Data Manipulation: An Imminent Threat

Critical industries are largely unprepared for a potential wave of destructive attacks.

John Moynihan, President, Minuteman Governance

September 12, 2016

4 Min Read

An approaching cyber storm—one capable of unleashing unprecedented chaos—is looming on the horizon of the United States’ public and private sectors. Although experts warn that attackers are poised to launch sophisticated campaigns designed to manipulate financial, healthcare, and government data beyond recognition, our critical industries remain largely unprepared for these potentially destructive attacks.

To date, those capable of conducting malicious cyber operations have been intent upon stealing personal, health, education, and financial information and pilfering the precious intellectual property of leading defense, technology, and manufacturing corporations. Their motive: to spread chaos. At separate events in August, I listened as General Gregory Touhill, just named by the White House as the first federal chief information security officer, and Theresa Payton, a former White House CIO, cautioned that data manipulation attacks are coming. Assuredly, the cyber threat landscape is about to shift dramatically.

The following represents a simplified example of what a data manipulation attack might look like and the widespread disruption that could ensue.

Through the deployment of a stolen privileged user password, customized malware, or other form of cyber weaponry, an adversary is able to penetrate the network perimeter of a major financial institution. Because most organizations lack proper network segmentation, the hackers immediately proceed to the organization’s digital treasure chest: the customer database. Soon thereafter, the undetected visitors gain access to a database that houses the intricate details of 3 million mutual fund accounts.

Once inside the database, the electronic invaders begin to systematically alter the repository’s tables, resulting in cascading revisions to the numeric values of each account. The systematic manipulation is performed over a three-month period, coinciding with the issuance of quarterly statements, so that most customers won’t notice the problem until the attack is over and the culprits long gone. Further, given that the manipulation doesn’t occur on any specific date but conducted over several weeks, correcting the problem through a single system restore is impossible. The remediation process will require extensive and manual recalculation, verification, and testing.

Eventually, customers realize that the institution to which they’ve entrusted their financial futures has been hacked and their 401(k) accounts compromised. Regardless of the bank’s assurances that all funds are secure, customers panic when they’re told that it may take several months to determine the actual balance of their accounts and that all withdrawals may be suspended until the process is completed.

Consider the impact of similar data manipulation campaigns, conducted simultaneously, throughout the healthcare, government, manufacturing, and telecommunications sectors. Widespread chaos would be an understatement.

Who's Watching?
To those who assume that critical databases are well protected from this form of malice, the findings contained within a recent Osterman Research survey suggest otherwise. The research, which surveyed approximately 200 organizations with an average workforce of 22,000, reveals an astonishing lack of database oversight. Among the report’s most glaring statistics, 47% of respondents acknowledged that no individual or functional group is responsible for monitoring databases for unauthorized activity.

In other words, although many organizations maintain your personal information within databases, nearly half admit that they’re incapable of detecting unauthorized data access. This inexcusable situation exposes the personal information of many Americans to the imminent risk of theft and manipulation.

Although adopting a structured database security program is not an insurmountable task, it’s one that requires ongoing resource commitment and the support of executive management. Twenty years ago, at the direction of a forward-thinking senior manager, I implemented a public sector database security program. Without the benefit of the advanced solutions currently available, an innovative group of technology professionals and information security auditors developed an ongoing process to detect unauthorized database activity in a timely fashion. Throughout the 10 years that I managed this program, several unauthorized accesses were quickly identified and disrupted through this continuous monitoring process. If we could monitor databases for malicious activity back then, surely most can do so now.

The threat of a coordinated data manipulation campaign is a reality that has the potential to overwhelm critical industries and disrupt the economic and social fabric of the United States. Unfortunately, many organizations have yet to implement the basic safeguards necessary to swiftly detect this type of electronic attack and therefore remain totally unprepared to prevent the consequences. It’s time for those who maintain our most confidential data to take the steps necessary to protect against this emerging threat by deploying more robust detection measures and implementing an ongoing monitoring program.

Related Content:

About the Author(s)

John Moynihan

President, Minuteman Governance

John Moynihan, CGEIT, CRISC, is President of Minuteman Governance, a Massachusetts cybersecurity consultancy that provides services to public and private sector clients throughout the United States. Prior to founding this firm, he was CISO at the Massachusetts Department of Revenue from 1997-2008. He has published several articles, presents at major industry events and regularly provides media commentary on evolving cyber security issues.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights