Should you be afraid of the big bad data?
Created: 09 Nov 2012
Throughout recent decades, cybercriminals have proved to be pretty adept at turning innocent technologies to dastardly ends. From Word macros to Google Docs, email to cloud-based processing, each time some clever individual comes up with a good idea, some equally bright bad guy thinks of something nefarious to do with it.
The latest buzz around 'big data' - a.k.a. the ability to derive insight from huge quantities of information - is likely to prove no exception. Forewarned is forearmed, as they say, so what kinds of risks does big data bring, and what can organisations do about them?
To answer this, we can first look at the two main areas where big data is said to be of benefit. First, it is seen as an extension to traditional analytics, offering (in the simplest terms) mechanisms to derive insight from larger quantities of information than in the past.
Second, given its provenance from the kinds of highly scalable online platforms we see today - for example Google and Twitter - big data is also discussed in the context of aggregating and analysing such online information. Put the two together, goes the argument, and you have access to a massive seam of information, if only you have the means to mine it.
It doesn't take much of a leap of imagination to work out how such models could be used for ill. The identity-related attacks we saw last year (for example, making off with the user profiles of PlayStation customers) provide similar quantities of information to those available to companies (say, Sony). There's absolutely nothing to stop ill-meaning programmers from linking such data to publicly available information from other sites, and building a better picture of the individuals concerned.
There is a school of thought which argues that the risk of such information being abused is relatively low. After all, we are told, the bad guys already have more credit card information than they know what to do with - while we might all be subject to attempted fraudulent use, the chances are small.
However, the ability to derive insight from these huge pools of information suggests a greater risk: not only building a greater understanding across a range of individuals, but also identifying those who might offer greater opportunity - for example, people who appear to travel a lot might well be relatively well-off. Once targets have been identified, the mega-pool of information can be used to focus an increasingly clever range of attacks.
To counter these risks, organisations of course need to continuously assess how well their systems and databases are protected. However, as the challenge moves online, there is no substitute for individual vigilance: from a corporate perspective, through the definition of an appropriate Acceptable Use Policy, and for individuals, by keeping an eye on one's own social presence and how information is presented to any third party, be it gaming sites or otherwise. "If in doubt, leave it out" is good practice, particularly when it comes to sharing location information.
No doubt we shall see significant advances in the big data space over the next year or so, not least in how analysis of aggregated information can help identify criminal activity and even lead to prosecutions. At the same time, however, legacy security holes and new exploitation mechanisms offer an increasing range of opportunities for the bad guys. If the world's information resources are set to become a battleground for cybercrime, the biggest losers will be those who thought such attacks only ever happened to other people.