[BreachExchange] 17 Things We Should Have Learned in 2017 But Probably Didn't

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 11 18:48:45 EST 2018


Before you make your cybersecurity resolutions for 2018, curl up with some
egg nog, sit by a fire, nestle yourself in the comforting sounds of loved
ones' voices in the next room, and spend some time reflecting on all the
cybersecurity resolutions you failed to fulfill in 2017, 2016, and 2015.

Chances are, you make similar resolutions every January 1st. Each year the
infosec headlines flood us with new cautionary tales, some trying to teach
us the same old lessons. Here are 17 things we should have learned from the
horrors of 2017...but probably didn't:

1. You need to know what data you have, and where it is.
It seems like a reasonable request. Keep track of the valuable assets
people give you, whether that be cash, a lawnmower, or personally
identifiable information. Nevertheless, it took Yahoo three years to
discover that they'd experienced a data breach of 1 billion accounts in
August 2013, and another 10 months to realize that (slight miscalculation)
three times as many accounts, in fact every single Yahoo user, were exposed
in that incident.

Credit bureau Equifax also had some trouble discerning the scope of its
breach - an incident that not only exposed nearly every American adult to
the threat of identity theft, but inspired new calls for stricter
regulations on data aggregators. Bolstering that argument: marketing firm
Alteryx's subsequent leak of extremely rich data on 123 million American
households, including 248 data fields covering everything from how much
they refinanced their home for to whether they prefer dogs or cats.

Breaches like this are what the EU's General Data Protection Regulation was
created for, and with GDPR enforcement actions due to arrive in May 2018,
lesson number 1 is something you ought to get hip to right quick. (Bonus
tip: don't set your AWS cloud storage bucket access permissions to "let any
AWS user download my database" like Alteryx did.)

2. How we respond to incidents is just as important as how we prevent them.
Equifax was going to lose some friends when they exposed names, Social
Security Numbers, birth dates, and addresses on 145.5 million Americans and
12.5 million Brits. They exacerbated the problem by waiting 40 days to
report the incident after discovering it. They made it worse by having a
website with poor functionality and conflicting information. Then, Equifax
offered victims complimentary credit monitoring - provided, ironically, by
Equifax - but only if the victim first provided their credit card number
and waived any rights to take legal action against the company. (They later
removed this clause, after public pressure). It was hard to imagine how
they could have bungled it worse.

Until Uber's news broke. Not only did the company choose to keep their data
breach (of 57 million drivers' and passengers' data) to themselves for a
full year, they paid attackers $100,000 to keep the secret to themselves
too (and delete the data, which reportedly appeared on the black market
anyway). The behavior was ethically questionable, and the lawsuits quickly
started to pile up on Uber; the city of Chicago and Cook County asked for
$10,000 per day for every violation of a user's privacy.

3. Social Security Numbers should not be used for anything but Social
Apparently this is something that still needs to be said. One of the
greatest concerns of the Equifax breach was the release of so many Social
Security numbers, which would not be a concern if SSNs weren't trusted so
implicitly so widely, and if they could be reset, reissued, or verified by
the Social Security Administration. For some reason, we continue to treat
an unchangeable, easily guessable, unverifiable set of nine numerals with
the same reverence we treat fingerprints.

4. Radio frequency communications need to be secured.
Interception of radio communications only became an issue about, oh, 100
years ago or so. Maybe we just need to give the manufacturers of radiation
monitoring systems, pacemakers, and other IoT devices another 100 years to
start using encryption (and strong encryption) on their RF protocols.
Non-WiFi communications in general need more security love in the IoT
world, as the Blueborne vulnerabilities in Bluetooth also attest. On the
plus side, security companies are beginning to address these issues, with
tools like Rapid7's RFTransceiver extension for scanning wireless devices
outside of 802.11.

5. ICS/SCADA needs special security treatment
The year began with the discovery that the 2016 electric grid outage in
Ukraine was caused by the first malware designed solely for electric grids
(called CrashOverride by some, Industroyer by others). By the end of the
year, the TRITON malware was disrupting ICS operations even while failing
to achieve its true aims. In between, the DragonFly (aka Energetic Bear)
APT group was looming over the US power grid, a PLC hack jumped the air
gap, and more.

