Cyber Security: Don’t Ignore Data Integrity
November 3, 2016 | Security and Risk | John Worrall
Cyber security is an enabler of the digital transformation of business. While Information Technology allows the rapid delivery of goods and services and the real-time understanding of customers, markets and industries, security enables companies to use technology by ensuring that data remains protected.
Confidentiality and availability are two essential elements of cyber security and data integrity is equally critical. Integrity ensures the accuracy of data used in business processes and transactions.
It can be difficult to prevent or even detect the theft of data. Breaches can go undetected for months, and often the victim is not aware of the loss until it is discovered by a third party, such as the FBI. Detecting the corruption or alteration of data can be even more difficult. If the data remains in the appropriate format, tampering can be less evident than theft, although the value of the data can be seriously affected.
Companies must consider not only the integrity of data in databases and applications, but also of data that has been backed up for use in disaster recovery. The National Cybersecurity Center of Excellence—a partnership between industry and the National Institute of Standards and Technology (NIST)—was formed to address the most pressing cyber security challenges to business. One of these challenges is assuring the accuracy of back-up and recovery data. Key questions being addressed by NCCoE include:
- How to tell what data was corrupted, when, how and by whom it was corrupted.
- What was the impact of the data corruption?
- Which backup version should be used to recover data?
Confidence and more at stake
A company that is not sure of the integrity of its data cannot be sure that critical operations are being carried out properly, that correct decisions are made, or that the appropriate goods and services are delivered to customers and received from suppliers.
This can have a direct business impact, resulting in mistakes and missed opportunities, wasted money and lost income. But beyond these immediate losses are the broader problems of public confidence and brand reputation. A company that does not effectively serve its market can lose the confidence of its customers, resulting in long-term damage to its brand.
Legally, data integrity is necessary for non-repudiation—the ability to ensure the authenticity and accuracy of agreements and transactions. It also is required by government and industry regulations, including the federal Health Insurance Portability and Availability Act (HIPAA) and the Payment Card Industry Data Security Standards (PCI DSS).
The issue of data integrity has recently come to the forefront in the public sector with concerns of possible foreign tampering with U.S. election systems. These concerns resulted in a warning from the Department of Homeland Security and the Director of National Intelligence, urging “state and local election officials to be vigilant and seek cybersecurity assistance from DHS,” to ensure the integrity of election data.
A powerful tool in ensuring data integrity is hashing—using a cryptographic algorithm to reduce a file or data element to a short string of numbers called a hash or a message digest. Done properly, this message digest is unique to the piece of information being hashed, so any change in the data will produce a completely different digest. A comparison of digests from a Secure Hash Algorithm (SHA) will immediately indicate any change in the data.
NIST last year approved a new hash standard, SHA-3, a “next-generation tool for securing the integrity of electronic information.” The new algorithm did not replace the existing SHA-2 algorithm, which appears to have years of life left in it, but is a backup put into place against the day SHA-2 becomes vulnerable to attacks. The SHA-1 algorithm no longer is recommended for use.
Basic cyber security practices, including encryption, monitoring and access control, also can help to ensure the integrity of data in your systems.
Encrypting data at rest and in transit makes it less susceptible to alterations. It would be difficult if not impossible for an adversary to modify ciphertext in a way that would not be readily apparent when decrypted. Appropriate access control policy and enforcement can help to keep adversaries away from the data, and network monitoring can identify suspicious activity as it happens, and provide a trail if a breach is detected.
The bottom line is, good cyber hygiene should include the integrity of data as well as its confidentiality and availability.