonstrated how data can be manipulated to embarrass organizations.
So why do I think data integrity attacks will ramp up during the coming 12 months and continue over the next few years? The proliferation of the Internet of Things (IoT) means that hackers have a seemingly-infinite number of different attack surfaces and personas that they can manipulate. We are also using data that is being generated as an input to make business decisions. Decision-making by senior government officials, corporate executives, investors and average consumers about everything from investment decisions to which traffic signals you should obey will be impacted if they cannot trust the information they are receiving.
Before you pack your doomsday prep kit, there are some positive signs. Over the past few years, my conversations with customers have shifted from how to prevent breaches to how to protect DATA. Organizations have started to understand that breaches are not going away and that attack surfaces are constantly evolving. When I talk to the businesses we work with, one of the first questions I ask is, “What are you trying to protect?” Without understanding what data you’re trying to protect, there is no point in spending money to protect it.
Companies need to start with a data centric approach to security, because it is the data hackers are often targeting. While data mapping is important to help create a better understanding of threats, another concern is users and devices. We have found this year that personal and workplace identities are converging at an alarming rate. A recent survey revealed that 90% of enterprise IT professionals are concerned that employee reuse of personal credentials for work purposes could compromise security, but two thirds (68%) still say they would be comfortable allowing employees to use their social media credentials on company resources. It is an interesting juxtaposition for companies to be concerned about the reuse of personal credentials, yet allow access to company resources with third-party social sites.
All of these factors, IoT, lack of two factor authentication, third-party security risks and unencrypted data, compound the risk of large scale data integrity attacks. We are just seeing the beginnings of these types of attacks. Take for example during this year’s U.S. election and the government and media debate around Russia’s state-sponsored attacks to manipulate political decisions. Protecting the integrity of the data we consume will become even more crucial as more of our information takes to the digital channels.
This article originally appeared as a contributed blog post on the VMBlog.com here.