Dark Reading is part of the Informa Tech Division of Informa PLC

7/3/2017
10:00 AM
Mike Baukes
Commentary

The Problem with Data

The sheer amount of data that organizations collect makes it both extremely valuable and dangerous. Business leaders must do everything possible to keep it safe.

People once thought that if it were possible to know every detail about the physical universe, the future would be completely predictable. The idea that our limited knowledge prevents us from fully understanding the world, and thus being able to fix it, has been around as long as civilization. As summed up in a cliché both empty and profound: knowledge is power. Not intelligence, not any of the creative aspects of the mind, but raw data itself.

1 Breach, 198 Million People
In 2017, this belief most clearly manifests in predictive analytics and other fields of big data analysis. On June 19, the Cyber Risk Team at UpGuard uncovered an unsecured Amazon S3 storage instance with the voter data of 198 million Americans. That's more than half the people in the country. The privacy implications of the data are self-evident, but more important is what the data reveals about how analytic techniques are used to define people as targets, for any type of persuasive intrusion.

The other important thing to note about the voter data leak is the size of the data set: 198 million individuals represented across more than a terabyte of highly researched data. The size of the RNC data set makes it incredibly valuable. That's why analytics companies exist and how they make money. Organizations from candy manufacturers to political parties want to use data analytics to reach more people with more accurate messaging. This is because these organizations are invested parties that make money from selling candy, or that gain power from winning elections. Their ability to persuade people to their side determines their success. The type of data discovered in the RNC leak is designed specifically to enable that persuasion.

If this model seems familiar, that's because social media and tech companies use these techniques in advertising. They provide a platform that people want to use, and then take the information provided by their customers to advertise back at them in a voice they're more likely to heed. In the case of the RNC, the data was used to determine what to say to different people in order to get the most votes.

Email phishing is one of the most successful cyber attacks being employed now. The most sophisticated of these are spearphishing attacks, such as the one against Hillary Clinton campaign chairman John Podesta that allowed hackers to access DNC emails. Spearphishing relies on information gathering to determine how to trick the target into clicking on a malicious link or attachment. Now imagine that spearphishers could use the advanced data of a leaked political strategy to craft their emails. It would make an already dangerous threat much more effective.

The Information Economy
The lesson here is that your information matters. Companies trade on your information daily, shipping huge data sets to third parties through various types of infrastructure, some more secure than others. The information economy is booming — every vector of capturing data is being utilized or soon will be. The Internet of Things promises to make life easier through interconnection, but it also adds devices that capture metrics on your daily life, reporting them to the manufacturer. We've seen this in everything from devices like Vizio TVs to apps like Facebook, where the line between lawful data analysis and privacy invasion is blurry.

Ultimately, the information economy has two faces. The customer-facing side is about ease of use, shareability, and all the other go-to descriptions for apps and gadgets that tie back to the Internet. These aspects allow the customer to receive a personalized experience. The obverse is the business side, where devices, websites, and apps collect metrics, analyze customer habits, and predict behavior.

Who Controls the Past Controls the Future
Analytic techniques wouldn't be any good if they weren't predictive. Knowledge is power because knowing about the past enables better decisions in the present to achieve desired outcomes in the future. At the RNC, not only were insights drawn from the data set, but also into the data set, with several fields, including race and religion, being modeled, or predicted as probable. Further analysis can incorporate this modeled data and churn out even more predictive data.

Future innovations will provide more functionality for people, but they will also bring attendant risks and place more personal information in the hands of private companies. Data sets will grow larger and analytic capacity will increase, trying to reach the goal of perfectly knowing every individual through a highly scrutinized matrix of information in order to customize offers down to every man, woman, and child.

Information Matters
This is why information matters and why data breaches matter. The companies that handle information know how valuable it is — that's how they make money. The companies that outsource analytics know how valuable it is — that's why they pay millions for it. But when it comes to the day-to-day IT operations that gather, move, store, manipulate, and copy that data, it's often treated as if it had no value at all. And when valuable data falls into the wrong hands, it becomes a big problem for the organization and its clients.

It would be nice if we could flip a switch that would solve this problem, but it's a situation created from the sum total of data, processes, and assets within each digital organization and the vendors they employ. In a complex ecosystem of constant change, the daily work of IT operations is grueling and often thankless, especially at the largest scale.

Protecting a large organization and the people whose information it holds comes down to standardizing and improving this day-to-day work and continuously testing it to make sure it's right. It requires all business leaders to treat IT as they would any other critical piece of the company: by integrating it strategically and seriously accounting for its risks. If data-driven analysis is going to guide business for the foreseeable future, those making money from using it must do what is necessary to prevent that data from being exposed.

Mike Baukes is co-founder and co-CEO of UpGuard, a cyber resilience company based in Mountain View, California.
Comments
Octerain,
User Rank: Strategist
7/5/2017 | 2:30:13 AM
The value of YOUR data
Most companies record the assets and liabilities and account for these on an annual basis. Desks, chairs, machinery, equipment and all things mobile and nonremovable are recorded as assets. It becomes part of the net value of the company. 

Today we have spindles that host some of the most valuable assets, but this digital representation of assets never gets valued the same as stock or inventory. We therefore need a thought change about what are the intangible assets and how we value that so that we can afford it the proper protection.