Rise of the Denial of Business attack
Data breaches are doing more than leaking sensitive information – they’re stopping business operations altogether.
The recent cyber attack on Sony Pictures Entertainment has generated ample press coverage, most of it focused on how the attackers penetrated the network, on speculation about the likely culprits, and on what information has been released to the public.
While it is tempting to treat every data breach as an occasion to remind people about password hygiene and the need for stronger defenses and controls, this breach is noteworthy because it illustrates a different attacker objective: the Denial of Business (DoB) attack.
In the major data breaches over the last year, the primary target has usually been credit card and payment data that, once obtained, could be resold or reused. A recent 60 Minutes piece on this explains the process behind these attacks quite well.
A DoB attack is predicated on penetrating a target and causing enough damage that the target has to shut down its network, at least temporarily. With the network down, productivity grinds to a halt and consumer confidence, among other things, is eroded.
In a DoB attack, sensitive financial and personal data is still a target, but attackers also seek to extend the incursion beyond payment systems into other areas as well such as email and data storage systems.
Information does not necessarily have to be sensitive or confidential to cause harm; attackers can publish other information that causes embarrassment or erodes customer or employee confidence. Infecting multiple systems can help demonstrate the scale and breadth of the incursion.
Organizations then often react by taking some or all systems offline to contain the damage while they develop a mitigation plan. While such drastic action is often appropriate, the result is a denial of business: email is inaccessible, payments and payroll are suspended, and even physical access to some buildings may be blocked if badge systems depend on the affected network.
The lesson is that organizations need to take a broad view of all their systems and data, not just the systems holding payment information and personally identifiable information (PII). And organizations need to remember that in today's world security is not just about preventing fraud, but also about keeping the business up and operational.
An important first step is a complete inventory of all systems and data, to understand what is currently stored and where. The marginal cost of storage is essentially zero, which means it is often cheaper for organizations to store and archive everything than to spend time deciding what should be kept or deleted.
As a result, organizations hold vast troves of data going back many years. Even where that legacy data carries no direct financial risk if breached, its exposure can erode customer confidence and force systems to be taken offline, which is exactly the outcome a DoB attack aims for.
By inventorying current data and determining whether each data set is still in scope (needed, sensitive, or both), organizations can apply risk-appropriate controls (encryption, 2-factor authentication, shared account management, or simply deleting the data) and reduce their exposure to a DoB incident.
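The inventory-and-classify step above is the one part of this that lends itself to automation. The following is an added example, not code from the original article or from any vendor named here. It walks a directory tree, tags each file as containing payment card numbers (Luhn-validated), PII (email addresses) or being past an assumed three-year retention window, and maps each combination to a control recommendation. The retention period, regex patterns, control text and the sample files it creates are all assumptions for illustration; a real inventory would cover databases, mail stores and backups, not just a file tree.

```python
"""Minimal data inventory pass: find stale and sensitive files and
recommend a control for each. Added example; thresholds, patterns and
recommendations are assumptions, not an established standard."""
import os
import re
import tempfile
import time
from dataclasses import dataclass

RETENTION_DAYS = 365 * 3  # assumed retention policy: three years
# Candidate card number: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class Finding:
    path: str        # relative to the scanned root
    age_days: int    # days since last modification
    tags: tuple      # sorted subset of {"payment", "pii", "stale"}
    control: str     # recommended control


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid 13-19 digit numbers found in text (digits only)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify_text(text: str) -> set:
    tags = set()
    if find_card_numbers(text):
        tags.add("payment")
    if EMAIL_RE.search(text):
        tags.add("pii")
    return tags


def recommend(tags: set, age_days: int) -> str:
    """Map tags to a control. Stale data is deleted first: it cannot be
    leaked if it is gone, whatever it contains."""
    if age_days > RETENTION_DAYS:
        return "delete or move offline (past retention)"
    if "payment" in tags:
        return "encrypt at rest, restrict to 2FA-protected accounts, review payment scope"
    if "pii" in tags:
        return "encrypt at rest, restrict access"
    return "standard controls"


def scan_tree(root: str, now=None) -> list:
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the inventory
            age_days = int((now - os.path.getmtime(path)) / 86400)
            tags = classify_text(text)
            if age_days > RETENTION_DAYS:
                tags.add("stale")
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append(Finding(rel, age_days, tuple(sorted(tags)), recommend(tags, age_days)))
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree() -> str:
    """Create a constructed sample tree in a temp dir (not real data)."""
    root = tempfile.mkdtemp(prefix="dob_inventory_")
    samples = {  # relative path: (content, age in days)
        "payments/orders_2014.csv": ("order,card\n1001,4111 1111 1111 1111\n", 30),
        "hr/staff.txt": ("alice@example.com\n", 200),
        "archive/minutes_2009.txt": ("Board minutes, nothing sensitive.\n", 2000),
        "archive/old_customers.txt": ("bob@example.com\n", 2000),
        "eng/readme.txt": ("Build instructions.\n", 5),
    }
    for rel, (content, age_days) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        mtime = time.time() - age_days * 86400
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        print(f"{f.path:28} {f.age_days:5}d {','.join(f.tags) or '-':12} -> {f.control}")
```

Running it prints one line per file with its age, tags and recommended control; the point is the ordering in `recommend`: data past retention is a deletion candidate before anyone debates encrypting it, which is the cheapest way to shrink the surface a DoB attacker can embarrass you with.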
No organization can be made 100 percent immune to cyber attacks, but by implementing these approaches and taking a fresh look at all security controls, not just those around payment data, organizations can substantially reduce their exposure.