Security

Data Tampering: The Quiet Threat

Data Tampering: The Quiet Threat

For decades, data tampering has been limited to relatively simple attacks, like data corruption (which is immediately noticeable) or “cooking the books” to hide embezzlement or other financial failings. Of late, however, data tampering has been done with far more serious intent, such as redirecting shipments at sea or capturing financial or sensitive information. And, unfortunately, it’s getting easier.

Cybercriminals now have access to AI-driven, automated, and orchestrated data-tampering attacks. As more and more data is stored in databases, and employees, contractors, and users demand access to it, the potential for unauthorized modification rises exponentially. And as more and more financial transactions are conducted online, the incentive to perform such modification rises accordingly.

Data tampering is a serious threat to not only businesses, but potentially life and property. As such, organizations must take steps to prevent the possibility of such attacks and mitigate any issues caused by them. Unfortunately, no organization can defend itself perfectly. What are some approaches organizations can use to counter the growing threat of data tampering?

The Key Problem: Can You Trust Your Data?

As of 2019, almost every organization, no matter how small, has databases, network shares, and servers with data they would rather not lose or have modified. Unfortunately, attackers don’t particularly respect organizational policy and will go right ahead and delete or modify this data if and when it serves their purposes.

Thus, one of the most crucial aspects of any database or file store’s security plan is detecting (and, where possible, manually or automatically reverting) unauthorized data modifications by malicious software anywhere in the chain of communication.

Many people responsible for data security over the past few years have already experienced a ransomware attack; according to PhoenixNAP, about 850.97 million ransomware infections were detected in 2018. Ransomware is just one type of data tampering—in this case, encryption.

Data tampering can have very real consequences: for example, the sinking of passenger or container ships. According to Ken Munro of Pen Test Partners LLP, doing such a thing would be all too easy due to security failures in the protocols used to communicate with these ships. Data can’t always be trusted, and external verification of the authenticity of this data is a must.

Copy-on-Write File Systems (and Similar Technologies)

A possible solution to this data tampering problem is something called copy-on-write (COW). Each time a database is modified, delta snapshots are taken. This would permit a security team to detect tampering with data at rest by checking for unexpected file system (or database) snapshots.

Linux- and Unix-based operating systems, as well as many database applications, have built-in snapshot features, so implementing such a technology wouldn’t be a major effort.

As a bonus, this form of protection would also guard against ransomware-based encryption attacks. While the database may become encrypted, restoring the file system to a pre-attack state would end any downtime and retrieve lost data.

Additional Protections

Of course, copy-on-write won’t fix everything; a technology like that is much more effective at reverting unauthorized modifications than detecting them.

For detection, organizations turn to more standard tactics, such as Authentication, Authorization, and Accounting (AAA), checksums, and other similar technologies. For example, two-factor authentication using an internally generated time-based code can be used to prevent replay attacks (resending a captured request with new data), while heavy encryption and authentication can be used to prevent attackers from understanding how communication and storage protocols work.

By using a combination of copy-on-write, authentication, time-based codes, encryption, and other technologies, organizations can make it much harder for the casual attacker to tamper with what they’re not authorized to. Traditional security policies can help to mitigate risks from internal employees and contractors, while network segmentation can be used to employ the principal of least privilege, thus further reducing the attack surface.

Of course, it’s still necessary to keep a close eye on your organization’s databases, servers, and networks; no security policy is perfect. But with IT security management tools and these technologies in place, organizations are much less likely to be vulnerable to a data-tampering attack.

This post originally appeared on Logical Read


Finn Turner is a blind network enthusiast from Tauranga, New Zealand. You can usually find him with his head buried in some horrifyingly complex embedded Linux device, or trying to get his many pieces of network gear to work the way he wants them to. He usually spends his time coding; experimenting with Linux, embedded OSes and hardware; and finding novel ways to break things.