In the “arms race” between those responsible for high-level information in databases and those seeking to access it illegally, the scenario changes at a dizzying pace. As new programs and applications are designed, these in turn give way to further evolutions, and each development provides opportunities for errors in security protocols. It is likely the pace of this change will continue, just as database information storage has become the norm, even for the most privileged agencies and government departments worldwide. Such agencies secure certain kinds of data very well, through the efficient means of limiting the individuals who have access. Nonetheless, immense damage may occur through ancillary modes of access that attack, if not the core data, systems of great importance. This being the reality, it is all the more critical that such information content be reclassified so that more of it is as protected as the most sensitive. This translates to “enlarging the vault” and placing the strongest protections on information still too easily accessed.
The urgency here is demonstrated by a recent and potentially devastating attack. In February of 2013, due to flaws in Adobe software, hackers were able to infiltrate a variety of European governmental systems, including that of the North Atlantic Treaty Organization (NATO). “MiniDuke,” the malicious software, entered through an unusual portal: once the virus had entered through PDF files, it was programmed to search for information logged in social media accounts which would allow control of the personal computer itself. The sophisticated virus focused on Twitter accounts, but was also able to employ Google searches to retrieve the controlling information. The attack was also widespread, reaching U.S. health care providers and a Hungarian research institute (Finkle, 2013).
NATO and other government entities are accustomed to such attacks, which occur virtually daily. Typically, security protocols go into effect before sensitive information is accessed. This attack, however, was of such force and design that it is believed a nation-state may have been responsible. Then, there is the important aspect of just how varied the targets were, sharing only the commonality of high-level data. Clearly, the threat was very real, as the levels of government potentially breached have not been identified publicly. To date, opinions as to the identity of the attackers range from China to students who are proficient in programming and possibly have no actual agenda (Finkle, 2013).
Perhaps the most striking element of the attack was the strategy of employing personal data to enter into privileged information channels. This was not software seeking to actually enter into databases, but to assume complete user control. This being the case, it becomes essential to comprehend how human social behavior conducted through the computer enables another point of attack access. This attack, again, had not reached the stage where real infiltration of information had occurred (Finkle, 2013), but there is cause for concern in the approach. As more users, at all levels, increasingly explore social media, they create new windows through which hacking may enter, as noted, merely by retrieving enough user information to masquerade as the user.
It would appear that, given the extraordinary range and sophistication of the MiniDuke attacks and others like it, governments must increase vigilance on the one point of entry securing information beyond all other measures: access points. With access rights strictly monitored, the usage of even “backdoors” of Google or any social network site should not avail the attacker. When an organization is of the size and importance of NATO, the emphasis on properly determining trustees of the key resources is all the more essential. Trustees are those select individuals with coded access, and such a process of security is both reasonable and effective under normal circumstances (Newman, 2009, p. 176). Human beings, nonetheless, are fallible, and the more sensible course is then to secure more information in the ways that protect the most vital. This done, the attacker’s success in circumventing individual control becomes futile, because the most secured information store is expanded.
Finkle, J. (2013). “NATO, European Governments, Hit by ‘MiniDuke’ Cyber Attack.” Reuters. Retrieved from http://www.reuters.com/article/2013/02/27/net-us-cyberattack-miniduke-idUSBRE91Q0OL20130227
Newman, R. C. (2009). Computer Security: Protecting Digital Resources. Sudbury: Jones & Bartlett Publishers.