[BreachExchange] 2017 breach predictions: The big one is inevitable
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Nov 15 19:53:04 EST 2016
http://www.networkworld.com/article/3141468/security/2017-
breach-predictions-the-big-one-is-inevitable.html
We’ve reached that time of year where everyone in the security industry is
pulling together predictions for what we expect to see over the next year,
and/or slowly backing away from any imperfect predictions we might have put
forth the year before.
Last year, I offered up a number of predictions, but the one continuing to
make huge waves in 2017 is around data integrity attacks. Quite simply, I
expect that we’ll see more intricate, complex and undetected data integrity
attacks and for two main reasons: financial gain and/or political
manipulation.
Data integrity attacks are, of course, not entirely new. Data integrity is
a promise or assurance that information can be accessed or modified only by
authorized users. Data integrity attacks compromise that promise with the
aim of gaining unauthorized access to modify data for a number of ulterior
motives. It is the ultimate weaponization of data.
A few classic examples include the 2008 case of Brazilian logging companies
that accessed government systems to inflate logging quotas and the famous
2010 story on how the Stuxnet worm used very minor changes to attempt to
destroy Iran's nuclear program. In 2013, a Syrian group hacked into the
Associated Press' Twitter account and tweeted that President Obama had been
injured in explosions at the White House. (That single tweet caused a
147-point drop in the Dow.)
Fast forward to 2015 when Anonymous began releasing financial reports
exposing firms in the U.S. and China trying to cheat the stock market, in
one case, damaging the brand reputation of REXLot Holdings, a games
developer that had inflated its revenues. The same year, there was the JP
Morgan Chase breach and subsequent attempt at market manipulation. Which
leads us, of course, to 2016, with the World Anti-Doping Agency and
Democratic National Committee breaches, both examples of how hackers are
using data integrity attacks to embarrass organizations.
How will cyber attacks get worse?
What’s different now from last year’s prediction? Why will these attacks
get worse? The first generation of cyber attacks were about cutting access
to data, and then we moved on to data theft. Now, we’re starting to see
evidence of that stolen data being altered before transition from one
machine to another, effecting all elements of operations.
The proliferation of the Internet of Things (IoT) means hackers have a
seemingly infinite number of different attack surfaces and personas that
they can manipulate. Use your Fitbit as an example, and look at the number
of people who touch it—the user, the manufacturer, the cloud provider
hosting the IT infrastructure, the third parties accessing it via an API,
etc. This creates a cross-pollination of risk that the security industry
has not seen before, and that’s just one person’s “thing.”
Today's connected world constantly generates mounds of data that
businesses, industry pros and analysts use to drive decisions, make
projections, issue forecasts and more.
Data integrity attacks have the power to bring down an entire company and
beyond. Entire stock markets could be poisoned and collapsed by faulty
data. The power grid and other IoT systems from traffic lights to the water
supply could be severely disrupted if the data they run on were to be
altered. And perhaps the greatest danger is that many of these could go
undetected for years before the true damage reveals itself. What’s at stake
is trust. Decision-making by senior government officials, corporate
executives, investors and average consumers will be impacted if they cannot
trust the information they receive.
What you can do to protect data
At this point, you’re probably terrified—or morbidly depressed. Is there
anything we can do? And the answer to that is yes. When I talk to the
businesses we work with, one of the first questions I ask is, “What are you
trying to protect?” If you don’t know what data you’re trying to protect,
there is no point in spending money to protect it. It’s a straightforward
enough question perhaps, but it isn’t very easy to answer. Despite this,
working out an answer is one of the most fundamental things an organization
can do towards making itself secure. Last month’s blog, Securing the breach
trumps breach prevention, detailed some additional tangible steps you can
take.
Breaches will continue to happen—to expect otherwise would be unrealistic.
But as their scale and complexity grows, focusing on them first would take
up all of an organization’s IT security bandwidth. A better starting point
is to know what you are trying to protect.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161115/79d4ebe7/attachment.html>
More information about the BreachExchange
mailing list