Say I’m out to get you. I might be a disgruntled employee, or a business rival. What’s my best way of taking your business down?
Let’s assume I can gain access to your network – easy enough if I’m an employee, after all.
I could leak all your confidential information to your competitors – or to the newspapers. But unless you’re up to something illegal (in which case you have bigger problems) or your business absolutely depends on confidentiality, you’d probably survive. Especially if you could prove the leak was malicious and you’d done reasonable things to prevent it. After all, most businesses don’t have that many real secrets anyway; they have things they’d rather competitors and customers didn’t know, but nothing truly earth-shattering.
I could destroy your network – delete all your data, smash up your servers, even burn down the building. But if you’ve got an even half-decent disaster recovery plan and a working backup, you’ll be back in business pretty quickly. You’ll probably get some sympathy and leeway from suppliers and customers, the costs will be covered by insurance, and it’ll be pretty hard for me to avoid getting caught. If I am caught, I’ll be going straight to jail without passing go. A high-risk strategy, then, with limited rewards.
Or I could mess with your data. Not all at once, and not too obviously. Just some tweaks, here and there, making it drift apart from reality. Change last week’s sales figures. Mess with customer information. Delete some key historic emails. Change the contents of historic contracts. And so on. The world being what it is, it won’t surprise you that there are tools around to automate this. The key thing is to do it for long enough. Give it six months and even good backups are largely worthless: every backup taken since I started contains the tampered data, and the clean ones from before that predate six months’ worth of work you can’t afford to give up. Worse, unless you were watching for it, you won’t know which records were touched, so you can’t simply restore the bad ones. If you can’t trust your data, you cease to function.
I say this in almost every talk I give on the topic, but it’s not just me – Admiral Michael Rogers of the NSA said much the same at this year’s RSA conference.
What do you do about it? It’s not simple, but here are some starting points:
- Apply the principle of least privilege – don’t give users the rights to change documents if they don’t have a clear business need to do so.
- Use Tripwire or a similar file integrity monitoring tool to look for changes in documents that shouldn’t change: take a baseline of cryptographic hashes and alert on anything that differs. This adds to your storage requirements, network traffic and processing, as well as costing money, but it’s a valuable early-warning system. Keep the baseline somewhere the people you’re monitoring can’t write to, or the same attacker will simply re-baseline after each edit.
- Switch on file-level auditing – and actually check the audit logs. You’ll need some way to protect the logs from tampering, too: at minimum, ship them off the host to a collector that ordinary users (and administrators) can only append to, not edit or delete.
- Make sure any database systems you use have proper user privileges built in, and preferably keep a change journal – a record of the previous values every time a row is updated or deleted – so that you can identify exactly what changed and unwind it. The journal needs the same protection as the audit logs: the application account should be able to write to it only through the audit mechanism, never directly.
- Build in processes to check data as it’s entered, and regularly thereafter. This helps to pick up human error as well as deliberate malfeasance – if inaccurate data is worthless, then the converse is also true: accurate data is worth more, so the additional cost of checking can be justified.
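Here is the first two of those starting points in working form, as an added example that is not code from the original post or from the Tripwire project. It baselines a folder with SHA-256, reports modified, added and deleted files, and records the findings in a hash-chained, HMAC-authenticated log so that an attacker who can write the log still can’t quietly edit an entry. The folder contents, file names and the key in `LOG_KEY` are constructed for the example; in practice the key and the baseline live on a host the monitored users cannot reach.

```python
"""Tripwire-style file integrity check with a tamper-evident change log.

Added example, not code from the original post or from Tripwire. Assumptions:
the baseline and the log are stored where the monitored users cannot write,
and LOG_KEY is held off the monitored host (hard-coded here only so the
example runs stand-alone).
"""
import copy
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

# Assumed secret used to authenticate log entries (constructed for this example).
LOG_KEY = b"example-log-key-not-for-production"


def file_digest(path):
    """SHA-256 of a file, read in chunks so large documents do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> digest for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def compare(baseline, root):
    """Return (modified, added, deleted) relative paths against the baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    return modified, added, deleted


def append_log(log, event):
    """Append an event to a hash-chained, HMAC-authenticated log (a list of dicts).

    Each entry commits to the previous entry's MAC, so editing or removing an
    entry in the middle breaks every later MAC. Note the caveat: cutting entries
    off the *end* of the chain is only caught if you also store the latest MAC
    somewhere the attacker can't reach (e.g. on the collector host).
    """
    prev = log[-1]["mac"] if log else "0" * 64
    body = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, "prev": prev}
    payload = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()
    log.append(body)
    return body


def verify_log(log):
    """True if every entry's chain link and MAC are intact."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev:
            return False
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return False
        prev = entry["mac"]
    return True


def demo():
    """Constructed scenario: baseline a folder, quietly edit one contract, detect it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "contracts"))
    with open(os.path.join(root, "contracts", "acme-2014.txt"), "w") as f:
        f.write("Term: 24 months. Price: 10,000 per month.\n")
    with open(os.path.join(root, "sales-q1.csv"), "w") as f:
        f.write("week,revenue\n1,42000\n2,39500\n")

    baseline = build_baseline(root)
    log = []
    append_log(log, {"action": "baseline", "files": len(baseline)})

    # The slow-drift attack from the post: one small edit to a historic contract.
    with open(os.path.join(root, "contracts", "acme-2014.txt"), "w") as f:
        f.write("Term: 24 months. Price: 1,000 per month.\n")

    modified, added, deleted = compare(baseline, root)
    for p in modified:
        append_log(log, {"action": "modified", "path": p})
    intact_before = verify_log(log)

    # An attacker with write access to the log rewrites the entry to look harmless.
    tampered = copy.deepcopy(log)
    tampered[-1]["event"]["path"] = "README.txt"
    intact_after = verify_log(tampered)
    return modified, added, deleted, intact_before, intact_after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the contract as modified, nothing added or deleted, the log verifying before the tampering and failing after it.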
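And here is the database journal from the third starting point, again as an added example rather than the post’s own code. It uses SQLite so it runs stand-alone; the `sales` table, the `sales_journal` table and the trigger names are assumptions for illustration, and the sales figures are constructed. Triggers copy the previous values of every updated or deleted row into an append-only journal, and `unwind()` replays the journal in reverse to put the data back.

```python
"""Database change journal with undo, as an added example (not the post's code).

SQLite is used so the example runs anywhere; table, column and trigger names are
assumptions. In a real DBMS the application role would get no UPDATE/DELETE
grant on the journal at all; here an append-only trigger stands in for that.
"""
import sqlite3

SCHEMA = """
CREATE TABLE sales (
    week    INTEGER PRIMARY KEY,
    revenue INTEGER NOT NULL
);
CREATE TABLE sales_journal (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    changed_at  TEXT    NOT NULL DEFAULT (datetime('now')),
    op          TEXT    NOT NULL,
    week        INTEGER NOT NULL,
    old_revenue INTEGER NOT NULL
);
-- Record the previous row state on every change to sales.
CREATE TRIGGER sales_audit_update AFTER UPDATE ON sales
BEGIN
    INSERT INTO sales_journal(op, week, old_revenue) VALUES ('UPDATE', OLD.week, OLD.revenue);
END;
CREATE TRIGGER sales_audit_delete AFTER DELETE ON sales
BEGIN
    INSERT INTO sales_journal(op, week, old_revenue) VALUES ('DELETE', OLD.week, OLD.revenue);
END;
-- Make the journal append-only (a real deployment does this with grants,
-- since anyone who can DROP TRIGGER can remove this protection).
CREATE TRIGGER journal_no_update BEFORE UPDATE ON sales_journal
BEGIN SELECT RAISE(ABORT, 'journal is append-only'); END;
CREATE TRIGGER journal_no_delete BEFORE DELETE ON sales_journal
BEGIN SELECT RAISE(ABORT, 'journal is append-only'); END;
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def changes_since(conn, since_id):
    """List journal entries from since_id onwards: who changed what, in order."""
    return conn.execute(
        "SELECT id, changed_at, op, week, old_revenue FROM sales_journal "
        "WHERE id >= ? ORDER BY id", (since_id,)).fetchall()


def unwind(conn, since_id):
    """Restore sales rows to their state before journal entry since_id.

    Entries are replayed newest-first so repeated edits to one row undo cleanly.
    Restoring an UPDATE is itself an UPDATE, so the unwind is journalled too;
    rows that were re-inserted after a DELETE are overwritten with the old values.
    Plain INSERTs are not journalled, so rows added by the attacker are left for
    the data-checking processes to find. Returns the number of entries replayed.
    """
    rows = conn.execute(
        "SELECT op, week, old_revenue FROM sales_journal WHERE id >= ? ORDER BY id DESC",
        (since_id,)).fetchall()
    for op, week, old_revenue in rows:
        if op == "DELETE":
            conn.execute("INSERT OR REPLACE INTO sales(week, revenue) VALUES (?, ?)",
                         (week, old_revenue))
        else:
            conn.execute("UPDATE sales SET revenue = ? WHERE week = ?", (old_revenue, week))
    conn.commit()
    return len(rows)


def demo():
    """Constructed scenario: nudge one figure, delete another, then unwind both."""
    conn = open_db()
    conn.executemany("INSERT INTO sales VALUES (?, ?)", [(1, 42000), (2, 39500), (3, 41200)])
    conn.commit()
    mark = conn.execute("SELECT COALESCE(MAX(id), 0) + 1 FROM sales_journal").fetchone()[0]

    conn.execute("UPDATE sales SET revenue = 29500 WHERE week = 2")  # small, plausible drift
    conn.execute("DELETE FROM sales WHERE week = 3")
    conn.commit()
    drifted = dict(conn.execute("SELECT week, revenue FROM sales ORDER BY week"))

    # The attacker tries to erase the evidence; the append-only trigger refuses.
    try:
        conn.execute("DELETE FROM sales_journal")
        tamper_blocked = False
    except sqlite3.DatabaseError:
        tamper_blocked = True

    unwind(conn, mark)
    restored = dict(conn.execute("SELECT week, revenue FROM sales ORDER BY week"))
    journaled = conn.execute("SELECT COUNT(*) FROM sales_journal").fetchone()[0]
    return drifted, restored, tamper_blocked, journaled


if __name__ == "__main__":
    print(demo())
```

`changes_since(conn, mark)` is what you would actually read first: it tells you which rows drifted and when, which is the information a restore from backup cannot give you.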