Data Theft: It’s Not the Only Danger Hackers Wreak
In the world of information security there is a concept known as threat modeling. The idea is to look at a computer system and map out a set of possible attacks to consider. One such possible attack is a scenario whereby an attacker, upon successfully breaching an organization and then locating its sensitive data, does not simply steal a copy but instead makes changes to the data.
If we were to perform such a threat modeling exercise on an organization’s sensitive data, not the entire system, what likely scenarios would be damaging? An attacker attempting to manipulate stock prices for their gain could locate a company’s sensitive financial data and make changes that reflect even a small loss in revenue. Such an example of malicious data manipulation would allow someone to profit from the resulting dip in stock price. Another possible scenario: an attacker breaching a healthcare clinic and manipulating patient data. Depending on the data manipulated, such an event could lead to incorrect dosages being administered or to the misdiagnosing of a serious health issue.
As I have just described, data manipulation occurring as part of a security breach has far wider implications than simply losing a copy of sensitive data to an attacker. In the recent OPM breach, millions of pieces of very sensitive personal information were exposed to an attacker, and that information could also likely have been tampered with. Did the attackers settle on stealing government secrets, or was the real motive to undermine the integrity of a massive amount of sensitive government data?
The logical question then becomes: what can be done about it? Information security as a practice is far from being in its infancy. It has long been the mantra that we must maintain the Confidentiality, Integrity and Availability of information, the so-called CIA Triad. Attacks that manipulate sensitive data get right to the heart of the “I” in CIA, integrity. So why do we feel so caught off guard by this?
One of the reasons likely has much to do with the sheer volume of data we create and store, and the many places we store it: laptops, desktops, servers, and cloud environments. The heavy reliance on access to our sensitive data by many authorized individuals also means our sensitive data footprints tend to grow beyond our security controls.
Once an attacker has gained unauthorized access to systems they have two primary aims: escalate privileges and locate sensitive data. We have already modeled what an attacker can do with our sensitive data — to secure that data we first need to perform the same actions as the attacker. Locate the sensitive data. All of it.
An examination of the Sony breach highlights just how much most organizations do not know about where their sensitive data resides. There were 601 files that contained Social Security numbers, 523 of which were Excel spreadsheets. Over 3,000 of those Social Security numbers appeared in more than 100 locations. This represents just a snapshot of their sensitive data footprint. That large a footprint would challenge even the best information security team.
Data manipulation is not simply poised to threaten the integrity of sensitive data; it undermines the foundation of modern business. Our ability to place the proper security controls on and around our data will first begin with knowing all of the many places our data resides and understanding what the data is. These are the pillars of a data security program equipped to handle the growing threat of data manipulation.
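The two steps described above, locating the data and then being able to tell when it has been changed, can be sketched in a few lines. This is an added example, not part of the original article or any vendor's product: the function names, the sample files and the Social Security numbers in them are constructed, and it assumes plain-text files (a compressed format such as .xlsx would have to be unpacked before a byte-level search can see its contents).

```python
import hashlib
import os
import re
import tempfile

# Dashed SSN format only. Area 000/666/9xx, group 00 and serial 0000 are
# never issued, so excluding them reduces false positives.
SSN_RE = re.compile(
    rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

def scan_tree(root):
    """Inventory files holding SSN-like strings: {rel_path: (hits, sha256)}."""
    inventory = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = SSN_RE.findall(data)
            if hits:
                rel = os.path.relpath(path, root)
                inventory[rel] = (len(hits), hashlib.sha256(data).hexdigest())
    return inventory

def verify(root, baseline):
    """Re-hash every inventoried file; return paths altered or missing."""
    changed = []
    for rel, (_hits, digest) in baseline.items():
        try:
            with open(os.path.join(root, rel), "rb") as fh:
                now = hashlib.sha256(fh.read()).hexdigest()
        except OSError:
            now = None  # a deleted file is also an integrity event
        if now != digest:
            changed.append(rel)
    return sorted(changed)

def demo():
    """Constructed sample tree: baseline it, alter one digit, verify."""
    with tempfile.TemporaryDirectory() as root:
        hr = b"name,ssn\nA. Sample,123-45-6789\nB. Sample,219-09-9999\n"
        for name, body in {"hr.csv": hr, "notes.txt": b"order 000-12-3456\n"}.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = scan_tree(root)
        with open(os.path.join(root, "hr.csv"), "wb") as fh:
            fh.write(hr.replace(b"6789", b"6780"))  # simulated manipulation
        return baseline, verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline is only useful if it is stored where someone who can modify the files cannot also rewrite the recorded hashes.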
About the Author:
As chief executive officer, Todd Feinman has transformed Identity Finder into a leader in sensitive data management by helping businesses manage enterprise data and prevent data leakage. He has over fifteen years of experience in the security industry and is an internationally published author and media personality. He wrote Microsoft’s own reference book on securing Windows and McGraw Hill’s university textbook on managing the risks of electronic commerce. Recently he has appeared on many television and radio shows including the Today Show, Martha Stewart, and Good Morning America. He has written dozens of articles and presented at numerous global conferences on the topics of sensitive data management, data leakage, security, and privacy.
Todd spent ten years at PricewaterhouseCoopers, where he started as an ethical hacker breaking through the IT security of Fortune 100 companies and later took the role of Director to grow their vulnerability management consulting practice. Todd also worked as a product manager for Microsoft in their enterprise server group and was the CIO of an energy retailer in NYC. Todd has a Master in Business Administration from Harvard Business School and a Bachelor of Science from Lehigh University. Follow the company @IdentityFinder.