Many have called 2014 the “year of the breach,” but these attacks are not a new phenomenon – companies have been dealing with cybercrime at various levels for years. That being said, these attacks have certainly evolved over time.
Ghosts of Security Past
The Ghost of Security Past is the “classic” breach. These happen when security teams neglect the basics, including:
- Patching and updating
- Sound baseline security policies
- Security awareness training
- Encryption where it’s warranted
- Serviceable perimeter protection
- Identity and access management
Attackers will probe a company’s network until they find an overlooked unpatched system, a user who doesn’t know better than to click on a phishing link, or some other gap in the fundamentals.
The Ghost of Security Past paid a visit to eBay this year. Back in May, the auction site and global retailer disclosed an attack that compromised its main user database, giving the attackers access to the encrypted passwords, email addresses, registered postal addresses, dates of birth and phone numbers of 233 million users. eBay revealed that the attackers had gained access to the system between late February and early March, meaning they had a number of weeks to collect and work through information in the database before the intrusion was discovered and disclosed in May. This is an attack that could have been prevented, and eBay’s security team most likely identified the issues that needed fixing as part of its incident review.
Ghosts of Security Present
The Ghost of Security Present appears in the form of the retail breach. This year, major stores and chains like Target, Neiman Marcus, P.F. Chang’s, Home Depot, Michaels, Goodwill, Jimmy John’s, UPS and Bebe all experienced very public breaches, and many more drew little attention because of their smaller size and impact. The personal and payment card information of tens of millions of customers has been compromised, and I don’t expect this trend to let up anytime soon. Card-stealing criminals have figured out how to compromise point-of-sale (POS) systems, and they’re working their way through the retail industry. Obviously, the retail industry hasn’t found a way to get ahead of the attackers yet, since we’re still hearing about a new, major retail breach every month or so.
Ghosts of Security Future
The Ghost of Security Future is the reality we all need to be ready for: nation-state attacks on non-government infrastructure. We saw a striking example of this when JPMorgan announced in October that some 76 million households were affected by its breach. When it was revealed that 13 other financial institutions had also been targeted by the same group of attackers, it became clear that we were not dealing with your average band of cybercriminals; launching that many sophisticated attacks simultaneously is no easy feat. Suspicion has centered on the Russian government, although attribution has not been publicly confirmed.
Most recently, the Sony Pictures hack has grabbed hold of the headlines. Internal emails, Social Security numbers, addresses and other personal employee and client information have been exposed, a movie’s release has been “cancelled,” and while the full story of this breach is still unfolding, one thing is very clear: you do not want something like this happening to your organization. The culprit? Apparently, North Korea.
The capability being demonstrated here is sophisticated, and all critical infrastructure organizations (financial services, healthcare, public utilities, state and local governments, etc.) need to consider that they could be the next target. By a commonly cited estimate, about 85 percent of critical infrastructure is in private hands. If we are truly seeing nation-state attacks turn against private institutions, the organizations making up that 85 percent need to take action to improve their security posture. At the moment, they simply aren’t ready for this type of attack.
The ghosts of Security Past, Present and Future all have something to teach us. Let’s make 2015 the year that we take security seriously and get ahead of these threats.