Attacks/Breaches
9/12/2016
08:00 AM
John Moynihan
John Moynihan
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Data Manipulation: An Imminent Threat

Critical industries are largely unprepared for a potential wave of destructive attacks.

An approaching cyber storm—one capable of unleashing unprecedented chaos—is looming on the horizon of the United States’ public and private sectors. Although experts warn that attackers are poised to launch sophisticated campaigns designed to manipulate financial, healthcare, and government data beyond recognition, our critical industries remain largely unprepared for these potentially destructive attacks.

To date, those capable of conducting malicious cyber operations have been intent upon stealing personal, health, education, and financial information and pilfering the precious intellectual property of leading defense, technology, and manufacturing corporations. Their motive: to spread chaos. At separate events in August, I listened as General Gregory Touhill, just named by the White House as the first federal chief information security officer, and Theresa Payton, a former White House CIO, cautioned that data manipulation attacks are coming. Assuredly, the cyber threat landscape is about to shift dramatically.

The following represents a simplified example of what a data manipulation attack might look like and the widespread disruption that could ensue.

Through the deployment of a stolen privileged user password, customized malware, or other form of cyber weaponry, an adversary is able to penetrate the network perimeter of a major financial institution. Because most organizations lack proper network segmentation, the hackers immediately proceed to the organization’s digital treasure chest: the customer database. Soon thereafter, the undetected visitors gain access to a database that houses the intricate details of 3 million mutual fund accounts.

Once inside the database, the electronic invaders begin to systematically alter the repository’s tables, resulting in cascading revisions to the numeric values of each account. The systematic manipulation is performed over a three-month period, coinciding with the issuance of quarterly statements, so that most customers won’t notice the problem until the attack is over and the culprits long gone. Further, given that the manipulation doesn’t occur on any specific date but conducted over several weeks, correcting the problem through a single system restore is impossible. The remediation process will require extensive and manual recalculation, verification, and testing.

Eventually, customers realize that the institution to which they’ve entrusted their financial futures has been hacked and their 401(k) accounts compromised. Regardless of the bank’s assurances that all funds are secure, customers panic when they’re told that it may take several months to determine the actual balance of their accounts and that all withdrawals may be suspended until the process is completed.

Consider the impact of similar data manipulation campaigns, conducted simultaneously, throughout the healthcare, government, manufacturing, and telecommunications sectors. Widespread chaos would be an understatement.

Who's Watching?
To those who assume that critical databases are well protected from this form of malice, the findings contained within a recent Osterman Research survey suggest otherwise. The research, which surveyed approximately 200 organizations with an average workforce of 22,000, reveals an astonishing lack of database oversight. Among the report’s most glaring statistics, 47% of respondents acknowledged that no individual or functional group is responsible for monitoring databases for unauthorized activity.

In other words, although many organizations maintain your personal information within databases, nearly half admit that they’re incapable of detecting unauthorized data access. This inexcusable situation exposes the personal information of many Americans to the imminent risk of theft and manipulation.

Although adopting a structured database security program is not an insurmountable task, it’s one that requires ongoing resource commitment and the support of executive management. Twenty years ago, at the direction of a forward-thinking senior manager, I implemented a public sector database security program. Without the benefit of the advanced solutions currently available, an innovative group of technology professionals and information security auditors developed an ongoing process to detect unauthorized database activity in a timely fashion. Throughout the 10 years that I managed this program, several unauthorized accesses were quickly identified and disrupted through this continuous monitoring process. If we could monitor databases for malicious activity back then, surely most can do so now.

The threat of a coordinated data manipulation campaign is a reality that has the potential to overwhelm critical industries and disrupt the economic and social fabric of the United States. Unfortunately, many organizations have yet to implement the basic safeguards necessary to swiftly detect this type of electronic attack and therefore remain totally unprepared to prevent the consequences. It’s time for those who maintain our most confidential data to take the steps necessary to protect against this emerging threat by deploying more robust detection measures and implementing an ongoing monitoring program.

Related Content:

John Moynihan, CGEIT, CRISC, is President of Minuteman Governance, a Massachusetts cybersecurity consultancy that provides services to public and private sector clients throughout the United States. Prior to founding this firm, he was CISO at the Massachusetts Department of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
lorraine89
50%
50%
lorraine89,
User Rank: Ninja
11/16/2016 | 9:32:08 AM
Cyber security
More of the attacks are coming our way and we are here as ordinary cyber users doing nothing. It is high time to take up the issue and secure our connection from being tracked by deplying reliable vpn server like PureVPN which offer great services at minimal costs. They have encrypted online connections which is good for security. 
apptifred
50%
50%
apptifred,
User Rank: Apprentice
9/13/2016 | 10:13:40 AM
The same will hit Internet of Things.
There is a big misconception about securing IoT systems: "who is interested in the data of this sensor?", for instance a temperature. Probably only the owner of the sensor. But this might not be the right question to ask. It should also include "can I trust that data?", especially if the temperature is measured to control something else automatically. Manipulating the temperature can destroy a steel mill furnace, or a shipment of deep-freezed fish. Just knowing that someone can take over your sensor also leaves you open to extortion schemes; "we want $$$ to NOT destroy your shipment, or plant".

Internet banking is built on trusting the user, the online bank and the transaction. An Internet of Things connected world requires the same level of trust to work.
Olaf Barheine
50%
50%
Olaf Barheine,
User Rank: Apprentice
9/12/2016 | 10:28:37 AM
What I do not understand...
It is everywhere the same, not only in the US. But I always wonder, what could be the reasons that companies are so unprepared? Is it because of the costs for security? Is it a lack of know-how? Do they still underestimate the threat of cyber attacks? Or what is it? I mean, the press is full of reports about successful cyber attacks. So everybody should know about the risks and take it serious.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.