The last couple of years have witnessed the largest data breaches in history, affecting tens of Fortune 500 companies and billions of consumers. Attackers have either penetrated the final layers of application and database security to gain access to large volumes of data, or sat on an intercepted network port to siphon off data as it moves in or out, stealing mostly consumer information, including contact and payment details. If we analyze the pattern in the most discussed and debated attacks, the motivation behind them is very clear: the attackers wanted access to as much data as possible and wanted to copy it out as quickly as possible. In 8 out of 10 cases, that data has been seen on sale, whole or in parts, on the dark web for a hefty price, sometimes within a week of the breach incident.
In most cases the enterprises published notices about the information disclosure and asked their users to change their passwords or perhaps opt in to an additional layer of security, even though that was obviously not the reason behind the disclosure. Consumers whose information was disclosed were left in a position where there was nothing they could do. At most, where payment card information was stolen, replacing the card was a good idea. The amount of damage such incidents cause to businesses varies from case to case. For example, Facebook lost the information of 29 million users to an attack in September 2018. The loss of data did not cause any material damage to Facebook other than damage to its brand reputation and the cost of investigating the incident and realigning its security strategy. Marriott International, however, which lost the information of approximately 500 million users to an attack by the end of last year, might face long-term consequences if the stolen data reaches its competitors. These large enterprises had already been spending millions on application and information security, and had to spend millions again (and sometimes billions, if brand reputation damage and other long-term consequences are taken into account) once an attack of this kind reached its intended destination. For smaller organizations the damage should be far smaller, provided they do not incur legal liability for the disclosed portion of the information. The intangible cost of brand reputation damage is also of a far smaller magnitude, since incidents at smaller organizations do not get the same media attention.
Elsewhere, however, attackers' motivation is being renewed so that it no longer stops at just stealing data. Attackers are learning that consumers are now more aware, monitor more closely and react more efficiently to fraud attempts. As a result, stolen data (even with payment card information) is not as effective in fraud campaigns as it was some 3 years back. The hackers' only remaining hope is to sell the stolen data at a legitimate price to someone who can practically capitalize on the information. Such an effort may not always reach a legitimate buyer, especially when the options are very limited.
Introducing Data Manipulation Attack
The options become far wider and more flexible when an attacker gains the ability to modify data within the database itself rather than taking it out and fleeing. That is called a data manipulation attack. Such a capability allows an attacker to modify the data to suit his operational objective, directly or indirectly. How the access gained is used differs from attacker to attacker, depending on motivation. Attackers choose their targets according to their objectives, and such an attack is usually preceded by one or more pre-attack preparation steps to gain the required knowledge and access.
Motivation & Objective Behind Data Manipulation Attack
The motivation behind a data manipulation attack can vary, and sometimes the target itself is chosen by the objective. Objectives range from quick financial gain to spreading long-term political propaganda. For example, suppose an individual attacker gains write access to the order table of an online store application. He can now change the shipping address of each pending order to an address of his choice, so the products are shipped to the wrong addresses. If the action is taken on behalf of a competitor, the same malicious actor can change the status of all orders to cancelled or shipped, which results in either revenue loss or very poor customer service. Moreover, if the attacker gets hold of the customers' contact information, he can quickly steer them to a competitor's store to purchase the same products for which their orders were cancelled.
At a larger scale, an intruder who gets inside an automated trading system can manipulate the price of a particular symbol to show a nosedive or a spike, and capitalize on the rush that follows soon after.
On the political front, we have already witnessed several incidents where hackers from a rival nation or a separatist political group attacked government and political websites and gained access to the CMS to modify the site's content, either to deface it or to show content of their choice instead. Again at a larger scale, social media or other online platforms with high traffic from a specific demographic can be used to promote political propaganda, rumors and ideology.
Needless to say, if such a capability is coupled with a competitor's interest in harming your business, it can bring grave consequences, which may sometimes put you in an irrecoverable downward trend. Various studies show that data manipulation attacks, though they have mostly been successful against smaller enterprises and some government-controlled assets, have been responsible for greater financial loss and operational disorder than any other kind of attack.
Preventing & Mitigating Data Manipulation Attacks
Identify & Patch Vulnerabilities
Data manipulation attacks are primarily caused by exploiting a vulnerability in the application or database security layer, mostly because of improper write access allocation in the database configuration. Once a user enters the network with malicious intent, whether by evading the network security layer or simply through public access, a misconfigured database gives them the additional ability to read, write and alter records, and those changes appear as records created or altered by legitimate users. So the best way to prevent data manipulation attacks is to act before someone with malicious intent does. Hackers around the world are continuously looking for suitable targets that match their capacity and objectives. A critical vulnerability in your application or database makes it an interesting target to exploit for a specific objective, or even just for fun. That is why a very sensible step is to find the vulnerabilities in your application and database and patch them as early as possible.
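One way to review write access allocation, shown as an added example that is not part of the original article: the script below reads grant statements in the style of MySQL `SHOW GRANTS` output and reports accounts that can write outside the scope they are expected to use, or that can write from any host. The account names, hosts, schema and the `expected_writers` mapping are constructed assumptions.

```python
import re

# Privileges that let an account change or destroy stored records.
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE", "ALTER", "DROP", "ALL PRIVILEGES"}

GRANT_RE = re.compile(
    r"GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO `(?P<user>[^`]+)`@`(?P<host>[^`]+)`"
)

# Constructed sample in the style of MySQL SHOW GRANTS output.
SAMPLE_GRANTS = """\
GRANT USAGE ON *.* TO `report`@`10.0.5.%`
GRANT SELECT ON `shop`.* TO `report`@`10.0.5.%`
GRANT SELECT, INSERT, UPDATE ON `shop`.`orders` TO `storefront`@`10.0.2.15`
GRANT ALL PRIVILEGES ON *.* TO `storefront`@`%`
GRANT SELECT, UPDATE, DELETE ON `shop`.* TO `analytics`@`%`
"""

def audit_grants(text, expected_writers):
    """Return (user, host, scope, reason) for each risky write grant.

    expected_writers (an assumption of this example) maps an account name
    to the set of scopes it is supposed to write to; any other write
    access is reported.
    """
    findings = []
    for line in text.splitlines():
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        if not privs & WRITE_PRIVS:
            continue  # read-only grant, nothing to report
        user, host, scope = m["user"], m["host"], m["scope"]
        if scope not in expected_writers.get(user, set()):
            findings.append((user, host, scope, "write access outside expected scope"))
        if host == "%":
            findings.append((user, host, scope, "write access from any host"))
    return findings

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, {"storefront": {"`shop`.`orders`"}}):
        print(finding)
```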
Review Access Log and Operating Patterns
Another important task is to monitor access logs regularly. Data manipulation attacks are among the most complicated types of attack to execute. Hackers often need time to find and exploit a vulnerability that allows them to write into the database, even after they have virtually got inside your application. Monitoring database access logs on a regular basis will let you identify unauthorized access, even illegitimate access by unauthorized users.
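A log review of this kind can be automated. The following added example (not part of the original article) scans write events on an orders table and flags an account and source address that writes from outside the application network or touches many distinct rows within a short window, the pattern a bulk change of shipping addresses would leave. The log format, field names, network range and thresholds are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed audit-log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z user=storefront src=10.0.2.15 op=UPDATE table=orders row=1001 col=status
2024-01-10T09:03:10Z user=storefront src=10.0.2.15 op=SELECT table=orders row=1001 col=status
2024-01-10T09:07:44Z user=storefront src=10.0.2.15 op=UPDATE table=orders row=1002 col=status
2024-01-10T02:14:05Z user=storefront src=203.0.113.7 op=UPDATE table=orders row=1003 col=shipping_address
2024-01-10T02:14:06Z user=storefront src=203.0.113.7 op=UPDATE table=orders row=1004 col=shipping_address
2024-01-10T02:14:07Z user=storefront src=203.0.113.7 op=UPDATE table=orders row=1005 col=shipping_address
2024-01-10T02:14:08Z user=storefront src=203.0.113.7 op=UPDATE table=orders row=1006 col=shipping_address
"""

def review_writes(log_text, app_net="10.0.2.0/24", window_s=60, max_rows=3):
    """Return (user, src, reason) alerts for suspicious write activity."""
    net = ip_network(app_net)
    per_actor = defaultdict(list)  # (user, src) -> [(time, row)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        if f["op"] not in ("INSERT", "UPDATE", "DELETE"):
            continue  # only writes can manipulate data
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        per_actor[(f["user"], f["src"])].append((t, f["row"]))
    alerts = []
    for (user, src), writes in sorted(per_actor.items()):
        if ip_address(src) not in net:
            alerts.append((user, src, "write from outside application network"))
        writes.sort()
        start = 0
        for end in range(len(writes)):
            # Slide the window so it never spans more than window_s seconds.
            while writes[end][0] - writes[start][0] > timedelta(seconds=window_s):
                start += 1
            rows = {r for _, r in writes[start:end + 1]}
            if len(rows) > max_rows:
                alerts.append((user, src, "bulk write: %d rows in %ds" % (len(rows), window_s)))
                break
    return alerts

if __name__ == "__main__":
    for alert in review_writes(SAMPLE_LOG):
        print(alert)
```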
Stay Safe from Phishing
Stay cautious about password disclosure. In the trend we have seen so far, every data manipulation attack has been preceded by a phishing campaign to obtain credentials and authenticated sessions from legitimate users. If such access is obtained for an admin-side user, the task ahead becomes easier. Keep your admin credentials safe. Grant access only to the employees who require it, and advise them to take care of credential safety and not to fall into phishing traps. If possible, restrict admin access to a limited number of IP addresses, so that a hacker must break into your local network to make stolen credentials usable.
Hire Application Security Consultant
If your in-house technical capacity does not leave you confident about application and database security, it is a good idea to hire an application security consultant to review your application and associated configurations for vulnerabilities, help you patch them routinely, and act in time whenever the situation demands. La Manguste’s managed application security solution helps you build a robust application security protocol that resists or neutralizes all kinds of security threats to your web or mobile application, including malware infection and DDoS attacks. If you are interested in having your application security standard reviewed by an expert, feel free to leave a message.