
Data Thieves Want Your Columns—Not Your Rows

Oracle

At too many government agencies and companies, the security mindset, even though it’s never spoken, is that “We’re not a prime target, our data isn’t super-sensitive.”

The reality is that every piece of personal data adds to the picture that potential criminals or state-sponsored actors are painting of individuals. And that makes your data a target.

“Just because you think your data isn’t useful, don’t assume it’s not valuable to someone, because they’re looking for columns, not rows,” says Hayri Tarhan, Oracle regional vice president for public sector security.

Here’s what Tarhan means by columns not rows.

Imagine that the bad actors are storing information in a database (which they probably are). What hackers want in many data breaches is more information about people already in that database. They correlate new data with the old, using big data techniques to fill in the columns, matching up data stolen from different sources to form a more-complete picture. That picture is potentially much more important and more lucrative than finding out about new people and creating new, sparsely populated data rows. So, every bit of data, no matter how trivial it might seem, is important when it comes to filling the empty squares.

Say that Bob is a midlevel government employee, who also happens to drive an upscale SUV with four-wheel drive, buys new hiking boots each season from an online vendor, and lives in a neighborhood where voters tend to support a particular political party.

A data breach of the online shoe store reveals Bob’s password (and thousands of others). If Bob happens to use his work email for ecommerce, and the same password for the shoe store and his government workplace, perhaps the hackers now have the key to his government mailbox—from which they can learn about his agency, attempt to escalate access privileges, and expand horizontally to compromise databases, document repositories, and employee directories. If Bob has access to classified information, that info could be compromised, too.

Correlation can help as well. Say Bob doesn’t use the same email for shopping as for work. If he uses the same mailing address or mobile phone number, data thieves can correlate, and discover that bob@namelessagency.gov is the same person as bob@freeemailaddress.com. That information might also help bad actors target Bob for phishing spam that could trick him into installing malware on a government laptop. Oops.

That’s not all. Knowing that Bob drives an expensive vehicle might show that he’s interested in luxury goods, or has a well-paying job. If hackers can correlate an identity to a credit rating and learn he’s got a lot of debt, hmm, he might be susceptible to scam loan offers—“or might even be on the verge of bankruptcy, and potentially be a blackmail threat,” says Tarhan.

Knowing that Bob leans to one political viewpoint might encourage state-sponsored actors to target him with specific political messages via email, text messages, social media, or even display ads that follow him around the web.

At the same time hackers are compromising Bob, they’re also learning more about his job—and his government agency. Such details could provide a stepping-stone to plant long-term spyware, distribute malware, or compromise other employees.

When it comes to state-sponsored attackers, “they’re trying to get a clear picture of our government workers,” Tarhan says. “They truly want to know how our government works.”

Fighting Back with Machine Learning

Fortunately, not all is doom and gloom. There are effective techniques that can be employed to combat data breaches. One of the most important, given the level of automation used by attackers, is using AI techniques such as machine learning to discern normal access patterns, and to instantly spot anomalies (such as a login from an unusual location or a suspect data download that could signal a breach), and remediate the situation in real time.

It’s a different usage of the same technologies, for example, that Oracle uses to guard against service outages in its cloud services. “A breach is an outage with malice,” explains Tarhan. “Once we see it, we can automatically remediate using an orchestration engine. Detection alone isn’t enough: Fire alarms are good, but fire sprinklers are much better.”
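As an added illustration (not Oracle's code or product), the sketch below learns each user's normal access pattern, flags the two anomalies named above, and returns a remediation action rather than only an alert. A simple per-user statistical baseline stands in for a machine-learning model; the event fields, thresholds, action names, and sample data are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (user, login_country, megabytes_downloaded)
HISTORY = [
    ("bob", "US", 12), ("bob", "US", 9), ("bob", "US", 15),
    ("bob", "US", 11), ("bob", "US", 13),
    ("alice", "US", 40), ("alice", "CA", 35), ("alice", "US", 45),
]

def build_baseline(events):
    """Learn each user's usual login countries and download volume."""
    countries, volumes = defaultdict(set), defaultdict(list)
    for user, country, mb in events:
        countries[user].add(country)
        volumes[user].append(mb)
    return {
        user: {"countries": countries[user],
               "mean": mean(volumes[user]),
               "std": pstdev(volumes[user])}
        for user in volumes
    }

def score_event(baseline, event, z_limit=3.0):
    """Return the reasons an event deviates from the user's baseline."""
    user, country, mb = event
    profile = baseline.get(user)
    if profile is None:
        return ["unknown_user"]  # no history to compare against
    reasons = []
    if country not in profile["countries"]:
        reasons.append("unusual_location")
    spread = max(profile["std"], 1.0)  # floor so steady users don't divide by ~0
    if (mb - profile["mean"]) / spread > z_limit:
        reasons.append("suspect_download")
    return reasons

def remediate(reasons):
    """Hypothetical orchestration step: act on the finding, not just alert."""
    if not reasons:
        return "allow"
    if "suspect_download" in reasons:
        return "suspend_session"  # stop the transfer while it is in progress
    return "require_mfa"          # step-up check for odd location or new user
```

The remediation step is the "sprinkler" half of the analogy: scoring alone only raises the alarm.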

Information isn’t only the lifeblood of companies—protecting those data columns is essential to safeguarding individuals, governments, and our society. Machine learning is a key ingredient, and Tarhan is giving a practical talk on this subject at the Digital Government Institute’s 930Gov Conference on Tuesday, August 28, in Washington, D.C. There’s no charge to attend.