[BreachExchange] Lessons Learned From This Year's Biggest Security Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 9 13:58:48 EST 2016


https://dzone.com/articles/lessons-learned-from-this-years-biggest-security-b

As the year draws to a close, we can look back on 2016 and see what
challenges the security industry has had to overcome. Jumping on this
bandwagon a bit early, I hope to draw attention to some of the more
difficult challenges our industry will face in the coming year. In order to
do that, I’ll point out the most newsworthy breaches of 2016.

Significant Security Breaches of 2016

The attack on Dyn, Inc.'s DNS service made the news this year because of the
sheer number of resources brought to bear against a single target. This was
the largest DDoS attack to date. A DDoS (Distributed Denial of
Service) attack uses many individual computers to request files or services
from a single server. It takes place on such a scale that it overwhelms the
victim’s ability to respond, effectively knocking it offline. The reason
this is so impressive is that it reached data traffic levels exceeding
anything measured before. In this case, exceeding 1.2 terabits per second.
The size of this attack resulted in a large number of Dyn’s clients going
offline for a period of time, including Twitter, Spotify, and GitHub. The
novel thing about this attack is its composition of a botnet of IoT
(Internet of Things) devices.

Fix IoT Security Issues Before They Disrupt Your Business

In November, the San Francisco Municipal Transit Authority (SFMTA) was
penetrated by an attacker who infected over 900 computers with ransomware.
Ransomware is malware that encrypts various files on a computer. It then
requires a decryption key to unlock them. This key is usually only provided
after the victim has transferred the ransom using Bitcoin. As a result of
the breach, the public was able to ride for free until the mess was
resolved. Additionally, the ransom wasn’t paid because backups were
available. The entry point of this attack was an Oracle server vulnerable
to the year-old “unserialize exploit.”

Interestingly, one of the biggest security incidents in 2016 didn’t
actually happen in 2016—it happened a couple of years ago. The Yahoo
breach, exposing 500 million email accounts, is the largest ever. The
actual vulnerability that resulted in the breach hasn’t been disclosed as
of yet. Keep in mind, a data breach of this size is unprecedented, which is
probably why Yahoo is reluctant to release the details.

Early this summer there was an attack on the DNC (Democratic National
Committee). The number of stolen emails isn’t close to the millions of
accounts exposed in the Yahoo breach. However, the nature of this attack is
what makes it a very important breach to include. The attack was carried
out by Russian hackers in an attempt to influence the 2016 presidential
election. This is cyber espionage at its highest level.

Nothing New Under the Sun

What do these attacks have in common? Nothing really groundbreaking or
earth-shattering. The techniques that attackers used have been around for a
long time. What has changed is the scale and the aggressive nature of the
attacks.

The number of email accounts stolen from a single company, Yahoo, is more
than have been stolen in a single previous year. In the past, DDoS attacks
could knock a website off the Internet for a short amount of time. But to
take down a huge swath of well-known, well-resourced companies for half a
day? That had never been done before.

Attackers have been automating the search for older unpatched
vulnerabilities for years. With the sheer size of the Internet, coupled
with the ease of deploying ready-made exploit kits, it’s easier than ever
to monetize any attack campaign. The attack on SFMTA demonstrates that
fully-automated AppSec weapon systems are on the horizon. Whether that
system is used for monetary gain or for some other nefarious goal, it’s now
not only easily imaginable—it’s possible.

Actionable Ways to Protect Your Organization

As we can see from the biggest breaches of 2016, software is under attack
from multiple angles. Security professionals have been pointing out these
problems for years. For example, hardcoded passwords should never occur.
Ever. They will be abused. This was part of the problem with the IoT botnet
that took down Dyn’s service. The Mirai botnet software used hardcoded
passwords to access thousands of IoT devices.

It’s also extremely important to keep software up to date. The unserialize
exploit used against the SFMTA was over a year old. It had also been patched by
Oracle. Penetration testing and software library audits may have helped
identify this problem before its exploitation. Software cannot be deployed
and then forgotten. It must be maintained and kept up to date with the
latest patches and security fixes.

The Yahoo breach illustrates that when a breach does occur, the company
needs to properly disclose what has happened. There should be proper
policies regarding the handling of the incident, as well as how it’s
reported to the media and regulatory bodies. After all, it isn’t possible
to stuff the genie back in the bottle. The stolen data will show up on some
dark Web market for sale. It will then most certainly be reported to the
media. By that time, the opportunity to get out in front of the situation
is lost.

In the case of the DNC hack, there are some sophisticated adversaries using
advanced techniques to commit espionage against the government. By
understanding the types of attacks that are happening in the wild, it is
possible to apply them to your environment via Red Teaming exercises.

Ensure Your Network, Physical, and Social Attack Surfaces Are Secure

A Red Team engagement is like a pen test for your network and physical
security. It includes social engineering tasks (e.g., phishing) with a
specific goal or target in mind. These are the same approaches used by
nation-state actors to gain access to corporate and government networks. As
such, performing them on your company’s resources gives you an
understanding of potential weaknesses in your defenses.

Summing It Up

These aren’t the only breaches that occurred in 2016, but they are very
representative of what will go on in 2017. We’ll see more breaches, and
we’ll see them on a larger scale—either with more accounts or larger data
sizes. Not only will email accounts be stolen and monetized, but the very
documents on corporate networks will be held for ransom and for larger
payouts. Hacking for political secrets will also happen more frequently as
we move into a new government. Attackers are becoming more experienced and
bolder because of it.

Take the time to learn how the breaches of the past year can be applied to
your specific environment. This will help you gain an edge in securing the
data you manage in the next year.