Security Experts:

The Risk of Triangulation: You May Just be a Piece of the Puzzle

As the world’s ongoing conversion to the digital realm continues, the risks involved with protecting sensitive information will only intensify.  

For security teams, this means expanding your view of risk and considering factors outside your company when evaluating potential motivations for a breach. Companies have to keep an eye on current events in ways that were never under IT’s purview in the past. And that means you have to bring in the right talent to do so.

Having that broader view is important because the different motivations behind today’s attacks mean they can seemingly come out of nowhere. How you look at the information itself is no longer the sole concern. Your organization and your data may just be a piece of the puzzle. 

One of the more intriguing ways this is playing out is in the murky world of cyber espionage—and just about every national government is engaged somehow. 

Perhaps the oldest and most widely known example is the Stuxnet worm attack on Iranian nuclear facilities a decade ago, widely attributed to the United States and Israel. Stuxnet was introduced to the facility—which had no internet connection—via hacks against partners and subcontractors working at the site. It targeted a specific type of equipment being used to control the facility’s uranium enrichment centrifuges, which is believed to have been identified in the background of a photograph. 

Stuxnet also illustrates how an attack on one entity may only represent an incremental gain and not the ultimate goal. Cyber espionage and criminal organizations realize that the value of a piece of data is much greater when correlated with other data sets. 

Data, after all, are just points of information, details from which real insight can be derived. Standalone pieces are rarely useful, but when data points are connected in context, they begin to tell a story. 

Today’s malicious entities are sophisticated enough to leverage different data siloes in ways that can be tricky to anticipate. And all of this is relatively new, simply because the level of information out there today was never available before. It’s easy for a company to be caught off guard. 

Take the hack of the U.S. Office of Personnel Management (OPM) that hit the headlines back in 2015. Clearly this was very sensitive information: names, addresses, phone numbers, even fingerprints of millions of U.S. government employees and their level of security clearance. 

The hack itself sparked fears of blackmail attempts, since federal background checks include deep detail on a person’s private life—vices, past relationships, criminal history, financial situations—which would be recorded in each person’s security clearance file. 

But as grave as that was, it may have become even more powerful over the past few years as the same malicious entity—thought to be related to the Chinese government—seems to be continuing its attempts to triangulate and correlate that information with other data sources. 

Soon after the OPM hack, there was an attack on United Airlines that compromised travel itineraries. United is one of the U.S. government’s primary air carriers, ferrying diplomatic and military personnel all over the world. 

Correlating passenger information with security clearance information, then triangulating those points with destinations could have provided valuable insight into whether a potential spy was entering a particular country or neighboring ones, compromising U.S. national security, not to mention the personal safety of the employee. 

More recently, an attack on financial and credit reporting provider Equifax in 2017 has also shown signs of being linked to the same attackers. Compare this against the OMB’s practice of conducting ongoing credit reports on those holding security clearances. 

The point of OMB regularly pulling credit reports is to identify security clearance holders that may be putting themselves at risk of blackmail by foreign entities through financial difficulty. What if said foreign entity knew of the holder’s financial situation and was able to offer a remedy before the OMB became aware of it? 

It all becomes more alarming on the heels of former CIA case officer Kevin Mallory’s recent conviction on charges of espionage and lying to the FBI. Mallory was recruited by Chinese intelligence in early 2017, and was a prime target for compromise with a failed business putting him thousands of dollars in the red and behind on his mortgage. He faces a possible life sentence in prison at a hearing later this year. 

So far no one has linked the Equifax breach and Mallory’s recruitment into espionage, but it’s not hard to see how that could have happened and that there may be more such stories on the horizon. Any sophisticated cyber-criminal organization could use these same techniques, no matter what their motivation is.

As such, these stories should be a warning shot across your bow. It’s no longer enough to protect your own IT systems as if you’re on an island. You have to be thinking about how your data might connect with data from other organizations or industries and how those combined data sets could be triangulated into a larger picture that ultimately puts you at risk. 

view counter
Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of information Security at social media provider Demand Media where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.