10 Apr 2019 in GDPR, General Cybersecurity Topics, Managed Security, Phishing, Security News, Social Engineering
The Weaponization of Data
Organizations collect massive amounts of data about their users. If you have a social media account, think about how much a person could learn about you just by reading your posts.
Unfortunately, some organizations have figured this out, too, and use this information to their own gain. Whether a company is selling collected data, or information is illegally obtained from them through a breach, weaponization of data is a significant threat.
Data Acquisition Through Breach
Data breaches are growing increasingly common. Every year from 2016 to 2018 users experienced more than 1,000 breaches in the US. That’s more than three breaches per day.
In 2018 alone, there were more than 446.52 million breached records, meaning that every US citizen’s data was stolen 1.36 times on average.
But not every data breach is created equal.
For instance, many include the loss of email addresses and possibly hashed passwords. Depending on the site (and the strength of your password), this could be a non-event.
The impact of someone finding out that you have an Amazon account is minimal.
On the other hand, a leak of even just email addresses for a site like (ah-hem) the Ashley Madison breach can have a major impact.
On the other end of the spectrum are breaches like the Equifax hack, the OPM leak, and the countless leaks by healthcare providers. These breaches contained a large amount of sensitive data about the affected parties, which could be very dangerous in the wrong hands.
In general, it’s best to assume hackers have access to a fair amount of information about you that they can use in their attacks. While this is worrisome, what’s worse is that even groups with “legitimate” access to your data may be using it for undesirable purposes.
Legally Obtained Data
There are many ways for bad actors to legally obtain data. For instance, companies that collect data through selling their own products and services have found an additional – and lucrative – revenue stream in the selling of this data.
There are also tricky yet legal ways to get users to agree to giving access to their data, such as through surveys and online quizzes. Let’s explore one well known example:
Inside a Data Weaponization Project
Virtually everyone has heard of the Cambridge Analytica scandal. Cambridge Analytica was a voter research firm hired by the Trump team for the 2016 elections. The company created a Facebook app that asked users to take a personality survey. Part of this process was for users to voluntarily give Cambridge Analytica access to their Facebook profile…and all the data contained within as well as that of their friends for use in “academic research”. Legally collected data included the users’ identities, Facebook friends, and likes.
Based upon this data, Cambridge Analytica was able to build profiles on 50 million Facebook users. This data was used to target political ads to the specific personality of each user in order to maximize their impact.
Facebook claims they moved to block the misuse of the app and ordered destruction of the data as soon as they learned of it (December 2015); however, recent information shows they knew of it three months earlier (October 2015) and did not act on it.
Scope of the Threat
Data weaponization is a significant threat to everyone’s privacy and security. Many organizations have collected massive amounts of users’ personal data as part of their daily operations. If used only for the intended purpose, this data can be invaluable in improving and providing the services they offer.
However, many recent events have demonstrated that organizations regularly use collected data for purposes that were not authorized or expected by the customers. A common example is free social media platforms. They are expected to fund themselves by advertising, but often sell user data to supplement this income.
Targeted advertising can be (and is) used for a variety of purposes. Social engineers with access to the data can use it as the basis for attacks to gain access to networks or other sensitive data.
GDPR and Consumer Privacy Laws
The European Union’s (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018, replacing the Data Protection Directive. GDPR expanded and more specifically defined the requirements that an organization had to fulfill to be permitted to store, transmit, or process the personal information of EU citizens. It also facilitates citizen’s right to be forgotten. This framework represents the most sweeping change in data privacy regulation in decades
As we explored in our article, “The Changing State of Consumer Privacy”, GDPR set a strong precedent and unleashed pent up demand for US regulations protecting consumer data.
At the federal level, privacy protection is industry-dependent. Regulations like HIPAA and PCI DSS protect certain types of personal data under certain circumstances.
In the absence of a federal comprehensive framework, many states have independently decided to follow the lead of the EU and pass consumer privacy laws.
The simple answer to how to protect yourself from data weaponization is to not put any of your sensitive data where it can be collected. This includes any device connected to the internet.
However, this is almost infeasible in the modern world. Even if you keep your personal data offline, others do not.
Legitimate providers like credit monitoring companies (like Equifax) and healthcare providers have been breached, leaking their stored data on the black market.
The best solution is to minimize the amount of data that is placed on untrusted platforms:
- If social media doesn’t need information such as your home address (and it doesn’t), then don’t provide it.
- Consider using a separate email address than the one used for banking, etc. when signing up for social media sites and other untrusted websites.
- Always use unique passwords (and a password manager) for each site.
Unfortunately, most of our personal data is probably already “out there” and it can’t be changed once it’s been breached. Take a second before clicking or downloading, look at what you see with a skeptical eye, and verify any facts before you trust them on the Internet.
Protecting Your Business
If your company is just getting started with information security, a cyber-risk posture assessment is a good way to establish a benchmark. This is a comprehensive security-focused analysis of every aspect of your business, from hiring practices to physical setup and network infrastructure.
Sword & Shield’s Strategic Security Assessment provides critical insight and information you need in order to develop the most effective strategy possible specific to your organization.
Organizations with a mature cybersecurity program can benefit greatly from penetration testing services. Pen testing simulates the tactics, techniques and procedures (TTPs) of real-world attackers to identify your security weaknesses before they’re exploited.
Learn how vulnerable your critical assets are to cyberattacks and how to protect them with Sword & Shield penetration testing services.
Managed Security Services
For companies who need around-the-clock and advanced protection, managed security services provide constant monitoring, threat intelligence, incident response and more without placing the burden on in-house security staff.
A managed security service provider (MSSP) supplies companies with focused expertise to keep up with emerging trends and attacks as they progress geographically from their point of origin.
Ranked globally as a top managed security service provider, Sword & Shield provides expert outsourced data protection from our SOC 2 certified security operations center (SOC) at a fraction of the cost of operating your own facility. Download our e-book, “In-House SOC vs. MSSP” to learn which solution is right for your organization.
Phishing is an attack in which a bad actor uses email or messaging through a social media platform to trick you into opening a link or an attachment. It can also be used to fool you into entering passwords or personal information on a fake website designed to look legitimate.
Praying on cybersecurity’s weakest link, the human, phishing attacks are the most common method of delivering malware to a user’s computer.
Testing and training your workforce regularly is a good way to create awareness and help your team to develop healthy skepticism when viewing and acting upon the information they receive. Conducting these exercises in a safe and controlled environment increases awareness and proactively heads off falling prey to a real attack.
Sword & Shield’s phishing services use simulated real-world email-based scenarios to test and train your team members regarding this dangerous type of social engineering. Download the report “Phishing by Industry” to learn more about your vulnerability to this threat.
There is much we can do personally and professionally to curb data being used as a weapon. This requires diligence and constant attention, but it can be done.
Request a consultation from Sword & Shield to learn more about protecting your organization.