2014 has been a very bad year for data security. Many of these attacks have made the news, starting with Target and ending with Sony. Unfortunately, the majority of data breaches never make the mainstream media. If you ever think that data security is improving, check out Hackmageddon.com. They put out a fortnightly report on worldwide cyber attacks. The November 16-30 report, for example, lists 36 attacks in just those 14 days. To me, some of the more interesting attacks:
- ISIS social media is hacked, replacing a threatening message from the group’s leader with a song along with a logo similar to that of the Egyptian military.
- The US State Department is forced to shut down its unclassified email system.
- The entire City of Detroit database is encrypted, and the hackers demand a ransom of 2000 bitcoins (about US$800,000). The database is still down.
- The hacker group Anonymous had a busy fortnight: they deface the City of Ottawa web site, take down websites of the Supreme Court of Canada, Ottawa Police, several police organizations in Italy, and the City of Cleveland.
- The Syrian Electronic Army redirects the Internet traffic of a customer identity management platform to its servers. Among the many sites affected are CNBC, the Canadian Broadcasting Corp, and the Boston Globe.
- Healthcare will see a substantial increase in data-stealing attack campaigns. Attackers are after medical records and patient data. These records contain personal information, including links to insurance and financial accounts, that can be used in additional attacks and fraud. I have recently posted about this issue in general and how the shift to electronic medical records is actually increasing the risk. Websense expects these attacks will rise in frequency and success in 2015.
- The “Internet of Things” refers to the increasing connection of almost anything to the Internet. You are probably aware of some of them: your car; your house, including appliances and security devices; individual and government security cameras; and electric and other utility meters. The real danger is not your personal gadgets, but the devices that control our electrical grid, oil rigs, dams, water supplies, traffic lights, and manufacturing lines. Websense expects increased attacks from multiple sources on these devices. For your business, this is the next attack opportunity phase after your BYOD (bring your own device) initiatives.
- Credit card attacks will continue, but as the value per card decreases due to increased security by the card processors, Websense expects these cybercriminals to expand the information they steal, and aggregate that information for individuals from related sources like loyalty programs and medical information. Then they can sell complete personal identity dossiers.
- Your smart phone and tablet will be attacked, not to steal the data that is on the phone, but rather to gather information for later credential-stealing and authentication attacks on all of the data you have access to in the Cloud. As more and more of us use the mobile device as part of our authentication process when we access the Cloud, Websense expects attacks involving malware that intercepts the authentication elements, turning your device into a man-in-the-middle attack, perhaps even enabling the cloning of your mobile device. The result: the cybercriminals will have the same access to the personal and corporate data that you do.
- Newly discovered vulnerabilities in old code. We have recently seen examples such as Heartbleed that take advantage of vulnerabilities in open source code. There are probably hundreds of similar vulnerabilities, and many are probably already known to hackers. There are probably thousands of vulnerabilities in proprietary code such as Windows and the huge supply of legacy code still in use, some of it decades old and written in an entirely different security landscape in a pre-Internet era. Little of that code has been properly checked from a security perspective. Websense expects at least one major breach of confidential company data based on “undiscovered” old code vulnerabilities.
- Email threats will evolve to a new level of sophistication. Websense expects a general decline in the amount of spam, but the new spam will increasingly get through your corporate or ISP spam filters and reach your mailbox. These new messages may not contain a link or anything that looks obviously like spam, but are actually the first reconnaissance step in a continuing attack.
- As your company increases its use of Cloud and social media tools, like Google Docs, these approved cooperative tools will become part of the attack structure. Cybercriminals will migrate their command and control infrastructure into these approved channels, thus escaping detection by your company’s network monitors. Websense expects these compromised approved sites to hide data-security attacks.
- New players will join in the current Cyber War. Unlike existing measures designed to limit access to strategic weapons (like the nuclear non-proliferation treaties), there is nothing to limit the ability of countries, rebel groups, and others with nationalistic interests to engage in cyber war. Even potential future international treaties, which may have an effect on some countries, will have no effect on organizations like ISIS or rogue countries like North Korea. Because it is relatively inexpensive to organize a cyber-terrorism or cyber-warfare organization, it does not require a large First World country to support such activity. Websense expects one or more cyber-warfare attacks from countries with high forecasted economic growth in order to protect and advance their growing influence.
All in all, it appears that 2015 will be a very interesting time in cybersecurity.
The last word:
When your company is attacked, are you ready? Can you afford not to be ready?
At an absolute minimum, keep your operating systems and anti-malware software up to date. Microsoft’s December Patch Tuesday contained seven security updates, including three critical security patches, ending a year of far too many serious flaws in Microsoft software.
Are you still running Windows XP? If so, make a New Year’s resolution to get completely off XP by the end of 2015. It is far too dangerous to keep running it.
Keep your sense of humor.