Data breaches and cyber security lead daily global headlines as more and more businesses fall victim to these cyber “snipers.” Businesses and public institutions need to take greater care, whatever their size or nature of their business.
2014 won’t go down as a great year for Internet security. In fact, with international cyber-espionage, hacked celebrity iCloud accounts, millions of stolen credit card details and the “Sony Story” dominating headlines, it was one of the worst. Many corporations, especially technology firms, have put former hackers on their respective staffs to protect their cyber security perimeters. That was great for the early adopters but now that there are former “black hats” working for the likes of Google, Facebook and the Federal Government it presents a new generation of shrewd young hackers with a rosy looking career path to a 6-figure salary. As evidenced in 2014, there is plenty more hacking “talent” building compelling resumes out there. In this blog we look at the biggest threats to data security, hacker’s actions and motivations and what any organization should be doing about it.
2014: A Bad Year for Data Security
The final numbers aren’t counted yet, but 2014 has a chance to outclass 2013 as America’s worst-ever year for data security breaches. 2013 saw 2,164 reported incidents, including the four worst in history, exposing 822,000,000 records. Hacking rightfully dominates the headlines, it accounted for 59.8% of reported incidents last year and accounted for 70+ percent of exposed records. Around 25% of incidents were caused internally with a roughly even split between malicious and accidental activity. Here’s a quick rundown of the main internal threat profiles:
- Ethical employees who accidentally cause breaches;
- Malicious or disenfranchised employees who deliberately attack computer systems, steal data or take information hostage;
- C-Level staff (or SME owners) whose high profiles coupled with unnecessarily wide security clearance and lack of training can present attractive vulnerabilities for hackers;
- Action of rogue IT professionals and software developers – regardless of motivation – must be treated as malicious. Of course, incompetence can also be a threat here: poorly designed procedures or a lack of adherence to good ones have led to infamous leaks in recent years.
Internal breaches accounted for around 19% of exposed records in 2013. These included errant web posts, lax equipment disposal and poorly managed documents, media and devices. Accidental breaches have come down considerably in recent years, suggesting an increase in core “best practices,” employee training, stronger company policies and good governance. New challenges posed by mobile media and communication devices require specialist attention that smaller IT departments may struggle to handle. Managing the threat of malicious insiders is an interdepartmental responsibility where cooperation and vigilance are supported by technical safeguards.
For executive staff and IT workers, training programs, security policies and the rule of least privilege should be adhered to. There must be limits set on who can access the data center or become domain administrators. Administrative activity should be logged and off-boarded staff must lose their admin rights immediately – obvious, one might think.
Although internal threats are serious, the external threat is far greater and considerably more dynamic. It is only fifteen years since the “I Love You” virus brought global corporations to their knees: 45 million Windows PCs were thought to have been hit on May 4th and 5th, 2000. This simple virus arrived at a time when many people and organizations had no security software. Even those who did only updated the signatures of known viruses on a monthly basis and back-ups weren’t performed as regularly as they are now. In today’s world where anti-virus software, firewalls and back-ups are the norm, 90% of email is spam and, despite the galvanized defences, the threat is far greater than ever before.
The main external threats today:
An estimated 75% of data security breaches are financially motivated. In 2013, McAfee estimated that annual losses from the global economy were $300 billion with a third of that happening in the US. There is skill and sophistication to these operations. Genuine project management is required to pull together coding talent, digital marketing specialists, hosting resources, network infrastructure and laundering channels.
The battle against cyber-crime will never end, instead it will evolve at an ever quicker rate in ways we can only imagine. It is worth having a resource dedicated to containing this threat and for many organizations that means engaging external expertise. There are some basic priority areas though. As mentioned above, devices are an area of focus especially now BYOD, BYOA and the Internet of Things [IoT] are prevalent so a full mobile device management [MDM] program needs to be in place. Networks must be secured, access limited and strong security policies should be enforced; notable incidents across the last 2 years have been narrowed down to weak passwords and poor encryption.
Post 2014, we know only too well that global governments spy on each other, just ask German premier Angela Merkel about that. Meanwhile, the Sony affair with North Korea highlighted another security threat: state-sponsored attacks on corporations. Whether this was the root of Sony’s problems is questionable, as it appeared it was another extortion case at the outset, but this is a growing area of concern. State-sponsored espionage by China was identified as a key factor in Nortel’s downfall in 2012. China along with the US, UK, Russia and Israel are the current “Big 5” in this field, but other states – friendly and otherwise – will look to grow their initiatives in any area further supporting their national causes. As with other threats, cyber “terrorism” will become increasingly targeted. Massive budgets and political loopholes in international law make this kind of threat very difficult to defend against. Encryption is probably the most powerful defence companies have.
Corporate espionage is similar to the state-sponsored threat. The trending story here is that 30% of attacks are targeted on companies with fewer than 250 staff, as these opportunities are seen as a route to larger organizations. This is the reason that companies such as the one I work for have set up data security policies as exacting as those required for corporations in regulated industries.
Many of us have performed an innocent search within a large firm only to find information we knew we shouldn’t be seeing. The power and programmability of modern search engines means similar (legal) searches made externally can bear unexpected fruit. Loopholes like this should be tested for and secured. Corporate data should be audited and classified for sensitivity before being systematically sealed in dedicated areas of the network. A major 2014 breach at a top US bank went undetected for a month, seriously magnifying the damage caused. Firewalls must be continuously updated and intrusion detection systems put in place to monitor for penetration at the network, host, application and data levels.
Hackers and Activists
In the opening paragraph, I focused on “old school” hackers. They’re still out there, and these days they can be motivated politically, financially, ideologically or just be junior thrill-seekers operating from their bedrooms. In actuality, the threat posed is not as severe as an external threat, however, the quantity of data exposed is exponentially increasing, and so these threats must be taken seriously.
Threats for 2015
Prediction is always difficult but I think 2015 will herald in more credit card chaos, possibly to the extent the fundamental nature of user identification may foster evolutional change. iOS hacking is likely to increase as are attacks on the IoT and other areas where developers are more focused on functionality than security. Mobile payment systems and the development of ransomware that hold cloud accounts hostage will be more prevalent, and state-sponsored cybercrime will definitely develop as pariah states shelve their nuclear ambitions in favor of something more achievable.
On a more positive note, I foresee increased cooperation for internet security and small to medium sized firms prioritizing top-level expertise such as that offered by my company – among others – as we seek to bolster cyber security for our clients.