A Honeywell survey found that about two-thirds of companies in the
industrial sector don't monitor for suspicious traffic and nearly half
don't have a cybersecurity leader. But don't sneer at them. Most of the
cybersecurity tools currently available are too invasive to be borne in
highly heterogenous ICS environments that have little to no tolerance for

6. You need to deploy patches faster ... no, really.
Equifax was compromised first in May, via the critical Apache Struts
vulnerability disclosed in March. When news broke, attackers were already
attempting to exploit the vuln and researchers urged anyone using Struts2
to upgrade their Web apps to a secure version. Clearly Equifax did not move
fast enough.

In fairness, patching is hard, and March to May isn't that much time for an
enterprise Equifax's size to complete the process. Organizations
nevertheless must inject some jet fuel into their patch management
processes because the vendors sometimes take their sweet time issuing
fixes. Microsoft, for example, didn't patch a Windows SMB bug until a month
after an exploit for it, EternalBlue, was publicly disclosed. The
EternalBlue exploit, which enables malware to quickly spread through a
network from just one infected host, was soon used in both the WannaCry
attacks in May and the NotPetya attacks in June. Despite the terrifying
(and highly publicized) nature of WannaCry and NotPetya, a scanner created
by Imperva researchers found in July that one of every nine hosts
(amounting to about 50,000 computers from what they'd scanned) was still
vulnerable to this exploit.

7. The NSA might not be the best place to put your secret stuff.
That EternalBlue exploit used in NotPetya and WannaCry was first stolen
from the National Security Agency and publicly leaked by the Shadow
Brokersgang last year. Attackers used it, as well as other NSA creations
like Adylkuzz, in a variety of campaigns in 2017. Plus, NSA software
developer Nghia Hoang Pho pleaded guilty to illegally retaining national
defense secrets and bringing them home, where they were subsequently stolen
by Russian state-sponsored actors. Although there was no indication that
Pho had malicious intentions, he is the third NSA insider in recent years
to be responsible for the misappropriation of highly classified

8. Cybersecurity failures are beginning to have significant market impacts
... sort of.
The incident at Yahoo - even before the full scope of it was discovered -
led the company to shave $350 million off the price when they sold the
company to Verizon for a paltry $4.48 billion (about a 7 percent discount).
Equifax's stock price dropped massively in the immediate wake of its
devastating and horribly mismanaged breach. By early October, though, it
had secured a new deal doing identity verification for the IRS and the
stock had nearly recovered. Three months later, the stock is even higher
than it was in September.

Security researchers are investigating other ways to use market pressures
to improve cybersecurity themselves. Meanwhile, organizations are getting
smacked by regulatory fines and legal settlements, like Anthem Healthcare's
record-setting $115 million to settle its 2015 data breach.

9. Integrity of data (and the democratic process) can be disrupted by more
than "hacking."
Depending upon your definitions of "cybersecurity" and "information
security," you may or may not feel that fighting disinformation is part of
your job description, unless there is some kind of hacking or malware
involved. Remember, though, that "integrity" is the "I" in the sacred
security C-I-A triad, even if confidentiality and availability get most of
the attention. So it is worth studying how attackers spread disinformation
campaigns, how disinformation have been used to disrupt elections in
Ukraine and the US, how attackers use fake social media profiles for
malicious purposes, how the FCC's Net Neutrality public comment process was
marred by the influx of millions of comments made with stolen identities,
and how social engineering in all its forms succeeds daily.

10. You really should refresh your DDoS defense and preparation plan.
If you didn't immediately start reviewing your DDoS defense and response
plans after Mirai hit last year, then perhaps news that DDoS attacks
doubledthis year, averaging eight attack attempts per day, will get you
moving. Or attackers' renewed interest in DNS, like, when they seized
control of a Brazilian bank's DNS infrastructure? Or the fact that WannaCry
and NotPetya caused major disruptions to production and operations at
companies like Honda and Merck? If not, it's time to start planning. And
don't forget to take a look at your DNS, and figure out how to protect your
cloud resources from ransomware.

