7/3/2017
10:00 AM
Mike Baukes
Commentary

The Problem with Data

The sheer amount of data that organizations collect makes it both extremely valuable and dangerous. Business leaders must do everything possible to keep it safe.

People once thought that if it were possible to know every detail about the physical universe, the future would be completely predictable. The idea that our limited knowledge prevents us from fully understanding the world, and thus being able to fix it, has been around as long as civilization. As summed up in a cliché both empty and profound: knowledge is power. Not intelligence, not any of the creative aspects of the mind, but raw data itself.

1 Breach, 198 Million People
In 2017, this belief most clearly manifests in predictive analytics and other fields of big data analysis. On June 19, the Cyber Risk Team at UpGuard uncovered an unsecured Amazon S3 storage instance with the voter data of 198 million Americans. That's more than half the people in the country. The privacy implications of the data are self-evident, but more important is what the data reveals about how analytic techniques are used to define people as targets, for any type of persuasive intrusion.

The other important thing to note about the voter data leak is the size of the data set: 198 million individuals represented across more than a terabyte of highly researched data. The size of the RNC data set makes it incredibly valuable. That's why analytics companies exist and how they make money. Organizations from candy manufacturers to political parties want to use data analytics to reach more people with more accurate messaging. This is because these organizations are invested parties that make money from selling candy, or that gain power from winning elections. Their ability to persuade people to their side determines their success. The type of data discovered in the RNC leak is designed specifically to enable that persuasion.

If this model seems familiar, that's because social media and tech companies use these techniques in advertising. They provide a platform that people want to use, and then take the information provided by their customers to advertise back at them in a voice they're more likely to heed. In the case of the RNC, the data was used to determine what to say to different people in order to get the most votes.


Email phishing is one of the most successful cyber attacks being employed now. The most sophisticated of these are spearphishing attacks, such as the one against Hillary Clinton campaign chairman John Podesta that allowed hackers to access DNC emails. Spearphishing relies on information gathering to determine how to trick the target into clicking on a malicious link or attachment. Now imagine that spearphishers could use the advanced data of a leaked political strategy to craft their emails. It would make an already dangerous threat much more effective.

The Information Economy
The lesson here is that your information matters. Companies trade on your information daily, shipping huge data sets to third parties through various types of infrastructure, some more secure than others. The information economy is booming — every vector of capturing data is being utilized or soon will be. The Internet of Things promises to make life easier through interconnection, but it also adds devices that capture metrics on your daily life, reporting them to the manufacturer. We've seen this in everything from devices like Vizio TVs to apps like Facebook, where the line between lawful data analysis and privacy invasion is blurry.

Ultimately, the information economy has two faces. The customer-facing side is about ease of use, shareability, and all the other go-to descriptions for apps and gadgets that tie back to the Internet. These aspects allow the customer to receive a personalized experience. The obverse is the business side, where devices, websites, and apps collect metrics, analyze customer habits, and predict behavior.

Who Controls the Past Controls the Future
Analytic techniques wouldn't be any good if they weren't predictive. Knowledge is power because knowing about the past enables better decisions in the present to achieve desired outcomes in the future. At the RNC, insights were drawn not only from the data set but also into it, with several fields, including race and religion, being modeled, or predicted as probable. Further analysis can incorporate this modeled data and churn out even more predictive data.

Future innovations will provide more functionality for people, but they will also bring attendant risks and place more personal information in the hands of private companies. Data sets will grow larger and analytic capacity will increase, trying to reach the goal of perfectly knowing every individual through a highly scrutinized matrix of information in order to customize offers down to every man, woman, and child.

Information Matters
This is why information matters and why data breaches matter. The companies that handle information know how valuable it is — that's how they make money. The companies that outsource analytics know how valuable it is — that's why they pay millions for it. But when it comes to the day-to-day IT operations that gather, move, store, manipulate, and copy that data, it's often treated as if it had no value at all. And when valuable data falls into the wrong hands, it becomes a big problem for the organization and its clients.

It would be nice if we could flip a switch that would solve this problem, but it's a situation created from the sum total of data, processes, and assets within each digital organization and the vendors they employ. In a complex ecosystem of constant change, the daily work of IT operations is grueling and often thankless, especially at the largest scale.

Protecting a large organization and the people whose information it holds comes down to standardizing and improving this day-to-day work and continuously testing it to make sure it's right. It requires all business leaders to treat IT as they would any other critical piece of the company: by integrating it strategically and seriously accounting for its risks. If data-driven analysis is going to guide business for the foreseeable future, those making money from using it must do what is necessary to prevent that data from being exposed.

Mike Baukes is co-founder and co-CEO of UpGuard, a cyber resilience company based in Mountain View, California.
Comments
Octerain,
User Rank: Apprentice
7/5/2017 | 2:30:13 AM
The value of YOUR data
Most companies record the assets and liabilities and account for these on an annual basis. Desks, chairs, machinery, equipment and all things mobile and nonremovable are recorded as assets. It becomes part of the net value of the company.

Today we have spindles that host some of the most valuable assets, but this digital representation of assets never gets valued the same as stock or inventory. We therefore need a thought change about what are the intangible assets and how we value that so that we can afford it the proper protection.