[BreachExchange] Major IT Security Lessons Learned From 2017

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 12 13:58:02 EST 2018


George Santayana famously observed that: “Those who cannot remember the
past are condemned to repeat it.” In a year when data breaches escalated
and cyber-criminals found yet more ways to infiltrate the enterprise
network, this quote came to mind. So, with 2017 behind us, let’s look back
over the year, evaluate what happened in cyber security and understand how
it happened, so that we can hopefully prevent it from happening again in
2018.

Data Breaches Continue To Happen

As I have already alluded to, data breaches increased in number and
severity over the past year. People may have become desensitised to the
news, but the number of personal records stolen or lost is staggering. In
2017 alone Uber, Amazon, the US Government, Equifax and Yahoo – to name
just a few – all experienced breaches, and there seemed to be another high
profile case every month. Investigating and remediating these incidents is
costly, with the latest estimates placing the cost of the Equifax breach
alone at $110 million.

Additionally, we saw simple configuration mistakes leading to breaches in
Amazon Web Services. Financial publishing firm Dow Jones & Company and the
US Army's military intelligence agency, INSCOM, for example, left Amazon S3
buckets readable by any AWS user. The trap here is that S3's “Authenticated
Users” grantee means anyone with an AWS account anywhere in the world, not
just the accounts in your own organisation, so such a grant is effectively
public.
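The misconfiguration above is easy to audit mechanically. The following is an added example written for this article, not code from the original post or from any of the companies named: it walks an S3 bucket ACL and bucket policy (in the shape returned by boto3's `get_bucket_acl()` and the parsed JSON of `get_bucket_policy()`) and flags grants to the two global groups and policy statements that allow everyone. The sample ACLs and policies are constructed inline; the account ID, bucket name and canonical ID in them are placeholders.

```python
"""Audit an S3 bucket ACL and bucket policy for grants that expose the bucket
to every AWS account or to the whole internet.  Hypothetical audit helper;
inputs mirror the shape of boto3's s3.get_bucket_acl() response and the
parsed JSON body returned by s3.get_bucket_policy()."""

# S3's two global grantee groups.  "AuthenticatedUsers" is NOT "users of my
# account": it is every AWS account in the world.
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}


def risky_acl_grants(acl):
    """Return [(who, permission)] for every ACL grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in GLOBAL_GROUPS:
            findings.append((GLOBAL_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to list."""
    return [value] if isinstance(value, str) else list(value or [])


def principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy):
    """Return [(sid, actions)] for unconditional Allow statements open to everyone.

    Statements carrying a Condition block are skipped: a condition such as
    aws:SourceVpce may legitimately restrict them, so review those by hand."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if principal_is_everyone(stmt.get("Principal")):
            findings.append((stmt.get("Sid", f"statement-{i}"), _as_list(stmt.get("Action"))))
    return findings


def audit_bucket(acl, policy):
    """Combine both checks into one list of human-readable findings."""
    report = [f"ACL grants {perm} to {who}" for who, perm in risky_acl_grants(acl)]
    report += [f"policy statement {sid} allows {', '.join(actions)} to everyone"
               for sid, actions in public_policy_statements(policy)]
    return report


# Constructed sample inputs (placeholder IDs, not real buckets).  OPEN_ACL
# reproduces the pattern described above: the owner keeps FULL_CONTROL, but a
# READ grant to AuthenticatedUsers lets any AWS account list the bucket.
OPEN_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}
PRIVATE_ACL = {"Owner": OPEN_ACL["Owner"], "Grants": OPEN_ACL["Grants"][:1]}

OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OwnAccountOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket",
                                "arn:aws:s3:::example-bucket/*"]}],
}

if __name__ == "__main__":
    for name, acl, policy in [("open", OPEN_ACL, OPEN_POLICY),
                              ("private", PRIVATE_ACL, PRIVATE_POLICY)]:
        print(name, audit_bucket(acl, policy) or ["no public grants"])
```

Run across every bucket in every account (boto3's `list_buckets()` plus the two calls above) as a scheduled job; object-level ACLs can override a private bucket ACL, so for buckets holding sensitive data check objects too.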

Scrambling For GDPR

2017 saw businesses scrambling to gear up for the General Data Protection
Regulation (GDPR), which applies from 25 May 2018. It covers organisations
established in the EU and also organisations outside the EU that offer goods
or services to, or monitor the behaviour of, people in the EU.

Under GDPR, supervisory authorities can fine organisations that fail to
adequately safeguard personal data against a breach or fail to report a
breach to the supervisory authority within 72 hours of becoming aware of
it. Those failures sit in the lower tier of fines, up to €10m or 2% of
worldwide annual turnover, and the top tier for breaches of the core
data-protection principles reaches €20m or 4% – in each case whichever is
greater – which clearly gives regulators a very large stick to use on
companies that do not comply.

What is yet to be seen is how the European regulators decide to exercise
their legal powers. Come May 25th we might see investigations and fines
handed down to any company that loses personal records, and we could see
jurisdiction fights as European regulators try to fine businesses that are
based in the US. Equally, the threat of large penalties may not be
realised: it will be interesting to see how it all plays out.

IoT & The Bots

Throughout 2017, attacks on IoT systems were rife, and I believe they will
only increase in 2018. At the heart of many of these attacks were botnets
built from hundreds of thousands of compromised IoT devices. In 2017 we saw
Mirai's code reused in new botnets such as Reaper (which spread by
exploiting known vulnerabilities in routers and cameras rather than default
passwords) and Satori, all of which specifically targeted IoT devices.

By allowing ever more IoT devices onto the enterprise network, organisations
are also opening a back door for bot infections. Worryingly, recent
estimates suggest that up to 75% of organisations globally are infected by
bots, and with IoT devices set to increase, we certainly haven’t seen the
worst of it yet.

Indeed, Gartner estimates that 8.4 billion devices were connected to the
internet in 2017, and a further 2.8 billion will be connected in 2018. These
new IoT devices usually have little to no security controls built in, so
every additional internet-connected thermostat, door lock, vending machine
or air-conditioning unit that goes online is another attack vector
available to attackers.

To prevent bots working their way onto your enterprise networks, make sure
to use up-to-date anti-malware on the hosts that can run it and implement
layered defences to limit lateral movement if bots do manage to infiltrate
the network. Since most IoT devices cannot run an endpoint agent, network
controls have to do most of the work: next-generation firewalls can monitor
traffic for suspicious activity, block it, and cut infected devices off from
their command-and-control servers. Intelligent network segmentation,
separating IoT devices from the rest of the network, will also help to
mitigate risk.
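Two of the network-level checks just described can be run over ordinary connection logs. The following is an added example written for this article, not code from the original post or from any firewall vendor: it looks for the fixed-interval “beaconing” an infected device makes to a command-and-control server, and for flows that cross from the IoT segment into the corporate segment, which a correct segmentation policy should never allow. The IoT VLAN (10.50.0.0/16), the corporate range (10.10.0.0/16) and the `ts,src,dst,dport` log lines are all constructed assumptions; a Zeek `conn.log` or firewall export can be mapped to the same four fields.

```python
"""Beacon and segmentation-violation detection over connection logs.
Hypothetical example: subnets, thresholds and log lines are constructed."""
import ipaddress
import statistics
from collections import defaultdict

IOT_NET = ipaddress.ip_network("10.50.0.0/16")   # assumption: IoT VLAN
CORP_NET = ipaddress.ip_network("10.10.0.0/16")  # assumption: corporate hosts


def parse_flows(text):
    """Parse 'ts,src,dst,dport' lines into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split(",")
        flows.append((float(ts), src, dst, int(dport)))
    return flows


def find_beacons(flows, min_conns=6, max_cv=0.1):
    """Return {(src, dst, dport): mean interval in seconds} for connection
    series whose gaps are nearly constant (coefficient of variation <= max_cv).
    Human-driven traffic is bursty; a malware check-in timer is not."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            beacons[key] = round(mean, 1)
    return beacons


def segmentation_violations(flows):
    """Return sorted (src, dst) pairs where an IoT device reached a corporate
    host, i.e. traffic the IoT/corporate boundary should have dropped."""
    seen = set()
    for _, src, dst, _ in flows:
        if ipaddress.ip_address(src) in IOT_NET and ipaddress.ip_address(dst) in CORP_NET:
            seen.add((src, dst))
    return sorted(seen)


# Constructed sample log (not real traffic).  10.50.3.17 is a "thermostat"
# that checks in with 203.0.113.45 every ~60 s, resolves DNS irregularly and
# once touches a corporate file server; 10.10.4.5 is a user browsing.
SAMPLE_LOG = """# ts,src,dst,dport
1000.0,10.50.3.17,203.0.113.45,443
1060.4,10.50.3.17,203.0.113.45,443
1119.8,10.50.3.17,203.0.113.45,443
1180.1,10.50.3.17,203.0.113.45,443
1240.3,10.50.3.17,203.0.113.45,443
1299.7,10.50.3.17,203.0.113.45,443
1360.2,10.50.3.17,203.0.113.45,443
1420.0,10.50.3.17,203.0.113.45,443
1003.2,10.50.3.17,10.50.0.1,53
1181.9,10.50.3.17,10.50.0.1,53
1183.0,10.50.3.17,10.50.0.1,53
1377.5,10.50.3.17,10.50.0.1,53
1390.0,10.50.3.17,10.10.8.20,445
1010.0,10.10.4.5,198.51.100.7,443
1012.5,10.10.4.5,198.51.100.7,443
1100.0,10.10.4.5,198.51.100.7,443
1101.3,10.10.4.5,198.51.100.7,443
1350.0,10.10.4.5,198.51.100.7,443
1355.0,10.10.4.5,198.51.100.7,443
1356.0,10.10.4.5,198.51.100.7,443
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for (src, dst, port), interval in find_beacons(flows).items():
        print(f"beacon: {src} -> {dst}:{port} every {interval}s")
    for src, dst in segmentation_violations(flows):
        print(f"segmentation violation: {src} -> {dst}")
```

Real bots add jitter to their check-in timer, so tune `max_cv` against a baseline of your own traffic and treat the result as a triage lead rather than proof; a legitimate NTP or telemetry client is also periodic, which is exactly why the allow-list of permitted destinations for the IoT segment should be short.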

Ransomware Is Here To Stay

2017 was also the first year that businesses globally felt the full force
of major ransomware attacks. WannaCry impacted businesses and public
services across the globe, Cerber convinced many victims to pay up to
unlock their encrypted files, and NotPetya claimed many victims including
US-based pharmaceutical giant Merck, causing at least $300 million of

Threatened by the loss of potentially sensitive files that may not be
backed up, some businesses have been paying the criminals’ ransom demands.
But of course, paying the attackers not only funds criminal activity, it
fuels further attacks. So, ransomware is far from behind us.

As with bots, there are numerous security best practices that can prevent,
or at least greatly reduce, the impact of the next ransomware attack,
including segmenting the network, regular data backups kept offline or
otherwise unreachable from the production network (a backup the malware can
reach is a backup it will encrypt), prompt patching, and security awareness
training for employees.

The reality is that data breaches, botnets, ransomware and human errors
won’t be going away anytime soon, and organisations must remain vigilant.
But by looking back at the events of 2017, IT teams can take steps to
reduce the chances of falling foul of these attacks moving forward. After
all, learning from history can help stop events from repeating again in the