Dark Reading is part of the Informa Tech Division of Informa PLC



08:00 AM
John Moynihan

Data Manipulation: An Imminent Threat

Critical industries are largely unprepared for a potential wave of destructive attacks.

An approaching cyber storm—one capable of unleashing unprecedented chaos—is looming on the horizon of the United States’ public and private sectors. Although experts warn that attackers are poised to launch sophisticated campaigns designed to manipulate financial, healthcare, and government data beyond recognition, our critical industries remain largely unprepared for these potentially destructive attacks.

To date, those capable of conducting malicious cyber operations have been intent upon stealing personal, health, education, and financial information and pilfering the precious intellectual property of leading defense, technology, and manufacturing corporations. Their motive: to spread chaos. At separate events in August, I listened as General Gregory Touhill, just named by the White House as the first federal chief information security officer, and Theresa Payton, a former White House CIO, cautioned that data manipulation attacks are coming. Assuredly, the cyber threat landscape is about to shift dramatically.

The following represents a simplified example of what a data manipulation attack might look like and the widespread disruption that could ensue.

Through the deployment of a stolen privileged user password, customized malware, or other form of cyber weaponry, an adversary is able to penetrate the network perimeter of a major financial institution. Because most organizations lack proper network segmentation, the hackers immediately proceed to the organization’s digital treasure chest: the customer database. Soon thereafter, the undetected visitors gain access to a database that houses the intricate details of 3 million mutual fund accounts.

Once inside the database, the electronic invaders begin to systematically alter the repository’s tables, resulting in cascading revisions to the numeric values of each account. The systematic manipulation is performed over a three-month period, coinciding with the issuance of quarterly statements, so that most customers won’t notice the problem until the attack is over and the culprits long gone. Further, given that the manipulation doesn’t occur on any specific date but is conducted over several weeks, correcting the problem through a single system restore is impossible. The remediation process will require extensive and manual recalculation, verification, and testing.

Eventually, customers realize that the institution to which they’ve entrusted their financial futures has been hacked and their 401(k) accounts compromised. Regardless of the bank’s assurances that all funds are secure, customers panic when they’re told that it may take several months to determine the actual balance of their accounts and that all withdrawals may be suspended until the process is completed.

Consider the impact of similar data manipulation campaigns, conducted simultaneously, throughout the healthcare, government, manufacturing, and telecommunications sectors. Widespread chaos would be an understatement.

Who's Watching?
To those who assume that critical databases are well protected from this form of malice, the findings contained within a recent Osterman Research survey suggest otherwise. The research, which surveyed approximately 200 organizations with an average workforce of 22,000, reveals an astonishing lack of database oversight. Among the report’s most glaring statistics, 47% of respondents acknowledged that no individual or functional group is responsible for monitoring databases for unauthorized activity.

In other words, although many organizations maintain your personal information within databases, nearly half admit that they’re incapable of detecting unauthorized data access. This inexcusable situation exposes the personal information of many Americans to the imminent risk of theft and manipulation.

Although adopting a structured database security program is not an insurmountable task, it’s one that requires ongoing resource commitment and the support of executive management. Twenty years ago, at the direction of a forward-thinking senior manager, I implemented a public sector database security program. Without the benefit of the advanced solutions currently available, an innovative group of technology professionals and information security auditors developed an ongoing process to detect unauthorized database activity in a timely fashion. Throughout the 10 years that I managed this program, several unauthorized accesses were quickly identified and disrupted through this continuous monitoring process. If we could monitor databases for malicious activity back then, surely most can do so now.
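As an added illustration (not part of the original article or of the program it describes), one form such continuous monitoring can take is a daily reconciliation of stored balances against an append-only transaction ledger. The table names, account IDs, and figures below are constructed, and the sketch assumes the ledger is kept where an intruder in the accounts database cannot alter it. It reports the first day each account drifted and how many ledger entries a single restore to before the earliest drift would discard.

```python
import sqlite3

# Constructed sample data; table and account names are assumptions.
LEDGER = [  # (account, day, amount): append-only transaction record
    ("A-1", 1, 1000.0), ("A-1", 3, 250.0),
    ("B-2", 1, 5000.0), ("B-2", 4, -500.0),
    ("C-3", 2, 800.0),
]
SNAPSHOTS = [  # (account, day, balance): daily copy of the stored balance
    ("A-1", 1, 1000.0), ("A-1", 2, 1000.0), ("A-1", 3, 1250.0), ("A-1", 4, 1250.0),
    ("B-2", 1, 5000.0), ("B-2", 2, 4950.0), ("B-2", 3, 4950.0), ("B-2", 4, 4450.0),
    ("C-3", 2, 800.0), ("C-3", 3, 800.0), ("C-3", 4, 792.0),
]

def load(conn):
    conn.execute("CREATE TABLE ledger(account TEXT, day INTEGER, amount REAL)")
    conn.execute("CREATE TABLE snapshot(account TEXT, day INTEGER, balance REAL)")
    conn.executemany("INSERT INTO ledger VALUES (?, ?, ?)", LEDGER)
    conn.executemany("INSERT INTO snapshot VALUES (?, ?, ?)", SNAPSHOTS)

def reconcile(conn, tolerance=0.005):
    """Map each drifting account to (first day of drift, drift on that day)."""
    rows = conn.execute("""
        SELECT s.account, s.day,
               s.balance - COALESCE((SELECT SUM(l.amount) FROM ledger l
                                     WHERE l.account = s.account
                                       AND l.day <= s.day), 0)
        FROM snapshot s ORDER BY s.account, s.day""")
    findings = {}
    for account, day, drift in rows:
        # Keep only the first day on which stored balance and ledger disagree.
        if abs(drift) > tolerance and account not in findings:
            findings[account] = (day, round(drift, 2))
    return findings

def entries_lost_by_restore(conn, findings):
    """Ledger entries discarded by one restore to before the earliest drift."""
    if not findings:
        return 0
    earliest = min(day for day, _ in findings.values())
    query = "SELECT COUNT(*) FROM ledger WHERE day >= ?"
    return conn.execute(query, (earliest,)).fetchone()[0]

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    load(conn)
    found = reconcile(conn)
    print(found, entries_lost_by_restore(conn, found))
```

Because the two altered accounts drift on different days, no single restore point is both clean and current, which is the remediation problem the scenario describes.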

The threat of a coordinated data manipulation campaign is a reality that has the potential to overwhelm critical industries and disrupt the economic and social fabric of the United States. Unfortunately, many organizations have yet to implement the basic safeguards necessary to swiftly detect this type of electronic attack and therefore remain totally unprepared to prevent the consequences. It’s time for those who maintain our most confidential data to take the steps necessary to protect against this emerging threat by deploying more robust detection measures and implementing an ongoing monitoring program.


John Moynihan, CGEIT, CRISC, is President of Minuteman Governance, a Massachusetts cybersecurity consultancy that provides services to public and private sector clients throughout the United States. Prior to founding this firm, he was CISO at the Massachusetts Department of ...

User Rank: Ninja
11/16/2016 | 9:32:08 AM
Cyber security
More of the attacks are coming our way and we are here as ordinary cyber users doing nothing. It is high time to take up the issue and secure our connection from being tracked by deploying a reliable VPN server like PureVPN, which offers great services at minimal costs. They have encrypted online connections which is good for security.
User Rank: Apprentice
9/13/2016 | 10:13:40 AM
The same will hit Internet of Things.
There is a big misconception about securing IoT systems: "who is interested in the data of this sensor?", for instance a temperature. Probably only the owner of the sensor. But this might not be the right question to ask. It should also include "can I trust that data?", especially if the temperature is measured to control something else automatically. Manipulating the temperature can destroy a steel mill furnace, or a shipment of deep-frozen fish. Just knowing that someone can take over your sensor also leaves you open to extortion schemes; "we want $$$ to NOT destroy your shipment, or plant".

Internet banking is built on trusting the user, the online bank and the transaction. An Internet of Things connected world requires the same level of trust to work.
Olaf Barheine
User Rank: Apprentice
9/12/2016 | 10:28:37 AM
What I do not understand...
It is everywhere the same, not only in the US. But I always wonder, what could be the reasons that companies are so unprepared? Is it because of the costs for security? Is it a lack of know-how? Do they still underestimate the threat of cyber attacks? Or what is it? I mean, the press is full of reports about successful cyber attacks. So everybody should know about the risks and take it seriously.