The hidden breach is the new enemy

What we don't know ratchets up the level of risk to data, safety.
Written by John Fontana, Contributor

It's the breach we can't see that is emerging as the proverbial silent killer.

In recent weeks, hundreds of millions of passwords, user names, email addresses and user data have been exposed. And the information isn't always fresh off the database. Information dumped in the recent MySpace, Tumblr and LinkedIn episodes was stolen many years ago.

Previously, the fact that hackers were in corporate systems for weeks or months without detection was the glaring revelation in post-hack forensic reports.

But the real hidden concern, we are now discovering, is that many companies likely have no idea whether data is missing or how much is actually missing, or worse, are underreporting the severity of breaches to protect their reputations at the expense of their customers and public safety.

In this scenario, end-users are left exposed and have no signal to take measures to protect their data, especially if their personal information is being reused by hackers to gain access to a person's additional accounts.

Symantec's 2016 Internet Security Threat Report noted that breached companies aren't always reporting accurately. "The increasing number of companies choosing to hold back critical details after a breach is a disturbing trend," Kevin Haley, director of Symantec Security Response, said in a release accompanying the report's findings. "Transparency is critical to security. By hiding the full impact of an attack, it becomes more difficult to assess the risk and improve your security posture to prevent future attacks."

All this comes amid a rise in the ongoing use and abuse of the web for cyber espionage, the emergence of cyberwarfare capabilities, and the rising sophistication of cyber criminals, who are creating best practices and operating in a more businesslike way. So while today's stakes may look like passwords and user names, the real issues may go deeper into strategic and sensitive data that companies and governments don't even know is missing.

Perhaps the perfunctory corporate hack excuse of "sophisticated attack" is really just code for "we don't really know all that is missing."

It would be nice to believe that corporate systems are getting more seasoned and secured, but this week's "Hack the Pentagon" program perhaps shows the true state of government systems, and perhaps enterprises, too. The program's 1,400 certified hackers found 100 vulnerabilities in the Department of Defense's networks within a few weeks.

Security researcher Troy Hunt told the BBC recently that recent data dumps by hackers of information stolen years ago begs the question, "how many more are there in the 'mega' category that are simply sitting there in the clutches of various unknown parties?"

The statement is even more troubling when paired with comments earlier this year by Michael Rogers, director of the National Security Agency, at the RSA Security Conference. Rogers, explaining his key concerns over the next three years, noted that the majority of cyber attacks to date have been about data theft. "What happens when that same activity is used to manipulate data, software or products and we cannot trust the data? What do you do when you can't believe the data?"

The issue is how dangerous it is when stored data is manipulated and the change goes undetected: say, the date when a dam's flood gates are to open. If hackers manipulate systems and alter data so that the gates operate when downstream rivers and reservoirs can't handle the torrent of water, there could be tragic results.

Then the issue becomes human life, and not passwords and usernames.
