You go into the police station to get fingerprinted for a routine background check. The police run the prints, compare them to their database, and in an instant guns are drawn on you as you're being handcuffed and dragged to jail on murder charges. Sound impossible?
There's been a lot of data breaches lately, and the numbers seem to be constantly increasing. From the high profile attacks against the likes of Ashley Madison and Sony Pictures, to the lesser known breaches like Kmart Australia and Systema Software, it's practically becoming routine to read a headline that says, "Company X breached; data on millions of users stolen," and there doesn't appear to be a way to stem the tide.
But what if I told you that these breaches are better than what we're likely to see in the future?
There are three basic tenants in IT security: Confidentiality, Integrity, and Availability, otherwise known as the CIA triad. Two of the terms are straight forward: When talking about availability, we're referring to users being able to access a service when they want to, while confidentiality refers to keeping private data private. The last tenant, integrity, is one we don't hear about very often, but it refers to ensuring that data within a system is accurate and protected from unauthorized modification, and this is where I believe future security breaches will focus.
Our older users will remember when everyone was throwing up their own website in the 90s. Animated GIFs of burning skulls and dancing babies were everywhere, and practically anyone could
throw up a storefront by purchasing some software and adding it to their site. With the massive proliferation of these new sites, there was a big issue: Nobody considered security, resulting in the early sites being constantly hacked with home pages replaced with messages announcing the hacking group that defaced the site. It seemed that nobody was safe, and even ID Software was burned in January, 2000. These attacks were annoying, but generally only impacted the availability portion of the CIA triad.
We've now moved past simple website defacements. Most attacks are coordinated, and Advanced Persistent Threats, where an attacker scouts their target for months, are becoming normal. At a recent conference I attended, I learned about the CEO of a Fortune 50 company who was the victim of an elaborate spear phishing attack. The bad guys researched everything they could on not only the company, but the employees as well. They knew the CEO's family members, knew where his children attended school, and knew details about the school itself. They then sat on that information and waited until there was an unrelated issue at the school his children attended to send a PDF to the CEO. The document was written on school letterhead, had the principal's signed name, and had the names of his children. It simply said that his children were safe and that there was no need to come down to the school because everything was under control. The problem for the company was that the PDF had a malicious payload that was then used to infiltrate the corporate network. Using this as a foothold, the attackers then moved their way through the network, compromising data that they had no right to see.
These types of attacks go against the confidentiality point of the CIA triad, and is where we currently are within information security: Bad guy attacks company; bad guy gets into company network; bad guy steals data and posts it online or sells it on the Dark Web.
Following this progression, it's safe to assume that the next phase of attacks will go against the integrity of the data. We trust that computers always give us the right answer, as evidenced by the ever-popular, "I saw it on the Internet, so it must be true," meme. While stealing data and selling it on the black market is good for a quick buck, the real power comes from controlling that data.
Think about the recent OPM breach, where data on every United States Federal employee was stolen. Not only were social security numbers taken, but also sensitive data like fingerprints. Now imagine that instead of the attackers stealing all of the data, they instead modified fingerprint data. Maybe they put their own fingerprints in place of an undercover agent's. Or maybe they simply change the fingerprints so that when an agent tries to confirm their identity, they're seen instead as a convicted felon. Perhaps instead of breaking someone out of a prison by force, an attacker modifies the convict's data to issue them an early release. Or in a more mundane use, simply change your credit card account to "paid in full" or reverse a payment of someone you don't like.
Considering it takes nearly a year to detect the average security breach, is it really that far-fetched to think that impacting data integrity will soon be more advantageous than simply attacking the confidentiality of the data?
Data integrity was an issue back in the early days of the web too, although it generally wasn't attacking information stored on servers. The most well known threat was against the aforementioned shopping carts that everyone installed on their site. Attackers would put products in the cart, go to checkout, and were then able to modify the price to whatever they wanted to pay before clicking the submit button. These flaws were generally easy to spot, but with the amount of data ever expanding, knowing what the "correct" values are supposed to be is more and more difficult.
None of this means we should stop using the Internet. On the contrary, even if you try to disconnect, companies you do business with already store your data online, as do government agencies, so that genie is already out of the bottle. And sadly, most of this is out of our individual hands since we have to rely on others to secure our data. However it does mean we should demand that organizations institute safeguards to protect the integrity of the data because while confidentiality and availability are important, integrity is arguably the most important.
I wish I had a silver bullet that I could use to solve all of these problems, but the fact remains that the more connected and "always on" we become, the more systems need to be exposed in order to work. Whereas in the past, all private data was stored deep within the walls of an organization, now it's available front and center to access with the click of a button, and as the old saying goes, "as usability increases, security decreases."