Information security is often described using the CIA Triad. CIA stands for Confidentiality, Integrity, and Availability, the three properties of data that information security tries to protect. If we look at the CIA triad from the attacker’s viewpoint, they would seek to compromise confidentiality by stealing data, integrity by manipulating data and availability by deleting data or taking down the systems that host the data.
By far, most attacks have focused on disrupting confidentiality or availability, so defense mechanisms and training have also been focused there. The number of data breaches has skyrocketed and there is a flourishing market for stolen data including personal health information, credit card numbers, social security numbers, advertising lists, and proprietary technology. We also see many attacks on availability through Denial of Service.
Integrity attacks are much less commonplace, but they still represent a threat. Organizations must protect more than just confidentiality to be secure (see Overly and Howell’s Myth #3).
So what does an attack on integrity look like? Let’s look at three examples.
Enticing an opponent to make a bad decision
There is a software development saying that goes, “Garbage in, garbage out,” meaning if you let junk data into your program, it will produce junk for output. Similarly, junk data used in decision making will result in bad decisions. Integrity attacks of this sort aim to sabotage competitors or opponents by poisoning information stores that their competitors use to make critical decisions.
Exploiting temporary data inconsistencies
Attackers modify the time on a Network Time Protocol server so that door access control systems think it is the middle of the day instead of the middle of the night. Consequently, the doors unlock or require only a PIN instead of multi-factor authentication.
In another example, thieves momentarily inflate the balance of accounts before performing a wire transfer. In yet another, stock ticker symbols are changed in a trading company database, resulting in many incorrect stock transactions and inflated or deflated stock valuation by the market.
Hacktivists or cyber activists often employ online vandalism to spread their message and others vandalize sites for fun or to hurt brand image. For example, the FBI issued a warning in April that ISIL was mass-defacing WordPress websites using known vulnerabilities.
The good news is that many of the technical controls organizations already have in place to protect the confidentiality and availability of data can also be used to protect its integrity since attackers must exploit similar vulnerabilities or access the same systems on which they perform other attacks. However, procedures and training may need to be updated so that employees are aware of such threats and how to recognize them. Furthermore, the data that goes into critical decisions should be validated through alternate sources. Consider the following:
- Require application security assessments to address integrity as well as confidentiality and availability.
- Conduct a risk analysis of the loss of data integrity for key information systems and use these risk calculations to ensure that controls adequately address risk levels.
- Update security awareness training to include sections on data integrity, validation and incident reporting.
- Ensure that security policies and procedures address integrity as well as confidentiality and availability.
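The advice above to validate decision data through alternate sources can be applied to the door-access scenario, as in this added example (not from the original article). It cross-checks several independent clocks and falls back to multi-factor authentication when they cannot corroborate each other. The source names, the tolerance, the quorum size and the UTC business hours are assumptions, and the readings are constructed.

```python
from statistics import median

TOLERANCE_S = 120   # assumed maximum acceptable disagreement between sources
MIN_AGREEING = 2    # assumed minimum number of sources that must corroborate


def validated_time(readings, tolerance=TOLERANCE_S, min_agreeing=MIN_AGREEING):
    """Return (consensus_epoch, outliers); consensus is None without a quorum."""
    if not readings:
        return None, []
    mid = median(readings.values())
    agreeing = {n: t for n, t in readings.items() if abs(t - mid) <= tolerance}
    outliers = sorted(set(readings) - set(agreeing))
    # Require a strict majority of sources, and at least min_agreeing of them.
    if len(agreeing) < min_agreeing or len(agreeing) <= len(readings) / 2:
        return None, outliers
    return median(agreeing.values()), outliers


def door_policy(readings, business_hours=(8, 18)):
    """Pick the authentication strength; fail closed when time is untrusted."""
    now, outliers = validated_time(readings)
    if now is None:
        return "mfa_required", outliers
    hour = int(now // 3600) % 24  # hour of day in UTC
    if business_hours[0] <= hour < business_hours[1]:
        return "pin_only", outliers
    return "mfa_required", outliers


if __name__ == "__main__":
    # Constructed readings (epoch seconds): the NTP value has been pushed to
    # midday while two independent clocks still report 22:13 UTC.
    sample = {
        "ntp_internal": 1_699_964_000,
        "gps_clock": 1_700_000_000,
        "rtc_local": 1_700_000_003,
    }
    decision, suspect = door_policy(sample)
    print(decision, "- sources to investigate:", suspect)
```

The list of outlying sources returned alongside the decision is what an operator would alert on, since a clock that disagrees with its peers is itself an integrity signal.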