Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Data leaks evolving into weapons of business destruction

Maria Korolov | Oct. 4, 2016
Increasingly, attackers are using data leaks to target the companies themselves, going after proprietary or embarrassing information and releasing it in such a way as to do the most harm

WestPak Capital: Last week, attackers published internal files from the Los Angeles-based investment firm in retaliation for a non-payment of ransom.

"What they need to do, in order to really cause a mess in the U.S., is to get us to question the electoral process and the result of the election," he said. "We'll be paralyzed for months if that happens. We're already doing it by ourselves, but if we're on the edge of the cliff, they can do a lot to push us over the edge of the cliff."

And the information doesn't even have to be accurate, he added.

A Russian news organization aired a story that said that a hard-core, right-wing candidate had won an election in the Ukraine based on supposedly leaked information from the Ukrainian election authorities -- but the hackers had not actually succeeded in breaking in, and the leaked information was completely fictitious.

The emergence of platforms like Wikileaks, which earned their reputation based on whistle-blowers like Edward Snowden, can provide a cover for these kinds of attacks.

"You can leverage dissident hacktivist groups, and if there aren't any dissident hacktivist groups, you can make them up," Meyers said.

"What's most concerning is they've established that there's credibility around the documents, and if they were to start putting fake stories in there, it would be very difficult to go through and validate that as not true," he said. "Verification of these documents is very difficult and time-consuming. And it might be irrelevant if it's true or not -- the damage would have been done."

A nation-state in particular might take a long-term view and leak real documents through a particular platform in order to establish its credibility.

"If I am a nation state, I might want to appear to be a hacktivist or freedom fighter, establish a reputation over time, and then strategically use those leaks -- maybe even modify some of that data," said Rich Barger, chief intelligence officer and director of threat intelligence at ThreatConnect. "A few sentences here or there, and I might begin to introduce some fake information. If I have enough of a following, and I do it long enough, I'll have established trust and folks wouldn't be as critical or look as deep into the information I put out."

Plan for failure

Better security and employee education may reduce risk of data leaks but won't eliminate it, and companies need to plan for the worst case scenario.

"If you're doing things that you think would be embarrassing on the front page of the New York Times, then it's going to get on the front page of the New York Times," said French Caldwell, chief evangelist at security firm MetricStream and former Gartner vice president specializing in risk management.


Previous Page  1  2  3  4  5  6  Next Page 

Sign up for CIO Asia eNewsletters.