Another year has drawn to a close and as we put away all the holiday decorations, get back on our diets and reluctantly re-enter the real world, it’s time to do some thinking and planning about how the threat landscape has evolved over the past twelve months and how our security strategy has to morph in order to stay ahead of the bad guys who want to steal our data and/or bring down our networks.
Looking back, we once again saw a number of major data breaches affecting millions of people, carried out against big corporations, government agencies, health insurance providers and even security companies and hackers. More than 22 million former and current employees of the U.S. federal government were victimized by multiple security breaches at the Office of Personnel Management (OPM). Over 300,000 taxpayers had their data compromised in an IRS breach. Health insurance companies Premera and Anthem were hacked. Credit reporting agency Experian experienced a data breach. Hacking Team, a company that sells hacking tools, was itself hacked.
Hyatt Hotels reported a breach in their payment processing systems on December 23 (as luck would have it, a little over a week after I stayed at one of their hotels). Not that they were alone; Hilton, Starwood, Mandarin Oriental and Trump hotels also have reported breaches. Harvard University, Ashley Madison (an online dating service), VTech (manufacturer of digital toys for children whose database contains kids’ names, genders, birthdates and mailing addresses), and a whole slew of healthcare companies were some of the many targets of attackers this year.
But we need to look way beyond just who was compromised in 2015, because the more important issue (at least in terms of protecting your own network and digital assets) is how they were compromised. What types of attacks were most prevalent; what were the most common threats?
One of the top trends that emerged was the extortion theme. From simple emails threatening a Distributed Denial of Service (DDoS) attack to take companies’ websites offline unless a payment was delivered (usually in bitcoins) to sophisticated ransomware that proactively encrypted the data on a computer and then held it hostage, demanding payment to release the decryption key, this idea of extorting money was a popular one this year. The success of The Armada Collective and similar groups using these tactics led others to copy their techniques.
Another trend to be on the lookout for is the compromise of networks through the Internet of Things. As more and more different IoT devices connect to networks, they introduce brand new vulnerabilities. Many run outdated operating systems or applications that don’t get regularly patched. The VTech breach is an example of an IoT attack targeting children’s toys, but there are more and more grown-up “toys” such as cameras, TVs, appliances, smart watches and other wearables, and so forth that their users may connect to company networks – not to mention the more common “things” such as smartphones, tablets, printers, scanners and the like that can serve as attack vectors.
Speaking of smartphones, these pocket-sized computers have been steadily growing in capability, to the point where some of the high-end phones have more memory, storage and processing power than some low-end laptops. Many smartphone users, however, don’t practice the same level of security on their phones that they do on their “real” computers. Mobile security was a huge issue for both corporations and individuals in 2015 and that’s likely to continue in the upcoming year(s).
We saw plenty of vulnerabilities in both of the top two mobile operating systems, iOS and Android. New and exciting technologies such as Apple’s Siri voice-command personal assistant app are moving us toward a futuristic vision of computers with which we can interact in much the same way we interact with other humans – but those technologies also introduce brand new security risks.
The good news is that mobile device vendors and mobile OS makers are beginning to recognize the problem and are starting to address it in their newer versions. With more and more people using their smartphones and tablets for everything – including bill payment, online shopping, online banking and other sensitive tasks – they had to.
Zero Day flaws kept on coming and 2015 saw many of the “usual suspects” such as Flash and Java cropping up over and over again. A continuing trend is the packaging of exploit code into exploit kits such as Angler, Fiesta and Nuclear, which are sold or distributed free among hackers, making it easy for someone with limited or no programming skills to launch attacks.
The good news is that the good guys are fighting back, with new security solutions and better implementations of old ones.
One security-related technology that virtually exploded onto the scene this past year is containerization. Containers have been around for quite a while, but have really come into their own with the increasing popularity of Docker, an open source containerization project that was first released in 2013 and is now supported by Microsoft, Amazon, IBM and other major cloud providers. This is not your father’s virtualization; containers provide for isolation of applications from one another while operating more efficiently than traditional virtual machines.
BYOD gained a stronger foothold in 2015, and that brought more security concerns, which in turn spurred the rise in enterprise mobility management (EMM) systems. That market grew considerably and the solutions are focusing more on security aspects of managing mobile devices, including password protection, multi-factor authentication, data encryption, remote wipe and other mechanisms for protecting both the devices and the data residing on them.
The latest smartphones offer fingerprint authentication and facial recognition, as does Windows 10 with its Windows Hello feature that can relieve users of the necessity of typing in usernames and passwords while still providing security. Multi-factor authentication of all kinds has become more commonplace this year not only in the enterprise but even filtering down to consumers. Cloud services allow customers to authenticate using their phones as a second factor, in place of smart cards or key fobs that always seem to have a propensity for getting left behind.
The security landscape has been a rapidly changing one in 2015 and that is likely to continue into the new year. It has become such a vast and diverse topic that it’s impossible to cover more than a few of the biggest trends within the confines of a blog post. One thing is certain: 2016 will bring us new security challenges as well as new ways of dealing with them.