Chaos is here. Qualified people in the cyber security industry have warned us for years that cyber-criminals will soon be ready to start all-out warfare, and that their primary targets are financial, healthcare, and government data. In general, these industries are not ready to defend against this type of attack.
The malicious attacks that have occurred to date, such as the theft of health, personal, and basic financial information, were mostly carried out simply to spread chaos and to gather basic information for committing fraud. That is not trivial, but imagine the following fictitious scenario.
With a stolen privileged user password and customized malware, the criminal can now breach the network perimeter of a major bank. This bank does not adhere to proper network segmentation practices, so the criminal next moves to the bank’s customer database, gaining access to, let’s say, 5 million mutual fund accounts.
Now inside, the criminals can alter the repository’s tables, resulting in cascading revisions to the numeric values of each account. They perform this manipulation over a 3-month period, matching the release of quarterly statements, so the lion’s share of customers won’t detect the problem until long after the criminals have pulled the plug and moved on. Making matters worse, this doesn’t occur on any specific date but is conducted on and off over weeks, which makes restoring the system impossible. What’s left is extensive manual recalculation, verification, and testing.
Over time, the bank’s customers realize that the institution to which they’ve entrusted their financial futures has been hacked and their accounts compromised. Regardless of the bank’s assurances that all funds are secure, customers panic when they’re told that it may take several months to determine the actual balance of their accounts and that all withdrawals may be suspended until the process is completed.
This is only one scenario. Consider if this were spread out over government sectors, utilities, and communications. I think utter chaos would best describe it.
Many organizations hold your personal information; nearly half admit that they’re incapable of detecting unauthorized data access. This is inexcusable and puts us all at risk of criminal manipulation and fraud.
Having a structured database security program is not an unattainable task, but it’s one that requires constant resources and the support of management, and one we have to be prepared to take on.
The constant threat of these types of attacks is a reality, and if carried out on a large scale, they could disrupt the financial fabric of the country.
It is sad that many organizations have yet to implement safeguards to detect this type of attack and remain unprepared to deal with the consequences. It is a call to arms for those who maintain and store confidential data to take the steps to protect against this threat.