Virtualization and Cloud executives share their predictions for 2017. Read them in this 9th annual VMblog.com series exclusive.
Contributed by Jason Hart, Vice President and CTO for Data Protection, Gemalto
2017 Predictions: The Breach that Breaks the Camel's Back
It's December, the month when we both reflect on the year and look forward, and it will probably come as no surprise that I want to talk about data breaches again. In 2014, I predicted we would start taking data breaches more seriously, and last year I talked about how I expected to see an uptick in targeted attacks on personal and intellectual property data: the types of breaches where attackers are not just targeting data for its immediate value, but for its potential future value as well. In 2017, I expect that we'll see more precise and complex data integrity attacks, for financial gain or to embarrass victims, and we'll see one large attack that demonstrates the true pain of this type of attack. And I expect it will be in the type of industry or organization that shrugs and asks, "why would hackers target us?"
Data integrity attacks are not entirely new, nor do they have to be "big" to cause serious damage, but they do represent the ultimate weaponization of data. Instead of trying to steal large amounts of sensitive data, hackers focus on changing specific parts of transactions or information, or strategically leak the information obtained (think of Wikileaks and Hillary Clinton's emails this past summer), to gain a financial or political foothold. Because nothing is necessarily exfiltrated, an integrity attack can pass unnoticed by controls built to spot bulk data loss. For example, the Stuxnet worm allowed its operators to make very minor changes that had a major impact on Iran's nuclear program. Similarly, hackers used the same approach against large banks including JP Morgan, gaining an in-depth understanding of how internal operations worked. In late 2015, many suspected that the attack on Ukraine's power grid was the result of ongoing political disagreements with Russia, and the same could be said of early 2016, when Israel's electricity authority was hit by ransomware. Later this year, the World Anti-Doping Agency and Democratic National Committee breaches demonstrated how data can be manipulated to embarrass organizations.
So why do I think data integrity attacks will ramp up during the coming 12 months and continue over the next few years? The proliferation of the Internet of Things (IoT) means that hackers have a seemingly infinite number of attack surfaces and personas that they can manipulate. We are also increasingly feeding generated data straight into business decisions. Decision-making by senior government officials, corporate executives, investors and average consumers, about everything from investments to which traffic signals you should obey, will be impacted if they cannot trust the information they are receiving.
Before you pack your doomsday prep kit, there are some positive signs. Over the past few years, my conversations with customers have shifted from how to prevent breaches to how to protect DATA. Organizations have started to understand that breaches are not going away and that attack surfaces are constantly evolving. When I talk to the businesses we work with, one of the first questions I ask is, "What are you trying to protect?" Without understanding what data you're trying to protect, there is no point in spending money to protect it.
Companies need to start with a data-centric approach to security, because it is the data hackers are often targeting. While data mapping is important to help create a better understanding of threats, another concern is users and devices. We have found this year that personal and workplace identities are converging at an alarming rate. A recent survey revealed that 90% of enterprise IT professionals are concerned that employee reuse of personal credentials for work purposes could compromise security, yet over two thirds (68%) still say they would be comfortable allowing employees to use their social media credentials on company resources. It is an odd juxtaposition for companies to be concerned about the reuse of personal credentials while allowing access to company resources through third-party social sites.
All of these factors (IoT, a lack of two-factor authentication, third-party security risks and unencrypted data) compound the risk of large-scale data integrity attacks. One caveat worth stating plainly: encryption on its own protects confidentiality, not integrity. A record encrypted without an authentication tag or signature can still be modified in transit or at rest without the key, so integrity has to be an explicit control. We are just seeing the beginnings of these types of attacks. Take, for example, this year's U.S. election and the government and media debate around Russia's state-sponsored attacks to manipulate political decisions. Protecting the integrity of the data we consume will become even more crucial as more of our information moves to digital channels.
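The following is an added example, not code from the original post or from Gemalto, illustrating two points made above: that an integrity attack can alter one field of a transaction rather than steal the record, and that encryption alone does not stop this. The keys, nonce and transaction record are constructed for the demo (real keys would come from a key manager). The keystream is built from HMAC-SHA256 as a stand-in for a CTR-mode block cipher; the bit-flipping attack works identically against AES-CTR or any stream cipher.

```python
import hashlib
import hmac
import json

# Constructed sample transaction (not from any real system).
RECORD = {"amount": "00100.00", "currency": "USD", "from": "ACCT-1001", "to": "ACCT-2002"}

# Hypothetical fixed keys so the demo is deterministic; real code draws these from a KMS/HSM.
ENC_KEY = b"\x11" * 32
MAC_KEY = b"\x22" * 32
NONCE = b"\x00" * 12


def serialize(record: dict) -> bytes:
    # Canonical encoding: both the attacker and the verifier know every byte offset.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256, standing in for AES-CTR.
    # Any stream or CTR-mode cipher is malleable in exactly the same way.
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Bit-flipping attack: needs no key, only the record format and the original value.
    # C[i] ^ old[i] ^ new[i] decrypts to new[i] because the keystream cancels out.
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def encrypt_only(record: dict) -> bytes:
    # Confidentiality only: the data is unreadable but freely modifiable.
    return stream_xor(ENC_KEY, NONCE, serialize(record))


def decrypt_only(ciphertext: bytes) -> dict:
    return json.loads(stream_xor(ENC_KEY, NONCE, ciphertext))


def encrypt_then_mac(record: dict) -> bytes:
    # Encrypt-then-MAC: the tag covers nonce and ciphertext, so any flipped bit is caught.
    ct = stream_xor(ENC_KEY, NONCE, serialize(record))
    tag = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    return ct + tag


def verify_and_decrypt(blob: bytes) -> dict:
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: record was modified")
    return json.loads(stream_xor(ENC_KEY, NONCE, ct))


def amount_offset() -> int:
    # Byte offset of the amount digits inside the canonical JSON.
    return serialize(RECORD).index(b'"amount":"') + len(b'"amount":"')


def demo_malleable() -> str:
    # Returns the amount the recipient sees after a key-less modification of the ciphertext.
    ct = encrypt_only(RECORD)
    forged = tamper(ct, amount_offset(), b"00100.00", b"99100.00")
    return decrypt_only(forged)["amount"]


def demo_authenticated() -> bool:
    # Returns True when the same modification is detected and the record rejected.
    blob = encrypt_then_mac(RECORD)
    forged = tamper(blob, amount_offset(), b"00100.00", b"99100.00")
    try:
        verify_and_decrypt(forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("encrypt-only, tampered amount decrypts to:", demo_malleable())  # 99100.00
    print("encrypt-then-MAC, tampering detected:", demo_authenticated())   # True
```

The first demo shows the recipient reading a $99,100 transfer that was encrypted as $100, with the attacker never touching a key; the second shows the same edit rejected before the record is used. In production the same property comes from an AEAD mode such as AES-GCM or ChaCha20-Poly1305, or from a digital signature when the verifier must not hold the secret.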