Information security is often described using the CIA Triad. CIA stands for Confidentiality, Integrity, and Availability, the three properties of data that information security tries to protect. If we look at the CIA triad from the attacker’s point of view, an attacker seeks to compromise confidentiality by stealing data, integrity by manipulating data, and availability by deleting data or taking down the hosting system.
By far, most attacks focus on disrupting the confidentiality or availability of data, so defense mechanisms and training have also been focused there. The number of data breaches has skyrocketed, and there is a flourishing market for stolen information, including personal health information (PHI), credit card numbers, social security numbers and other personal information, and proprietary technology. We also see many attacks on availability through Denial of Service.
What An Integrity-Based Attack May Look Like
Integrity attacks are much less common, but they still represent a threat. Organizations must protect more than just confidentiality to be secure. So what does an attack on integrity look like? Let’s look at three examples.
1. Enticing an Opponent to Make a Bad Decision
There is a software development saying that goes, “Garbage in, garbage out,” meaning if you let junk data into your program, it will produce junk for output. Similarly, junk data used in decision making will result in bad decisions. Integrity attacks of this sort aim to sabotage competitors or opponents by poisoning information stores that their competitors use to make critical decisions.
2. Exploiting Temporary Data Inconsistencies
Attackers modify the time on a Network Time Protocol server so that door access control systems think it is the middle of the day instead of the middle of the night. Consequently, the doors unlock or require only a pin instead of multi-factor authentication.
In another example, thieves momentarily inflate an account balance before performing a wire transfer, or stock ticker symbols are changed in a trading company’s database, resulting in many incorrect stock transactions and inflated or deflated stock valuations by the market.
3. Online Vandalism
Hacktivists or cyber activists often employ online vandalism to spread their message, and others vandalize sites for fun or to hurt a brand’s image.
The good news is that many of the technical controls organizations already have in place to protect the confidentiality and availability of data can also protect its integrity, since attackers must exploit similar vulnerabilities or access the same systems they use for other attacks. However, procedures and training may need to be updated so that employees are aware of such threats and how to recognize them. Furthermore, the data that goes into critical decisions should be validated through alternate sources. Consider the following:
- Require application security assessments to address integrity, as well as confidentiality and availability.
- Conduct a risk analysis of the loss of data integrity for key information systems and use these risk calculations to ensure that controls adequately address risk levels.
- Update security awareness training to include sections on data integrity, validation, and incident reporting.
- Ensure that security policies and procedures address integrity, as well as confidentiality and availability.
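The NTP example above and the advice to validate decision inputs through alternate sources can be combined into one control. The following is an added example, not code from the article: a door access controller that cross-checks several independent clocks (the NTP-fed system clock, a battery-backed RTC, a GPS receiver, all constructed here) and falls back to multi-factor authentication whenever they disagree, so a single manipulated time source cannot relax the control. The skew tolerance and business hours are assumed values.

```python
from datetime import datetime, timedelta, timezone

# Added example (not from the article). A tampered NTP server can only move one
# of the controller's clocks; cross-checking independent sources and failing
# toward the stronger control turns that integrity attack into a detectable
# inconsistency instead of an unlocked door.
MAX_CLOCK_SKEW = timedelta(minutes=5)   # assumed tolerance between honest clocks

def utc(hour, minute=0):
    """Constructed reading on a fixed date; only the time of day matters here."""
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)

def clocks_agree(readings, tolerance=MAX_CLOCK_SKEW):
    """True only when every reading lies within `tolerance` of every other one."""
    readings = list(readings)
    if len(readings) < 2:
        return False          # one source cannot be validated against another
    return max(readings) - min(readings) <= tolerance

def is_daytime(t):
    """Assumed business hours: 08:00 to 18:00, during which a PIN alone suffices."""
    return 8 <= t.hour < 18

def required_auth(readings):
    """Return 'pin' only if all sources agree and all say daytime; else 'mfa'.
    The relaxed control is the exception, so any inconsistency fails toward MFA."""
    readings = list(readings)
    if not clocks_agree(readings):
        return "mfa"
    if all(is_daytime(t) for t in readings):
        return "pin"
    return "mfa"

# Constructed scenarios: [NTP-fed system clock, battery-backed RTC, GPS receiver].
# In the tampered case only the NTP-fed clock has been pushed to midday.
HONEST_DAY = [utc(13, 0), utc(13, 1), utc(13, 2)]
HONEST_NIGHT = [utc(2, 0), utc(2, 1), utc(2, 2)]
TAMPERED_NTP = [utc(13, 0), utc(2, 1), utc(2, 2)]

if __name__ == "__main__":
    for name, r in [("honest day", HONEST_DAY), ("honest night", HONEST_NIGHT),
                    ("tampered NTP", TAMPERED_NTP)]:
        print(f"{name}: NTP clock alone says daytime={is_daytime(r[0])}, "
              f"cross-checked decision={required_auth(r)}")
```

The same pattern (refuse the relaxed or high-impact action when independent sources disagree) applies to the account-balance example: a transfer check that compares the live balance against a second ledger before approving.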