Network World: 2017 breach predictions

In 2017, we’ll see more intricate, complex and undetected data integrity attacks, and for two main reasons: financial gain and/or political manipulation.



We’ve reached that time of year where everyone in the security industry is pulling together predictions for what we expect to see over the next year, and/or slowly backing away from any imperfect predictions we might have put forth the year before.

Last year, I offered up a number of predictions, but the one continuing to make huge waves in 2017 is around data integrity attacks. Quite simply, I expect that we’ll see more intricate, complex and undetected data integrity attacks, and for two main reasons: financial gain and/or political manipulation.

Data integrity attacks are, of course, not entirely new. Data integrity is a promise or assurance that information can be accessed or modified only by authorised users. Data integrity attacks compromise that promise with the aim of gaining unauthorised access to modify data for a number of ulterior motives. It is the ultimate weaponisation of data.

A few classic examples include the 2008 case of Brazilian logging companies that accessed government systems to inflate logging quotas and the famous 2010 story on how the Stuxnet worm used very minor changes to attempt to destroy Iran’s nuclear program. In 2013, a Syrian group hacked into the Associated Press’ Twitter account and tweeted that President Obama had been injured in explosions at the White House. (That single tweet caused a 147-point drop in the Dow.)

Fast forward to 2015 when Anonymous began releasing financial reports exposing firms in the U.S. and China trying to cheat the stock market, in one case, damaging the brand reputation of REXLot Holdings, a games developer that had inflated its revenues. The same year, there was the JP Morgan Chase breach and subsequent attempt at market manipulation. Which leads us, of course, to 2016, with the World Anti-Doping Agency and Democratic National Committee breaches, both examples of how hackers are using data integrity attacks to embarrass organisations.

How will cyber attacks get worse?

What’s different now from last year’s prediction? Why will these attacks get worse? The first generation of cyber attacks was about cutting access to data, and then we moved on to data theft. Now, we’re starting to see evidence of that stolen data being altered before transition from one machine to another, affecting all elements of operations.

The proliferation of the Internet of Things (IoT) means hackers have a seemingly infinite number of different attack surfaces and personas that they can manipulate. Use your Fitbit as an example, and look at the number of people who touch it—the user, the manufacturer, the cloud provider hosting the IT infrastructure, the third parties accessing it via an API, etc. This creates a cross-pollination of risk that the security industry has not seen before, and that’s just one person’s “thing.”

Today’s connected world constantly generates mounds of data that businesses, industry pros and analysts use to drive decisions, make projections, issue forecasts and more.

Data integrity attacks have the power to bring down an entire company and beyond. Entire stock markets could be poisoned and collapsed by faulty data. The power grid and other IoT systems from traffic lights to the water supply could be severely disrupted if the data they run on were to be altered. And perhaps the greatest danger is that many of these could go undetected for years before the true damage reveals itself. What’s at stake is trust. Decision-making by senior government officials, corporate executives, investors and average consumers will be impacted if they cannot trust the information they receive.

What you can do to protect data

At this point, you’re probably terrified—or morbidly depressed. Is there anything we can do? And the answer to that is yes. When I talk to the businesses we work with, one of the first questions I ask is, “What are you trying to protect?” If you don’t know what data you’re trying to protect, there is no point in spending money to protect it. It’s a straightforward enough question perhaps, but it isn’t very easy to answer. Despite this, working out an answer is one of the most fundamental things an organisation can do towards making itself secure. Last month’s blog, Securing the breach trumps breach prevention, detailed some additional tangible steps you can take.

Breaches will continue to happen—to expect otherwise would be unrealistic. But as their scale and complexity grow, focusing on them first would take up all of an organisation’s IT security bandwidth. A better starting point is to know what you are trying to protect.

This blog post also appears here in my regular blog for Network World.

Data breaches: This time it’s more personal

Data breaches have shifted from stolen credit card data and financial information to the theft of something much more intimate—identities

Summer 2016 was not a good time for data breaches.

First, news broke that the Democratic National Committee was hacked, leading to the resignation of DNC Chair Debbie Wasserman Schultz and driving a wedge between Democratic Party members.

Later, the World Anti-Doping Agency (WADA) announced that Russian hackers had illegally accessed its Anti-Doping Administration and Management System (ADAMS) database, leaking confidential medical information for U.S. athletes, including Simone Biles and Serena Williams.

Then earlier this month, passwords, usernames, email addresses and other personal information were published for more than 2.2 million people who created accounts with ClixSense, a site that pays users for completing online surveys and viewing advertisements.

These were not the only breaches of the summer, nor were they the largest. However, each is a clear example of the changing face of data breaches and the rise of identity theft.

The rise of identity theft

What we have been seeing over the past two years is that data breaches have shifted from stolen credit card data and financial information to the theft of something much more intimate—identities. As a result, data breaches are becoming much more personal and the universe of risk exposure for people is widening.

In the case of the DNC and WADA breaches, sensitive data was leaked to publicly smear people. Contrast that with the IRS data breach involving more than 700,000 stolen Social Security numbers that resulted in thousands of false tax returns being filed. As companies, governments and other organizations collect ever-increasing amounts of customer information and as our online digital activities become more diverse and prolific, more data about what we do, who we are and what we like is at risk of being stolen from the companies that store our data.

Apathy abounds

So, why isn’t anyone paying attention? The truth is that despite today’s daily headlines about data breaches, the problem with cybersecurity is that there’s a lot of apathy regarding the issues. Consumers know their credit cards will be replaced and they will not be responsible for financial losses. Breached companies know their stock prices will rebound eventually, and government regulations are simply not a good prescription for security.

At this point the daily noise around data breaches is making it more difficult for consumers, government regulatory agencies and companies to distinguish between nuisance data breaches and truly impactful mega breaches. News reports fail to make these distinctions, but they are important to understand because each has different consequences. A breach involving 100 million user names is not as severe as a breach of 1 million accounts with Social Security numbers and other personally identifiable information that are used for financial gain.

In this post I stressed the need for organizations to create a “Secure Breach” environment to safeguard data. In this increasingly digital world where greater and greater amounts of data are being stored, managed and shared via the cloud and multiple (and unsecured) devices, it is clear that data breaches are going to happen. That is why companies need to shift from a total reliance on breach prevention to strategies that help them secure the breach once intruders get past network defenses.

That is why more focus needs to be on understanding what really constitutes sensitive data and where it is stored, and using the best means to defend it. At the end of the day, the best way to protect data is to kill it. That means ensuring sensitive data is protected with encryption so it is useless to the thieves.

Even though encryption is widely known, less than 4 percent of all data breaches this year involved data that was encrypted in part or in full, according to the Breach Level Index. This number has stayed more or less the same for the past several years, and that’s unacceptable.

While credit cards can be easily replaced and fraudulent charges covered, the damage from stolen identities and sensitive personal information is much longer lasting. So, what will be the tipping point that moves companies to adopt a secure breach strategy? In my next blog, I’ll present some strategies for how companies can better defend data and secure the breach. In the meantime, let me know your thoughts in the comments.

(This post was also published on Network World.)