11. You can't escape the effects of political and civil unrest.
Attackers have always capitalized on current events when writing phishing
messages, but unrest can also impact disaster recovery plans, security
software purchasing decisions, and the culture of the security team.
One-third of the over 250 respondents to an informal Dark Reading survey
say that the US political climate has already caused them to make
infosec-related changes to their business continuity and disaster recovery
plan; another 12% say they're considering making such changes. Federal
government agencies are removing Kaspersky Lab security software for fear
that the security company was influenced by the Russian government,
(shortly after President Trump tweeted that he and Russian president
Vladimir Putin had "discussed forming an impenetrable Cyber Security

12. Infosec workforce diversity is something you should actually care about.
The most mercenary reason cited for increasing the diversity of the
cybersecurity workforce is that there are many thousands of unfilled
security jobs that need filling, and we're missing out by not appealing to
more women and people of color. There are other, better reasons as well,
like treating people with respect, getting the best out of your staff, and,
maybe even better understanding an increasingly diverse group of threat
actors. Infosec leaders need to take steps to build a path to greater
diversity by revisiting hiring practices, making meetings more inclusive,
and being willing to "have the uncomfortable conversations" that lead to
greater understanding and better teamwork.

13. Bitcoin is awesome, once you take away the part about currency.
Gee, Bitcoin sure is great for paying ransomware operators and for debating
just how much volatility a financial system can bear. But the best thing
about it is the platform upon which it's built: Blockchain. The distributed
ledger technology essentially allows for the creation of a list of records,
each record cryptographically linked and secured, thereby enabling greater
data integrity for all manner of applications. JP Morgan's CEO Jamie Dimon
called Bitcoin "stupid," but his company got behind Blockchain in a big way
this year, announcing a Blockchain-based cross-border payment network; IBM
released a similar offering. And while you're pondering the ways to use
Blockchain for your own business, mind your Bitcoin, because
cryptocurrencies are already being targeted by DDoSes and mined by botnets,
and now the Lazarus Group is in on the act. (You may remember Lazarus Group
from its performances in Sony Breach and SWIFT Network Attacks).

14. Encryption is great ... except when it isn't.
People love Blockchain partly because of all the crypto packed inside like
chocolate chips in a cookie. Our trust in crypto can sometimes be shaken,
however, like during one very bad week in October when it was discovered
that secure WiFi sessions could be hijacked by the KRACK vulnerabilities in
WPA2. A factorization bug in Infineon's TPM chipset had exposed millions of
crypto keys to an exploit that would allow attackers to generate a private
key from a public key,  and some suspicious individual was scanning up to
25,000 systems a day looking specifically for vulnerable private SSH keys.
That made Cloudflare's little ol' months-long leak of encryption keys,
cookies, passwords, and HTTPS from Cloudflare-hosted sites like Uber and
OKCupid seem almost quaint.

15. Firmware is your problem too.
Itty-bitty concerns like factorization bugs that could render your
encryption entirely useless start in the chipset. There were plenty of
other hardware and firmware hacks unleashed this year that should also get
the infosec pro's attention, even if they're more comfortable with
software. Like for example the Intel AMT flaw, or the Intel ME
vulnerabilities that would give attackers "God mode" even when it's turned
off (US-CERT sent an advisory about that one), or any of the
hardware/firmware hacks revealed at Black Hat conferences.

16. No, malware does not mean no problem.
Malware is nice, but it's more easily detectable than some other kinds of
attacks. The good old-fashioned con never goes out of style, because social
engineering works. Business email and account compromise attacks (BEC
attacks) are a good example - total losses to BECs have surged past the $5
billion mark, according to the FBI, and are five times more profitable than
ransomware, according to Cisco. And then there are "fileless" attacks. By
using malicious macros, manipulating legitimate Windows services for
nefarious activity, executing code in memory, using stolen credentials or
PowerShell or a variety of other sneaky methods, attackers are evading
anti-malware systems by simply not using malware at all.

17. Getting stabbed in the side is a bigger problem than getting stabbed in
the back.
We've known for years that attackers can break in through one poorly
secured endpoint and laterally move through your network until they access
the crown jewels from the inside. While attackers continue to get better at
lateral movement, most organizations haven't done anything to get better at
preventing it. With better-managed access controls and microsegmentation,
and the use of an automated lateral movement tool to help good guys (and
others) quickly find the most vulnerable pathways, organizations might
begin to help defend themselves against a variety of attacks, including
nightmares like an Active Directory botnet.

But it's not all bad
In summary: there's no substitute for good hygiene. True, 2017 wasn't
without it's horrors, but there were a few victories, too. The WireX
Android botnet was taken down, the Andromeda network of botnets (that
helped spread Petya, Cerber, and Neutrino) was finally taken down, and
although 2018 might be worse, the good news is that CISOs' salaries are
expected to go up again, to over $240,000. Raise your champagne glass to
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180111/f7cec22f/attachment.html>

More information about the BreachExchange mailing list