Friday, 15 November 2013

Six Degrees of Separation: Why Your Data is More Valuable than You Think

When discussing data security, I often hear statements shrugging off potential threats:
  • “We aren’t a bank — there’s nothing to steal.”
  • “Everything we have is public record.”
  • “Our projects are so big nobody would benefit from stealing the contracts. Only one company is big enough to take it.”
These statements show a clear lack of recognition of the end-goals and the techniques, tactics and procedures (TTPs) used by the modern threat actor.
Let's take a moment to consider what the value of any piece of data might be to the organized and technically advanced teams of people who orchestrate global cyber attack campaigns. The least obvious data snippets could help these groups infiltrate your network.
And the goal of the threat actor could be any number of things — financial or otherwise. Cybercrime is not exclusively a “for-profit” business; hacktivism, for example, remains a serious problem in many parts of the world.
Play the six degrees of separation game with your own LinkedIn account, Facebook account, or address book. Six connections from your Facebook profile to, say, the CEO of a global company isn’t difficult to imagine. And it’s safe to say that, in your address book, you are six or fewer hops away from your office’s network administrator. The possibilities are endless. Those natural connections could all be stepping stones in the cyber attacker’s path to the ultimate target.

Sweat the details

The smallest details can help a cybercriminal fabricate a more believable email or a more effective social engineering tactic. Having a signature with the right phone numbers at the bottom of an email could make the difference between a phishing email being opened and being reported as malicious.
Examples include:
  • An address book from a system that includes the organizational structure of a team, giving threat actors a whole group of people to target
  • Internal company URLs from your address book that provide a network map or information on the types of systems being used
All of these pieces of information can be used by cyber attackers to build a virtual dossier of targets: a profile of how they interact, interconnect, communicate, and behave.

Your data can be used in ways you never expect

The art of reconnaissance is alive and well and it is regularly being exploited to the maximum by threat actors large and small. Those serious about stealing information or wreaking havoc do not always smash their way into networks and systems with brute force. Instead, they are stealthy, ingenious — and more than happy to play the waiting game to get to the information they seek.
The immediate business risk posed by losing information must play a large part in the security equation. Assuming that you’re safe because the content of your PCs or database offers no obvious financial gain overlooks the real reasons that many organizations or networks are infiltrated and exploited.
Cyber attackers understand precisely how valuable your data is. You should, too.
