Data integrity breaches are set to send shockwaves throughout the world in 2017, with at least one almighty breach disclosure of this type expected next year, according to Jason Hart, CTO Data Protection, Gemalto.
Data integrity is a promise or assurance that information can be accessed or modified only by authorised users. Data integrity attacks compromise that promise, with the aim of gaining unauthorised access to modify data for a number of ulterior motives, such as financial or reputational.
“Data integrity attacks are, of course, nothing new, yet they remain under the radar of businesses who have an ever increasing reliance on data and make huge business decisions based on its analysis. These types of attacks are what I like to call the ultimate weaponisation of data,” said Hart.
The first generation of cyber attacks focused on stopping access to the data, which quickly moved on to stealing it. Today, we’re starting see to more and more evidence that the stolen data is being altered before transition, effecting all elements of operations. With the increasing uptake of the Internet of Things, hackers have more attack surfaces and personas that they can manipulate.
Take a wearable fitness device such as the Fitbit for example, and look at the number of different people that touch it – the user, the manufacturer, the cloud provider hosting the IT infrastructure, the third parties accessing it via an API, etc. You can start to see how this can create a cross pollination of risk that the security industry has not seen before. And, this is just a personal “thing”, so when you take account of all the things that are connected to critical and national infrastructures, you can start to see how this can quickly get out of hand.
“It’s scary, but data integrity attacks have the power to bring down an entire company and beyond; entire stock markets could be poisoned and collapsed by faulty data; the power grid and other IoT systems from traffic lights to the water supply could be severely disrupted if the data they run on were to be altered. And perhaps the greatest danger is that many of these could go undetected for years before the true damage reveals itself,” according to Hart.
Data integrity breaches
- 2008 – Hackers infiltrate the Brazilian governments systems and inflate the logging quotas to disrupt logging industry
- 2010 – Hackers use the Stuxnet Worm to make minor changes in Iran’s nuclear power programme in an attempt to destroy it
- 2013 – A Syrian group hacked into the Associated Press’ Twitter account and tweeted that President Obama had been injured in explosions at the White House – the single tweet caused a 147-point drop in the Dow
- 2015 – Anonymous begin releasing financial reports exposing firms in the US and China trying to cheat the stock market. In one case, damaging the brand reputation of REXLot Holdings, a games developer, which had inflated its revenues
- 2015 – JP Morgan Chase was breached with subsequent attempts at market manipulation
- 2016 – Both the World Anti-Doping Agency and Democratic National Committee are breached with hackers manipulating their data to embarrass the organisations.
Top tips for businesses
1. Understand your data – In order for a business to protect itself, it should first conduct a data sweep to understand what data it has collected or produced and where the most sensitive parts of that data sit. It’s crucial for businesses to understand what they are trying to protect before they can even think about how to protect it.
2. Two-factor authentication – An organisation’s next step should be to focus on the adoption of strong two-factor authentication, which provides that extra layer of security should user IDs or passwords become compromised.
3. Encryption – While two-factor authentication is there to help to stop information being taken in the first place, encryption provides the layer to stop customers’ sensitive data being used if it is accessed. Companies need to utilise encryption to protect this data wherever it is found, that’s a given. Whether this be on-premise, virtual, public cloud, or hybrid environments. More importantly, the traditional data security mind-set has to evolve, with companies needing to approach it with a presumption that perimeters will be breached and, as such, prepare the correct encryption necessary, to protect the most vital aspect, the data.
4. Key management – Once a proper encryption strategy is in place, attention must switch to strong management of the encryption keys. Encryption is only as good as the key management strategy employed, and companies must ensure they are kept safe through steps like storing them in hardware modules to prevent them being hacked. After all, it’s no good having the best locks on your house and then leaving the house keys under the mat for any passing opportunist burglar to pick up!
5. Education – In order to build trust, companies need to educate their workforce and their consumers on the steps they have taken to protect their data. And it doesn’t just end there. Businesses need to employ a two-pronged approach, educating their employees and consumers on the steps they should also be taking to remain safe and protect their personal data themselves, which leads to them understanding how to protect the company’s data.