New Data Integrity Attacks on the Block

Stormy weather ahead
Bruce Potter, Ponte Technologies
Yuval Ben-Itzhak, Finjan
Steve Moyle, Secerno

Since the very early days of cyberthreats, we have seen aggressive challenges to the availability of data, which can be considered the first wave of attacks. These include the first PC malware, which aimed to trash the hard disk, and denial of service attacks on web servers. Then came attacks on data confidentiality, with an emphasis on stealing personal records. Now, we’re starting to see attacks on the integrity of data.

Most vendor offerings in the information security space focus on availability and confidentiality, because these are the well-established disciplines of business continuity and more recently, of data leakage prevention. Concerns over data leakage have resulted in a large number of vendors gladly providing anyone that can afford it with a solution of sorts. However, these data leakage concerns are still all about confidentiality, since the internal availability problems have been resolved.

What vendor offerings lack, however, is a product that specializes in protecting data integrity, or data integrity protection (DIP).

Bruce Potter, organizer of the east coast Shmoocon security conference and founder of security consulting firm Ponte Technologies, agrees that data integrity attacks have not yet found their way onto the general infosecurity landscape.

“Very little time and money has been invested into maintaining the integrity of the data these businesses rely on. As we get better at protecting the networks and systems, attackers will be forced to become more targeted in their objectives and methods, and this will likely result in direct attacks against mission critical data,” he says.

“These attacks are going to be difficult to detect and defend against given the pervasiveness of critical data in most enterprises, and the inability of organizations to control access and modification for this data. These attacks, while subtle, can be devastating to the victim organization.”

The Advent of Recognition

It’s been a few years since data integrity was called into question. When researching the vulnerabilities of networked CCTV systems a few years ago, the idea of tampering with video data in transit between the camera and the recording equipment was questioned. Data integrity is an important area of security that is in great need of further exposure and exploration.

If security professionals have considered this issue, even briefly, one can be sure that several criminals will have also considered attacks on data integrity, and many will have undoubtedly carried out research into such attacks.

Finjan chief technology officer Yuval Ben-Itzhak says that criminals have not only carried out research but are putting it into practice: "We have seen a large number of Trojans that are designed to steal confidential information from enterprises and individuals. These attacks are often mounted by organized criminal gangs, and sometimes by political activists.

“We expect criminal gangs to start mounting attacks on data integrity in the future - to either commit fraud on behalf of other commercial parties, such as granting quotas and rights or corrupting their data and placing them in breach of regulations and legislation,” he adds. “We also expect that activists will mount attacks on the data integrity of organizations that they are opposed to, such as pharmaceutical companies and defense contractors to disrupt their operations."

On December 12 2008, a Greenpeace blogger wrote about logging companies using “hackers to break into the Brazilian government's sophisticated tracking system and fiddle the records” to enable them to fill more than their quota. The attacks followed a Government decision to stop using paper records completely, and to only use web-based forms for processing information. 202 people are now facing charges for their involvement in this set of attacks on the various systems involved.

By hacking into the permit system, the logging firms made their timber shipments appear legal, and compliant with the forest management plans. “But in reality, they're trading illegal timber which is making the problem of deforestation worse,” said André Muggiati, campaigner in Greenpeace's Amazon office in Manaus. “A lack of control and policing in the areas they're logging means they think they can get away with it."

The above example, and there are probably many others, shows that reports of such incidents are categorized by the criminal charge, which in this case is fraud, and not necessarily by the type of attack. Consequently, such attacks may go unrecognized as attacks on data integrity by the rest of the security community.

First Comes Acceptance

The first step to finding a solution is to recognize that the problem exists. Whether or not your organization has experienced a data integrity attack, such attacks are not only feasible but do exist. More importantly, without being aware of it, you have probably already experienced attacks upon your data integrity.

Increasingly, more of an organization’s assets are held in its information. It is therefore important to understand some of the problems and challenges in the creation, storage and usage of those information assets in relation to their integrity and attacks on that integrity.

Those wishing to avoid a data integrity attack face various challenges. The first is the challenge of implementing regular review mechanisms to maintain integrity. The process of creating data verified as having integrity is in many organizations a new concept, or if they are smart enough, a new discipline. For many, it's not even on the radar. The problem here is the assumption that all data has equal integrity.

An organization also has to know which company records lack integrity in the first place. It is often highly unlikely that the integrity of data will be questioned at all, and the data will remain in its inaccurate state until it needs to be used by someone who either knows what values should be there, or checks it against another reliable source.

Questioning the integrity of the data includes understanding its source. Most businesses use analysis reports and don't verify the values that should be there. The challenge for them is to verify the integrity of all sources whether they are internal or external. Investments must also be made in quality research into insider integrity attacks.

When the data is found, most businesses don't have processes in place to enable affected individuals to correct data about them in a way that maintains data integrity. Data in the form of personal information is plentiful, but not always visible. Many of the subjects of the data are not aware that it exists.

The final challenge is to prepare the organization for the most advanced level of the attack lifecycle for the most critically important data. Data integrity attacks can take so many different forms, which will evolve in different ways.

There are several approaches to breaking down the attack lifecycle. In the early phase, attacks on availability and confidentiality are little more than proofs of concept, but as attackers’ skills develop, the attacks become more targeted, followed by a sophisticated action phase. Organizations can be targeted at any time. The security industry must learn from these attacks and respond to future incidents.

What’s next?

Until the TJX disclosure of 2007, there were very few public disclosures acknowledging that data loss was an issue. Since then, there have been many other private and public sector disclosures. In the same light, we are unlikely to hear of any incidents of data integrity attacks until there are public disclosures.

Given that attacks will become more targeted and more sophisticated, data integrity will continue to be swept under the carpet until we have a prominent public disclosure. This will hopefully open the floodgates for others to admit that they too have been subject to targeted data integrity attacks.

Steve Moyle, co-founder and chief technology officer at Secerno, emphasizes that although perhaps unrecognized, data integrity attacks are already a reality. “Attackers in the far east have produced SQL injection attacks to ruin the integrity of text content in databases so that the web pages served up automatically get redirected to malware sites without any warning,” he says. “This was among the most popular types of attack in 2008, hitting over 500 000 pages. In this case the change in the text data can be easily detected. Much more sinister schemes are possible whereby data owners would not know what content was genuine and what was fake.”
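
The harder case Moyle describes, where a changed value looks as plausible as the genuine one, needs a reference that the attacker cannot rewrite. The sketch below is an added example, not from the article or any vendor named in it: the application seals each row with an HMAC under a key kept outside the database, and an audit pass flags rows that were changed behind its back. The `permits` table, its columns and the key are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed key for the demo. In practice it is held outside the database
# (secrets manager, HSM) so a SQL-level attacker cannot re-seal altered rows.
SEAL_KEY = b"constructed-demo-key-not-for-production"

def seal(row_id, holder, quota_m3):
    """HMAC-SHA256 over a length-prefixed (unambiguous) encoding of the row."""
    mac = hmac.new(SEAL_KEY, digestmod=hashlib.sha256)
    for field in (str(row_id), holder, str(quota_m3)):
        data = field.encode("utf-8")
        mac.update(len(data).to_bytes(4, "big") + data)
    return mac.hexdigest()

def build_demo_db():
    """Constructed sample data: a hypothetical permits table with sealed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE permits "
               "(id INTEGER PRIMARY KEY, holder TEXT, quota_m3 INTEGER, seal TEXT)")
    for row in [(1, "Firm A", 1000), (2, "Firm B", 2500), (3, "Firm C", 800)]:
        db.execute("INSERT INTO permits VALUES (?, ?, ?, ?)", (*row, seal(*row)))
    return db

def audit(db):
    """Return the ids of rows whose stored seal no longer matches their content."""
    tampered = []
    query = "SELECT id, holder, quota_m3, seal FROM permits ORDER BY id"
    for row_id, holder, quota, stored in db.execute(query):
        if not hmac.compare_digest(seal(row_id, holder, quota), stored or ""):
            tampered.append(row_id)
    return tampered

if __name__ == "__main__":
    db = build_demo_db()
    print("before:", audit(db))
    # Simulates a write that bypassed the application, so the seal is stale.
    db.execute("UPDATE permits SET quota_m3 = 9000 WHERE id = 2")
    print("after: ", audit(db))
```

Per-row seals do not catch deleted rows or a row rolled back to an older sealed value; those need a sealed row count or a chained log on top.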

Once in the public eye, it will become apparent that data integrity attacks are not just from outsiders and third party contractors, but also trusted insiders. As these events take place we will see vendors starting to sell DIP solutions.

Until then, organizations should undertake data asset ownership and valuation projects as a starting point. After you know what you should be protecting, you can undertake a risk management approach, and apply appropriate measures. Depending on the organization’s business and data, it should also have a formal data integrity protection policy, together with a quality data program, all wrapped up with some awareness training. Lastly, whenever the organization is ready, it will need to introduce an auditing program for its controls.

Sarb Sembhi is the president of ISACA London Chapter, and editor of Virtually Informed.