Attacks against integrity

I’ve been mentioning this frequently during my talks in the last 12 months: that accidental or malicious data modification is yet something else we need to defend against. Richard Bejtlich wrote last year about attack progressions, and this year summarized an accidental integrity error that created minor havoc at Veteran’s Affairs health centers. Richard’s progression nicely matches our beloved friend, the infosec triad:

  • First they came for bandwidth... These are attacks on availability, executed via denial of service attacks starting in the mid 1990's and monetized later via extortion.
  • Next they came for secrets... These are attacks on confidentiality, executed via disclosure of sensitive data starting in the late 1990's and monetized as personally identifiable information and accounts for sale in the underground.
  • Now they are coming to make a difference... These are attacks on integrity, executed by degrading information starting at the beginning of this decade. These attacks will manifest as changes to trusted data such that those alterations benefit the party making the change. This sort of attack undermines the trustworthiness of data.

Alas, his concluding sentence is all too true:

If we think it's tough to maintain availability and confidentiality, wait until we security people are tasked with validating the integrity of data. It will happen after a celebrity dies or a group of "normal people" do, unfortunately en masse.

Get ready to start adding integrity protection to your data and incorporating integrity protection in your applications. Also: start making noise yourself, and let your vendors know this will eventually become a business requirement for you. Please, let’s not give the folks at the Privacy Rights Clearinghouse another category to track!

Comments (3)

  1. Anonymous says:

    Further to the PS I tried creating an account sometime ago but it never seemed to work…

  2. Anonymous says:

    It should be CIAA – Confidentiality, Integrity, Availability and Audit.

    When the first three fail (and they always will, eventually), the fourth should be there in order to allow you to figure out who took you over, how they did it, and whether you can stop them.

  3. Morgan Storey says:

    It was only a matter of time, the bad guys read the same books as us, they had to eventually see the CIA model and go uh-hah we haven’t hit I yet.

    I wonder how cloud services are going to deal with this. I saw an article in my RSS last night about a proposed EDOS, or Economic DOS, that basically overloads a companies cloud hosted stuff so that their bill goes through the roof and the company folds. What is to stop a baddie messing with data on its transition to/from/in the cloud to destroy the integrity, just add a 0 here, move a decimal place there and utter-chaos insues.

    PS: for some reason the subscribe to comments via RSS rarely works for me, is there anyway we can be notified of responses via email?

Skip to main content