When trust fails, thieves rush in
RSA 2016 For years, the security industry has been primarily focused on stopping data theft, but more and more people in the trade are worried that the next wave of attacks won’t steal data, but alter it instead.
On Tuesday, the head of the NSA named data manipulation as one of his top three nightmares, and other vendors are agreeing with him.
Caleb Barlow, VP at IBM Security, told The Reg that the firm is already seeing the first signs of this kind of attack and the potential problems could be huge.
On a basic level, this could be as simple as adjusting credit scores or college grades, but there’s not a lot of money in that. When you’re dealing with bank or retirement accounts the situation is more lucrative, but Barlow thinks the biggest score is market manipulation.
“Think of all the things you can manipulate if the data is different,” he said. “Changing a company’s figures could make them make decisions that would affect the stock price.
If the attacker than shorts the stock, or buys expecting a rise, then any funds earned will be totally laundered, without having to worry about Bitcoins or money mules.”
The problem with such data manipulation, from an end-user’s perspective, is that we have grown so used to trusting data that convincing the company that’s been hit that there’s a problem may be very difficult.
This was bought home when an IBM employee had his medical records altered so that the attacker could get a $20,000 operation on his account.
The employee had to physically go to the insurance firm and take off his shirt to show no operation had taken place.
To counter this, companies need to get a lot tighter on using encryption to ensure data security, he said.
Strong crypto is going to be vital to protect data.
In the meantime, keep paper records for everything. ®
Sponsored: DevOps: hidden risks and how to achieve results