It seems just yesterday that we were entering 2015 on the heels of a historic 2014. The size, scope, and severity of IT security incidents caused some experts to name 2014, “The Year of the Data Breach.” Twelve months later, it seems that too little of what inspired the title for 2014 changed in 2015. Let’s take a moment to reflect back on the major security incidents and trends of 2015, as well as what lessons we can take with us into 2016.
In January, the security community was still focused on the hack of Sony Pictures Entertainment, which occurred in November 2014 and ranked among the largest incidents ever in terms of volume: the attackers claimed to have stolen roughly 100 terabytes of data. One of the trickiest angles to the Sony story – and a topic that resurfaced in discussions and debates about other incidents throughout 2015 – was the difficulty of attributing the attack with certainty.
Then news broke of the attack on Anthem Inc., the second largest U.S. health insurer. The breach is confirmed to be the largest known involving personal healthcare data. Within days, Premera Blue Cross and its LifeWise affiliate found evidence their networks had also been breached, in an incident separate from Anthem’s. While these were not the first notable attacks on the sector – Community Health Systems and Texas Health and Human Services had suffered significant breaches in 2014, for instance – they reminded the security community of the extent to which this sector is targeted. They also renewed scrutiny of the troubling security practices (e.g., storing sensitive records unencrypted) that persist throughout the industry.
These breaches also highlighted a key difference in the consequences for victims whose personal healthcare data is stolen versus those whose financial data is stolen. Consumers bear little or no liability for fraud committed with stolen financial data such as credit card numbers, and a compromised card can simply be reissued. Stolen healthcare data, by contrast, cannot be reissued, and it enables new types of fraud (medical identity theft, fraudulent insurance claims) that are harder to detect and for which few consumer safeguards exist.
Government Victimized, Too
This has not been a good year for government IT security. The White House, the Pentagon, and the Internal Revenue Service suffered high-profile hacks, but perhaps the most consequential breach of the year occurred at the Office of Personnel Management (OPM).
One of OPM’s most important functions is to administer security clearances for government and contractor personnel. Anyone who possesses a clearance to access secret government information must undergo a substantial background investigation, in which applicants detail practically every aspect of their current and past life. The attack on OPM revived discussion and debate about attack attribution, with most pointing to China and others to Russia.
Just as importantly, it raised concerns about the impact on national security. The attack affected an estimated 21.5 million people and included the theft of Social Security numbers, financial histories, and 5.6 million sets of fingerprints. Unlike a password, a fingerprint cannot be changed once compromised, and fingerprints are a critical component of widespread government and burgeoning financial biometric security systems. The ramifications of the OPM breach on national security are likely to play out for decades to come.
New Trend: Cyber Extortion
If OPM was the most significant breach of 2015, then the most-discussed was that of AshleyMadison.com, the controversial website created to facilitate adultery. In addition to spurring social and cultural debates, this breach introduced a new angle to a broader emerging trend: Attackers’ use of compromised data to extort victims.
However, the more widespread and concerning trend in cyber extortion remains the ongoing evolution of ransomware. Many individuals and reputable businesses have fallen victim to these attacks. Since 2013, when the first variants of the now-infamous CryptoLocker surfaced, the ransomware market has thrived. As we saw with several new versions of CryptoWall released this year, criminals are increasingly operating like traditional software companies, shipping numbered releases and refining their “product” between them. This was also the year we saw ransomware evolve to target mobile devices running Android and Apple iOS.
Ransomware was not the only new threat to mobile devices. The Stagefright vulnerability, which affected nearly every Android version in use (2.2 onward) through the operating system’s shared media-processing library, followed in the footsteps of the widely shared-component flaws of 2014, such as Heartbleed in OpenSSL and POODLE in SSL 3.0. Such vulnerabilities are troublesome because they sit in software or protocols implemented across many devices and platforms, and that widespread use amplifies the potential impact of a successful attack. As mobile payment and mobile point-of-sale (POS) technologies usage continues to increase, so do threats and vulnerabilities, making secure mobile, BYOD, and network implementations even more important.
For many of the threats we saw in 2015, phishing remained a popular method to initiate attacks. Phishers evolved tactics to develop more convincing campaigns, which employed proper writing and recognizable visual branding (e.g., logos) to mimic communication from trusted companies to consumers. The most common lures continued to be variations of incorrect billing statements and malicious prompts to reset account passwords. State actors also continued to use sophisticated spear-phishing to gain entry into corporate and government networks. Some phishers revived an old-school tactic: delivering malware through macros embedded in Microsoft Office documents, which run once the recipient is talked into clicking “Enable Content.”
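The macro tactic is easy to triage at the mail gateway because modern Office files (.docx/.xlsx/.pptx) are ZIP archives whose macro project is stored as a separate vbaProject.bin part. The following script is an added example written for this page, not tooling from the original post; it assumes attachments have already been extracted to bytes, and the sample “documents” it checks are constructed inline rather than real files. It flags a macro project, flags the extension mismatch attackers use to make a macro file look like a plain .docx, and escalates legacy OLE2 (.doc/.xls) files, whose macro streams it does not parse, to a dedicated scanner.

```python
import io
import zipfile

# OOXML files are ZIP archives. A VBA project is stored as a vbaProject.bin part,
# and [Content_Types].xml declares a "macroEnabled" content type for the main part.
MACRO_CONTENT_TYPE_HINTS = ("macroenabled", "vnd.ms-office.vbaproject")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (OLE2 compound file)


def inspect_office_attachment(filename: str, data: bytes) -> dict:
    """Triage one attachment. Returns format ('ooxml', 'ole2', 'unknown'),
    has_macro, a list of reasons, and a verdict ('allow', 'review', 'block')."""
    reasons, has_macro, fmt = [], False, "unknown"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can carry macros, but parsing OLE streams is out of
        # scope here; hand these to a dedicated tool (assumption: one is available).
        fmt = "ole2"
        reasons.append("legacy OLE2 document; needs a dedicated macro scan")
    else:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                fmt = "ooxml"  # simplification: any ZIP is treated as OOXML
                names = zf.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    has_macro = True
                    reasons.append("vbaProject.bin part present")
                for n in names:
                    if n.lower() == "[content_types].xml":
                        manifest = zf.read(n).decode("utf-8", "replace").lower()
                        if any(h in manifest for h in MACRO_CONTENT_TYPE_HINTS):
                            has_macro = True
                            reasons.append("manifest declares a macro-enabled content type")
        except zipfile.BadZipFile:
            reasons.append("not a ZIP/OOXML container")

    # Macro-enabled formats end in 'm' (.docm/.xlsm/.pptm). A macro inside a file
    # named .docx/.xlsx/.pptx is the disguise described above: block it outright.
    if has_macro and ext in ("docx", "xlsx", "pptx"):
        reasons.append(f"macro found in a file named .{ext} (extension mismatch)")
        verdict = "block"
    elif has_macro or fmt == "ole2":
        verdict = "review"  # policy choice: honest .docm and legacy files get a human look
    else:
        verdict = "allow"
    return {"format": fmt, "has_macro": has_macro, "reasons": reasons, "verdict": verdict}


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML archive (constructed test input, not a real document)."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)  # stub payload
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docx", build_sample_docx(with_macro=False)),
        ("invoice.docx", build_sample_docx(with_macro=True)),
        ("invoice.docm", build_sample_docx(with_macro=True)),
        ("statement.doc", OLE_MAGIC + b"\x00" * 64),
    ]
    for name, blob in samples:
        result = inspect_office_attachment(name, blob)
        print(f"{name}: {result['verdict']} ({'; '.join(result['reasons']) or 'clean'})")
```

Checking both the vbaProject.bin part and the content-type manifest matters because either alone can be stripped or renamed by an attacker; the container format, not the file extension, is what decides the verdict.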
Malvertising continues to plague websites ranging from email providers to major publishers. Malvertising is particularly sneaky because the victim need not click anything: merely loading a page that serves a malicious advertisement can trigger a drive-by download that exploits the browser or a plug-in. The problem is expected to worsen before improving, although the increasing use of browser extensions that block ads and refuse to run embedded website scripts by default should help.
Among the most concerning new areas for potential attacks is the Internet of Things (IoT). Gartner predicted a year ago that 4.9 billion connected things would be in use during 2015. Meanwhile, security researchers proved all manner of networked things are hackable, from a Jeep to nine baby monitors. As we close out the year, devices ranging from heart monitors to refrigerators are receiving renewed security scrutiny. Expect to hear much more in 2016 about the security vulnerabilities inherent to the IoT.
Even as we forge toward new technological frontiers in 2016, basic security principles remain valuable. For starters, know your people, processes, and technologies – and the potential vulnerabilities in each. Know who’s on your network and who has access to which resources. Consider ways to improve monitoring, detection, containment, response, and recovery. Exercise good password hygiene, keep offline backups of your data (the only reliable defense against ransomware), keep software patched, and be skeptical of unexpected or suspicious emails. If you have questions, we’re always just a phone call away.