US Army Fort Monmouth data breach: 36,000 identities, but what’s really at risk?
Just before 2012 winds up and we merrily bring in the New Year, we have yet another breach of a database yielding thousands of identities, SSNs, salaries, and address information. I bet 2013 isn’t going to be any different for most organizations still using outdated perimeter IT defense strategies to protect data – they are proving transparent to advanced threats time and time again. This breach is a little different, however, because of the nature of the identities involved: if reports are correct, the specifics of the data open the door to high-stakes social engineering attacks.
You can read about this US Army related breach here.
In civilian data theft cases, the stolen data is traded through criminal channels and across schemes to commit identity theft and fraud, often at great expense to the data owner, but highly lucrative to the data thieves. Here however we have something potentially more valuable to attackers interested in more aggressive pursuits: specific personal data on people related to US Army defense intelligence and communications infrastructure at CECOM (Communications Electronics Command) and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance). That’s US Army communications and control systems related personnel.
While this breach isn’t about mission data or defense IT projects specifically, it’s the kind of personal data that can potentially be used to pursue more aggressive attacks to penetrate additional high-value US defense networks and systems – exactly the kind of networks offshore state-sponsored attackers have in their sights. Attacks on defense contractors have been well documented over the last couple of years: these are real risks that need to be mitigated using new methods.
To an offshore attacker, this kind of stolen data may streamline identity impersonation for highly targeted spear phishing, for example, to plant malware and trojans deeper into a network to steal secrets. It may also play a role in even more sinister social engineering and manipulation to obtain new and nefarious ways to gain access to sensitive information and damage systems. To an attacker, obtaining a long list of current defense-related identities can be gold. This attack, like other serious industry-wide system penetrations we have seen during 2012, illustrates that attackers will get their hands on the data gold if it’s not secure, and that even the most mundane-sounding databases, like contractor and staff logs with sensitive personal data in them, need to be protected.
The new best practice to avoid breach risk is data-centric security: data stays protected from the moment of capture, yet can still be used by databases and applications. Techniques like NIST FFX mode AES (Format Preserving Encryption) make this simple and straightforward even in existing systems, because the protected value keeps the length and character set of the original and so fits the same database columns and application fields. Should an attacker get their hands on protected data, it’s useless to them. Attackers who steal data protected in this way quickly learn that going after data straw, not data gold, is a waste of their time and energy and simply move on to more fertile ground.
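To show what "format preserving" means for a field like the SSNs in this breach, here is an added example (not code from the original post or from any vendor): a Feistel network over decimal digits using HMAC-SHA256 as the round function, which is the same design pattern FFX/FF1 follow but is not the NIST FF1 algorithm, with a constructed demo key and a column name used as the tweak.

```python
import hashlib
import hmac
import re

# Added illustration of format-preserving encryption (FPE) for a 9-digit SSN field.
# Generic Feistel network with HMAC-SHA256 as the round function: the same design
# pattern FFX/FF1 use, but NOT NIST FF1 itself. DEMO_KEY is a constructed value;
# real deployments use a vetted FF1 implementation and a managed key.
ROUNDS = 10
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def _round_fn(key: bytes, tweak: bytes, i: int, half: str, modulus: int) -> int:
    """Pseudorandom function of one Feistel half, reduced into the digit domain."""
    mac = hmac.new(key, tweak + bytes([i]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % modulus

def _feistel(key: bytes, digits: str, tweak: bytes, decrypt: bool) -> str:
    u = len(digits) // 2            # left half length
    v = len(digits) - u             # right half length
    a, b = digits[:u], digits[u:]
    order = reversed(range(ROUNDS)) if decrypt else range(ROUNDS)
    sign = -1 if decrypt else 1     # decryption subtracts the same round values
    for i in order:
        if i % 2 == 0:              # even rounds update the left half from the right
            mod = 10 ** u
            a = str((int(a) + sign * _round_fn(key, tweak, i, b, mod)) % mod).zfill(u)
        else:                       # odd rounds update the right half from the left
            mod = 10 ** v
            b = str((int(b) + sign * _round_fn(key, tweak, i, a, mod)) % mod).zfill(v)
    return a + b

def _format(digits: str) -> str:
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"

def protect_ssn(ssn: str, key: bytes = DEMO_KEY, column: str = "ssn") -> str:
    """Encrypt an SSN into another value that still passes the SSN format check."""
    if not SSN_RE.match(ssn):
        raise ValueError("expected NNN-NN-NNNN")
    return _format(_feistel(key, ssn.replace("-", ""), column.encode(), decrypt=False))

def unprotect_ssn(token: str, key: bytes = DEMO_KEY, column: str = "ssn") -> str:
    """Recover the original SSN; only holders of the key can do this."""
    if not SSN_RE.match(token):
        raise ValueError("expected NNN-NN-NNNN")
    return _format(_feistel(key, token.replace("-", ""), column.encode(), decrypt=True))

if __name__ == "__main__":
    demo = "123-45-6789"            # constructed sample value, not real data
    protected = protect_ssn(demo)
    print(demo, "->", protected, "->", unprotect_ssn(protected))
```

The protected value satisfies the same `NNN-NN-NNNN` constraint as the original, so it can sit in the existing column and be searched by exact match, while a copy of the table yields nothing usable without the key.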
Data-centric security is a proven defense against the new advanced threats from both criminal hackers and offshore cyber-attackers. Leading government agencies and private sector enterprises are already seeing the cost and risk benefits. Given the need to capture, store and share more and more sensitive and high-value data across an expanding ecosystem of low-trust channels such as mobile and cloud, all at risk from advanced threats, data-centric security is no longer an option, it’s absolutely essential.