Virtual Attacks – the Cheapest compromise of all.

I have been watching the growing discussion surrounding Mitt Romney’s tax return and PWC with interest. What is fascinating is that the actual facts of the case are pretty immaterial. The Twitter feeds and blogs are buzzing with discussion (I am as guilty as the next man) surrounding Mitt Romney’s tax return, while PWC have vigorously rejected claims that their security has been breached. The debate will roll on… and on… till it is supplanted by another debate – but we will still read it and form our opinions!

The next stage will doubtless involve conspiracy theories. Is this a marketing ploy by PWC (unlikely but not impossible)? Is this a cunning trick to increase Mitt Romney’s news coverage? Who knows. The key thing is that the majority of the debate is about the incident rather than the principal issue.

We, the global consumer base, fall upon these stories like a swarm of leaf cutter ants. We snip them up and put them together in a shape that makes sense to us. Unlike the “professional media” (!), many of us do insufficient fact checking before we move things on, and thus the stories evolve. The enormous speed at which information flies means that the evolution of a story often becomes the issue, rather than the issue itself.

We consume the information and we move on, having informed our opinions and made our decisions. This morning’s news is history by lunchtime and the facts of the case have been consigned to the waste with our sandwich wrappers. This is not a new phenomenon, but it is exacerbated by the current high-tempo news environment.

This situation provides a significant opportunity for attackers – especially in an economic environment where many organisations are vulnerable to adverse publicity, where bank covenants are at risk and where markets are volatile. One doesn’t necessarily need to actually compromise a system – merely to create a credible enough story that a successful attack has occurred. Business systems (this is not just about technology, as the Romney tax return case shows) are often so complicated that it can be very difficult to confirm that an attack has not taken place. This is especially relevant if the potential impact surrounds the integrity of information rather than its confidentiality.

The problem becomes one of trust – and the relationship we have with those on whom we are dependent. If an attacker can effectively and credibly target that trust relationship, using the turbo-charged information superhighway, then perhaps it will save him from having to compromise any actual systems.

What can we do about it? The answer is easy to say and harder to deliver… We need to understand what we are doing and the services on which we depend. We need to understand our tolerances: what compromise we can or cannot do without. We need to understand when a problem becomes unacceptable. Finally, we need to have thought about what we are going to do when the inevitable happens.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

Posted 5 years ago