08:00 AM
John Moynihan

Data Manipulation: An Imminent Threat

Critical industries are largely unprepared for a potential wave of destructive attacks.

An approaching cyber storm—one capable of unleashing unprecedented chaos—is looming on the horizon of the United States’ public and private sectors. Although experts warn that attackers are poised to launch sophisticated campaigns designed to manipulate financial, healthcare, and government data beyond recognition, our critical industries remain largely unprepared for these potentially destructive attacks.

To date, those capable of conducting malicious cyber operations have been intent upon stealing personal, health, education, and financial information and pilfering the precious intellectual property of leading defense, technology, and manufacturing corporations. Their motive: to spread chaos. At separate events in August, I listened as General Gregory Touhill, just named by the White House as the first federal chief information security officer, and Theresa Payton, a former White House CIO, cautioned that data manipulation attacks are coming. Assuredly, the cyber threat landscape is about to shift dramatically.

The following represents a simplified example of what a data manipulation attack might look like and the widespread disruption that could ensue.

Through the deployment of a stolen privileged user password, customized malware, or other form of cyber weaponry, an adversary is able to penetrate the network perimeter of a major financial institution. Because most organizations lack proper network segmentation, the hackers immediately proceed to the organization’s digital treasure chest: the customer database. Soon thereafter, the undetected visitors gain access to a database that houses the intricate details of 3 million mutual fund accounts.

Once inside the database, the electronic invaders begin to systematically alter the repository’s tables, resulting in cascading revisions to the numeric values of each account. The systematic manipulation is performed over a three-month period, coinciding with the issuance of quarterly statements, so that most customers won’t notice the problem until the attack is over and the culprits long gone. Further, given that the manipulation doesn’t occur on any specific date but is conducted over several weeks, correcting the problem through a single system restore is impossible. The remediation process will require extensive and manual recalculation, verification, and testing.

Eventually, customers realize that the institution to which they’ve entrusted their financial futures has been hacked and their 401(k) accounts compromised. Regardless of the bank’s assurances that all funds are secure, customers panic when they’re told that it may take several months to determine the actual balance of their accounts and that all withdrawals may be suspended until the process is completed.

Consider the impact of similar data manipulation campaigns, conducted simultaneously, throughout the healthcare, government, manufacturing, and telecommunications sectors. Widespread chaos would be an understatement.

Who's Watching?
To those who assume that critical databases are well protected from this form of malice, the findings contained within a recent Osterman Research survey suggest otherwise. The research, which surveyed approximately 200 organizations with an average workforce of 22,000, reveals an astonishing lack of database oversight. Among the report’s most glaring statistics, 47% of respondents acknowledged that no individual or functional group is responsible for monitoring databases for unauthorized activity.

In other words, although many organizations maintain your personal information within databases, nearly half admit that they’re incapable of detecting unauthorized data access. This inexcusable situation exposes the personal information of many Americans to the imminent risk of theft and manipulation.

Although adopting a structured database security program is not an insurmountable task, it’s one that requires ongoing resource commitment and the support of executive management. Twenty years ago, at the direction of a forward-thinking senior manager, I implemented a public sector database security program. Without the benefit of the advanced solutions currently available, an innovative group of technology professionals and information security auditors developed an ongoing process to detect unauthorized database activity in a timely fashion. Throughout the 10 years that I managed this program, several unauthorized accesses were quickly identified and disrupted through this continuous monitoring process. If we could monitor databases for malicious activity back then, surely most can do so now.
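One way continuous monitoring can catch the slow balance manipulation described in the scenario above, shown as an added example that is not from the original article or the author's program. The schema (`accounts`, `ledger`, `balance_audit`), the trigger name, and all sample rows are hypothetical and constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance_cents INTEGER NOT NULL);
CREATE TABLE ledger (account_id INTEGER, amount_cents INTEGER, posted TEXT);
CREATE TABLE balance_audit (account_id INTEGER, old_cents INTEGER, new_cents INTEGER);
-- Hypothetical trigger: record every balance change, whichever login made it.
CREATE TRIGGER trg_balance_audit AFTER UPDATE OF balance_cents ON accounts
BEGIN INSERT INTO balance_audit VALUES (OLD.id, OLD.balance_cents, NEW.balance_cents); END;
INSERT INTO accounts VALUES (1, 0), (2, 0);
"""

def post(db, account_id, amount_cents, posted):
    """Legitimate path: ledger entry and balance update commit together."""
    with db:
        db.execute("INSERT INTO ledger VALUES (?, ?, ?)", (account_id, amount_cents, posted))
        db.execute("UPDATE accounts SET balance_cents = balance_cents + ? WHERE id = ?",
                   (amount_cents, account_id))

def reconcile(db):
    """(id, stored, expected) for every balance the ledger cannot explain."""
    return db.execute(
        "SELECT a.id, a.balance_cents, COALESCE(SUM(l.amount_cents), 0) "
        "FROM accounts a LEFT JOIN ledger l ON l.account_id = a.id GROUP BY a.id "
        "HAVING a.balance_cents != COALESCE(SUM(l.amount_cents), 0) ORDER BY a.id").fetchall()

def unexplained_changes(db, account_id):
    """Audit rows, in order, whose delta does not match the next ledger posting."""
    ledger = [r[0] for r in db.execute(
        "SELECT amount_cents FROM ledger WHERE account_id = ? ORDER BY rowid", (account_id,))]
    flagged, i = [], 0
    for seq, old, new in db.execute(
            "SELECT rowid, old_cents, new_cents FROM balance_audit "
            "WHERE account_id = ? ORDER BY rowid", (account_id,)):
        if i < len(ledger) and new - old == ledger[i]:
            i += 1  # explained by the next posting
        else:
            flagged.append((seq, old, new))
    return flagged

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    post(db, 1, 500_000, "2016-07-01")
    post(db, 2, 250_000, "2016-07-01")
    # Constructed tampering: a direct UPDATE that bypasses the ledger.
    db.execute("UPDATE accounts SET balance_cents = balance_cents - 1234 WHERE id = 2")
    post(db, 2, 10_000, "2016-08-01")
    return reconcile(db), unexplained_changes(db, 2)
```

`reconcile` depends only on the ledger, so it still flags a mismatch if the trigger has been dropped; the audit rows supply the order and size of each unexplained change, which a single restore point cannot. In practice the audit trail should be copied to a system the database administrators cannot modify.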

The threat of a coordinated data manipulation campaign is a reality that has the potential to overwhelm critical industries and disrupt the economic and social fabric of the United States. Unfortunately, many organizations have yet to implement the basic safeguards necessary to swiftly detect this type of electronic attack and therefore remain totally unprepared to prevent the consequences. It’s time for those who maintain our most confidential data to take the steps necessary to protect against this emerging threat by deploying more robust detection measures and implementing an ongoing monitoring program.

John Moynihan, CGEIT, CRISC, is President of Minuteman Governance, a Massachusetts cybersecurity consultancy that provides services to public and private sector clients throughout the United States. Prior to founding this firm, he was CISO at the Massachusetts Department of ...
User Rank: Ninja
11/16/2016 | 9:32:08 AM
Cyber security
More of the attacks are coming our way and we are here as ordinary cyber users doing nothing. It is high time to take up the issue and secure our connection from being tracked by deploying reliable VPN server like PureVPN which offer great services at minimal costs. They have encrypted online connections which is good for security.
User Rank: Apprentice
9/13/2016 | 10:13:40 AM
The same will hit Internet of Things.
There is a big misconception about securing IoT systems: "who is interested in the data of this sensor?", for instance a temperature. Probably only the owner of the sensor. But this might not be the right question to ask. It should also include "can I trust that data?", especially if the temperature is measured to control something else automatically. Manipulating the temperature can destroy a steel mill furnace, or a shipment of deep-frozen fish. Just knowing that someone can take over your sensor also leaves you open to extortion schemes; "we want $$$ to NOT destroy your shipment, or plant".

Internet banking is built on trusting the user, the online bank and the transaction. An Internet of Things connected world requires the same level of trust to work.
Olaf Barheine
User Rank: Apprentice
9/12/2016 | 10:28:37 AM
What I do not understand...
It is everywhere the same, not only in the US. But I always wonder, what could be the reasons that companies are so unprepared? Is it because of the costs for security? Is it a lack of know-how? Do they still underestimate the threat of cyber attacks? Or what is it? I mean, the press is full of reports about successful cyber attacks. So everybody should know about the risks and take it seriously.