Tag Archives: Integrity
Fake News
“Fake News”, misinformation, has been in the News recently.
2016 was the year when deliberately misleading “news” stories, used to manipulate public opinion and to directly influence events, really came to the fore. So, what has this to do with businesses, and why, as an Information Security Specialist, am I interested in it?
It can be a significant threat to a business – either directly, where fake news has been made to damage a company or influence its share price, or as a result of a different attack.
This relates to the circulation of “incorrect information” that is a threat to the business – analogous to the use of incorrect information within the business. The key difference is that the incorrect information is not held and managed by the business.
So, how do you mitigate the risk?
- Be able to respond quickly to fake news: Have a Response Plan, know in advance who will be involved in the response, and how you will co-ordinate and manage this.
- A credible and engaging reply to the story. This will depend on the nature of the threat facing you.
- You also want to ensure that any insurance you have covers such events to mitigate any significant financial loss or damage to the business.
A major problem in addressing such a fake news story is that responding and not responding may both cause an escalation by the attacker:
- Well, it must be true because they obviously can’t correct it or deny it. Or,
- Well, they would deny it wouldn’t they.
This means that you will need to have expertise available to support you in minimising the damage.
Internet of Things: Confidence not Confidentiality
The Network of Autonomous Devices is forming; small things talking to each other, making decisions based on their exchanged information about how to manage the world around us.
Attacks are now being seen against these networks, both by researchers and by those with malice aforethought. In addition to using the devices to undertake traditional computer-based activities, such as launching Denial of Service attacks, many of these attacks have had an end objective: to take control of machinery.
Much has been said about security within cars, where attacks are performed by, for example, presenting fake throttle data to the engine management unit, or pretending to be the vehicle’s wheel rotation sensor to get the ABS controller to release the brakes – because if it believes that the wheels are skidding it will do what it is designed to do.
An attack against a building can be imagined where wireless temperature sensors are blocked and spoofed to misinform the HVAC system, which in turn will render the building unreasonably hot, or cold, making it unusable to a business. Or a datacenter could be overheated, shutting it down. Either is a disruption and a cost to a business.
The opportunities for spoofing information to create a change are endless.
The Internet of Things requires there to be confidence in the information being used.
- Are you confident that the device you are getting the information from is actually what it claims to be? Is it really the front left wheel rotation sensor on this car, or is it something else pretending to be?
- Are you confident that the information it is sending has not been tampered with? Is the temperature received from that sensor really what it is sending?
- What do you do if you mistrust the device? What assumptions do you make? How do you re-establish trust with that device? How do you report it? And will whoever is being informed react to it correctly?
Yes, Confidentiality is important; the data you are sending may be personally identifiable. However, the Integrity of the data, the Confidence you can have in it, is crucial.
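The first two confidence questions above (is the device what it claims to be, and has its data been tampered with) can be checked with a per-device keyed MAC and a message counter, with every rejection reported so that the controller can fall back to a safe default. The Python below is an added example, not code from the original post; the device name, key, message layout and the `sign_reading` and `Receiver` names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; real keys are provisioned per device and kept secret.
DEVICE_KEYS = {"temp-sensor-01": b"constructed-demo-key-01"}


def sign_reading(device_id, counter, value, key):
    """Sensor side: serialise the reading and compute an HMAC-SHA256 tag."""
    body = json.dumps({"id": device_id, "ctr": counter, "val": value},
                      sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


class Receiver:
    """Controller side: use a reading only if its origin and content verify."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted per device
        self.reports = []       # (device_id, reason) pairs for an operator

    def accept(self, body, tag):
        """Return the reading, or None so the caller uses a safe default."""
        try:
            msg = json.loads(body)
            device_id, counter = str(msg["id"]), int(msg["ctr"])
            value = float(msg["val"])
        except (ValueError, KeyError, TypeError, OverflowError):
            return self._reject("unknown", "malformed message")
        key = self.keys.get(device_id)
        if key is None:
            return self._reject(device_id, "unknown device")
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(tag).encode()):
            return self._reject(device_id, "bad MAC: spoofed or tampered")
        if counter <= self.last_counter.get(device_id, -1):
            return self._reject(device_id, "replayed or stale counter")
        self.last_counter[device_id] = counter
        return value

    def _reject(self, device_id, reason):
        self.reports.append((device_id, reason))
        return None
```

A MAC gives confidence in the origin and integrity of a reading, not in its secrecy, which matches the priority argued for here; it does not stop a sensor being blocked, so a controller still has to decide what to do when no valid reading arrives.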
Why Confidentiality, Integrity, Availability?
Security Standards, such as ISO27001, talk about protecting the Confidentiality, Integrity and Availability of information.
- Loss of Confidentiality is embarrassing, can damage a business’s reputation, result in regulatory fines, and can have legal consequences for the directors.
- Loss of data Integrity means you no longer trust what the business is doing or saying: incorrect orders, false wage payments to non-existent employees, abusive PR from a hacked Twitter account or Website.
- Loss of data availability means you have no information to act on. No customers, no orders, no finances.
These are all Business Issues, not fundamentally technical issues.
