In the wake of many high-profile data breaches, we may have been oblivious to the potentially greater danger posed by a different kind of hack. As LA Progressive discussed in a recent article, imagine that a major food company gets hacked. But this time, instead of leaking the company's proprietary information or encrypting its systems with ransomware, the hackers manipulate the data on which the company relies. Expiration dates on milk cartons get scrambled so that some are thrown away early while others make people sick, despite appearing within their use-by date. Figures are changed slightly on pending invoices to vendors, altering the company's balance sheets by hundreds of thousands of dollars. Small changes are made to food-safety tests so that a dangerous product now looks like it is passing regulation tests.
Would the company notice such changes happening? How could its investors accurately assess the company's value when all of its financials might be based on faulty information? How might its customers and suppliers respond? With lawsuits?
Unlike "information-gathering" hacks (where data is stolen because it is valuable) or "hold hostage" attacks (when data is encrypted until someone pays to release it), "manipulation hacks" are hard to detect. They result when individuals (or, worse yet, bots) illegally change vital information in ways that don't obviously attract attention.
The example above is bad enough, but apply the same scenario to banks, medical institutions, and government organizations and it is even more frightening.
How do we detect and stop data manipulation? We need to design systems that are carefully watching for manipulation. Hard or offline backups are essential, and data holders should develop systems to regularly compare live versions of their data to their backups. (According to Osterman Research, most companies don't do this continuously, and some don't do it at all.)
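The backup comparison described above can be sketched in a few lines. This is an added example, not code from the article or from Osterman Research; the record ids, field names, values, and the `AUTHORIZED` change log are all constructed for illustration. It keeps a per-record digest manifest from the offline backup and reports any live record that differs without an approved change to explain it.

```python
import hashlib
import json

# Constructed sample data: records as they stood in the offline backup.
BACKUP = {
    "milk-lot-1041": {"expires": "2024-06-01"},
    "milk-lot-1042": {"expires": "2024-06-03"},
    "invoice-7731": {"vendor": "Example Dairy", "amount": "18250.00"},
    "safety-test-88": {"product": "yogurt", "result": "fail"},
}
# Constructed sample data: the same store as it looks today.
LIVE = {
    "milk-lot-1041": {"expires": "2024-06-09"},            # date shifted
    "milk-lot-1042": {"expires": "2024-06-03"},            # untouched
    "invoice-7731": {"amount": "18750.00", "vendor": "Example Dairy"},  # approved edit
    "invoice-7732": {"vendor": "Example Dairy", "amount": "400.00"},    # approved new
}
# Hypothetical change log: record ids changed through the normal approval process.
AUTHORIZED = {"invoice-7731", "invoice-7732"}


def digest(record):
    """SHA-256 over canonical JSON, so field order does not affect the result."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def build_manifest(records):
    """Per-record digests: the small file you keep offline next to the backup."""
    return {rid: digest(rec) for rid, rec in records.items()}


def unexplained_changes(manifest, live, authorized):
    """Return sorted (record_id, status) pairs that no approved change explains."""
    findings = []
    for rid in sorted(set(manifest) | set(live)):
        if rid in authorized:
            continue
        if rid not in live:
            findings.append((rid, "missing"))
        elif rid not in manifest:
            findings.append((rid, "added"))
        elif digest(live[rid]) != manifest[rid]:
            findings.append((rid, "modified"))
    return findings


if __name__ == "__main__":
    for rid, status in unexplained_changes(build_manifest(BACKUP), LIVE, AUTHORIZED):
        print(f"UNEXPLAINED: {rid} {status}")
```

The check is only as trustworthy as the manifest and the change log, so both belong somewhere the live system cannot write to.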
The article suggests there is a small silver lining: One of the easiest ways for organizations to defend against hackers is to beat them at their own game. When infiltrators can't tell what data is real, they won't know what actually might be of value. Emmanuel Macron's French presidential campaign, for instance, reportedly fooled hackers with fake data, which limited the effectiveness of campaign hacks as a result.
I read that with some trepidation. This seems to me to be a double-edged sword. We're having enough trouble identifying fake news without deliberately making more fake news up! If we start making up fake data, we may be compounding a problem rather than solving it.
Hat tip to Dave Ries.