BreachExchange mailing list archives

Data Theft: It’s Not the Only Danger Hackers Wreak


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 15 Oct 2015 11:38:42 -0600

http://www.enterprisetech.com/2015/10/15/data-theft-its-not-the-only-danger-hackers-wreak/

In the world of information security there is a concept known as threat
modeling. The idea is to look at a computer system and map out a set of
possible attacks to consider. One such possible attack is a scenario
in which an attacker, after successfully breaching an organization and
locating its sensitive data, does not simply steal a copy but instead makes
changes to the data.

If we were to perform such a threat modeling exercise on an organization’s
sensitive data, rather than on the entire system, which scenarios would likely
be damaging? An attacker attempting to manipulate stock prices for their gain
could locate a company’s sensitive financial data and make changes that
reflect even a small loss in revenue. Such an example of malicious data
manipulation would allow someone to profit from the resulting dip in stock
price. Another possible scenario: An attacker breaching a healthcare clinic
and manipulating patient data. Depending on the data manipulated, such an
event could lead to incorrect dosages being administered or to the
misdiagnosing of a serious health issue.

As I have just described, data manipulation occurring as part of a security
breach has far wider implications than simply losing a copy of sensitive
data to an attacker. The recent OPM breach exposed millions of very
sensitive personal records to an attacker, and that data could also
likely have been tampered with. Did the attackers settle on stealing
government secrets or was the real motive to undermine the integrity of a
massive amount of sensitive government data?

The logical question then becomes: what can be done about it? Information
security as a practice is far from being in its infancy. It has long been
the mantra that we must maintain the Confidentiality, Integrity and
Availability of information, the so-called CIA Triad. Attacks that
manipulate sensitive data get right to the heart of the “I” in CIA,
integrity. So why do we feel so caught off guard by this?

One of the reasons likely has much to do with the sheer volume of data we
create and store, and the many places we store it: laptops, desktops,
servers, and cloud environments. The heavy reliance on access to our
sensitive data by many authorized individuals also means our sensitive data
footprints tend to grow beyond our security controls.

Once an attacker has gained unauthorized access to systems they have two
primary aims: escalate privileges and locate sensitive data. We have
already modeled what an attacker can do with our sensitive data — to secure
that data we first need to perform the same actions as the attacker. Locate
the sensitive data. All of it.

An examination of the Sony breach highlights just how much most
organizations do not know about where their sensitive data resides. There
were 601 files that contained Social Security numbers, 523 of which were
Excel spreadsheets. Over 3,000 of those Social Security numbers appeared in
more than 100 locations. This represents just a snapshot of their sensitive
data footprint. That large a footprint would challenge even the best
information security team.

Data manipulation is not simply poised to threaten the integrity of
sensitive data; it undermines the foundation of modern business. Our
ability to place the proper security controls on and around our data will
first begin with knowing all of the many places our data resides and
understanding what the data is. These are the pillars of a data security
program equipped to handle the growing threat of data manipulation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
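
An added example, not part of the original article or post: a minimal Python inventory for the "locate the sensitive data, all of it" step. It records which files hold SSN-shaped values, how many locations each value appears in, and a SHA-256 baseline per file so that later manipulation shows up as a hash change. It assumes plain-text files (spreadsheets such as .xlsx would need a format-aware reader); the function names, sample tree and SSN values are constructed for illustration.

```python
import hashlib, hmac, re, secrets, tempfile
from collections import defaultdict
from pathlib import Path

# SSN-shaped token AAA-GG-SSSS; never-issued ranges (000/666/9xx, 00, 0000) are skipped.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

def build_inventory(root, key):
    """Return (files, locations) for every file under root that holds an SSN-shaped value."""
    files = {}                    # relative path -> content hash and distinct SSN count
    locations = defaultdict(set)  # keyed SSN tag -> paths where that value appears
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        text = data.decode("utf-8", errors="ignore")
        # HMAC tags let us count duplicates without storing raw SSNs in the inventory.
        tags = {hmac.new(key, m.encode(), hashlib.sha256).hexdigest()[:16]
                for m in SSN_RE.findall(text)}
        if tags:
            rel = path.relative_to(root).as_posix()
            files[rel] = {"sha256": hashlib.sha256(data).hexdigest(), "ssns": len(tags)}
            for tag in tags:
                locations[tag].add(rel)
    return files, locations

def changed_files(baseline, current):
    """Paths added, removed or altered since the baseline inventory was taken."""
    return sorted(p for p in baseline.keys() | current.keys()
                  if baseline.get(p, {}).get("sha256") != current.get(p, {}).get("sha256"))

def demo():
    """Constructed sample tree: inventory it, alter one record, inventory again."""
    key = secrets.token_bytes(32)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        payroll = root / "hr" / "payroll.csv"
        payroll.write_text("alice,123-45-6789,5000\nbob,078-05-1120,4200\n")
        (root / "export.txt").write_text("ticket 4471: verify 123-45-6789\n")
        (root / "readme.txt").write_text("build 2015-10-15, phone 555-0100\n")
        before, locations = build_inventory(root, key)
        spread = sorted(len(paths) for paths in locations.values())
        payroll.write_text("alice,123-45-6789,9000\nbob,078-05-1120,4200\n")  # simulated tampering
        after, _ = build_inventory(root, key)
        return sorted(before), spread, changed_files(before, after)

if __name__ == "__main__":
    print(demo())
```

The baseline is only useful if it is stored where an intruder with access to the data cannot rewrite it as well.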
