As 2013 draws to a close, it is only natural to take a moment to look back on the year that was, and evaluate it for both the ups and the downs. Was 2013 a good year or a bad one? Were there significant events that will help shape the course of 2014 and beyond, or was it wholly unremarkable and destined to fade into history? Wiser minds than mine will have to make that call, and it will likely vary from one reader to the next, but what we can do is take a look back at the past year to reminisce about the worst security threats of 2013.
The philosopher poet George Santayana offers us some words of wisdom that we should all take to heart.
“Those who cannot remember the past are condemned to repeat it.”
By reviewing the major security threats of 2013, perhaps we can learn a lesson or two, and avoid repeat performances in 2014. Let’s run them down and see what we can learn.
1. Human nature
First up is more a category of attack than any one specific event. Phishing attacks target everyone from your grandmother to your CEO, and unfortunately for big business, those big paychecks and stock options don’t always indicate a more savvy understanding of security. A report recently published in Network World indicates that two out of three security pros surveyed have had to deal with a security incident that was not publicly disclosed, and that the majority of those incidents trace back to a senior executive. These included falling victim to phishing attacks, permitting family members to access corporate resources, downloading malware, and surfing porn. I guess we know why things weren’t disclosed.
2. Ransomware
Cryptolocker was the big killer malware this year, with the novel approach of encrypting all of a victim’s files and then holding them for ransom. Pay up, and the victim would be given the private key to decrypt the files. Hold out, and all that data would be rendered useless. While malware has been and always will be a problem, ransomware highlights the need for both strong antivirus solutions and backups of important data that are not accessible to regular users.
3. State sponsored hacking
There were lots of reports this year of hacking as an organized activity sponsored by national governments. Whether from Syria, China, North Korea, or the United States, it seems that there’s more to be worried about online than Nigerian princes and tenth graders with too much time on their hands. State sponsored hacking targeted more than just key pieces of infrastructure, with many commercial enterprises finding themselves targets as part of a larger plan to disrupt economies.
4. Hacktivism
Anonymous, LulzSec, the Syrian Electronic Army and others all contributed to a rise in hacking to make a point, a.k.a. hacktivism. Governments, businesses, and individuals all found themselves on the receiving end of digital bit-slaps as hacktivists used the Internet to express their displeasure with actions, inactions, and public statements.
5. Censorship
In the Information Age, where free and unfettered access to information is just a given for so many, it’s amazing how many countries still promote censorship of content. While I am all in favor of censoring things that exploit innocents, promote hatred and bigotry, or are clearly illegal, when a government starts to block what news and educational content is available, the line has been crossed and individual freedoms are now threatened. While it comes as no surprise that countries like Cuba and China are censoring what their citizens can access, I’d expect better from Pakistan and Australia, and yet, both are implicated in numerous efforts to censor the Internet.
6. BYOD
With the prevalence of personal laptops, iPads, Android and Windows tablets, and smartphones flooding the market, it’s clear that 2013 has become the year of BYOD, with users clamoring for access to company data from personal devices. Email is only the start, with messaging, corporate portals, and Line of Business (LOB) applications starting to make inroads into the BYOD space. Many security professionals found 2013 to be the year they moved from securing the device to securing the data.
7. Hacking as a Service
Have laptop, will travel. In an older time, Paladin was a character with a romantic background who ultimately helped people. In modern times, hackers for hire are a growing phenomenon that is coming to prominence. Hacking as a Service providers are simply looking to hire out their talents – they don’t much care what the job is, as long as it pays.
8. PRISM, MUSCULAR, and the NSA
While we may never know the extent to which the United States’ own National Security Agency has gone to subvert individuals’ privacy in the name of national security, one thing everyone can agree on is that they have gone too far. Another thing most ISPs can agree upon is that the damage done to the trust their customers have had for them may be so bad as to be beyond recovery. Major players like Microsoft, Google, and Yahoo have not only gone to great lengths to be completely transparent to their customers; they are pouring millions of dollars into legal actions to fight the NSA and their actions, and are implementing encryption within their own networks to better protect their customers from the government’s prying eyes. What Edward Snowden did when he revealed the actions of the NSA may well be treason, but there’s a growing sentiment that he may be a hero to people everywhere for revealing what is really going on.
9. Social faux pas
Have a read of The 17 Facepalm Moments that Rocked Twitter and then consider the impact that inappropriate or unauthorized tweets and Facebook posts could have on your business. Embarrassment, loss of goodwill, alienation of customers… all of these could happen should your Twitter account be hacked, or should the intern who is handling your Facebook page make a post that he thinks is funny but your customers don’t. Make sure that you are using strong passwords that are frequently changed on all your social media accounts, and that no one has the authority to post something without someone else reviewing it.
10. (The lack of) Encryption
Any data that leaves the four walls of your business should be encrypted. That means laptops, memory sticks, portable hard drives, and backup tapes should all be encrypted, without exception. The number of incidents where customers’ and patients’ NPI was compromised due to lost or stolen hardware this year was huge, and everyone from colleges and banks to hospitals and federal agencies was involved. The costs to cover people against identity fraud from these incidents will likely total in the billions of US dollars, and in every single one of these incidents, simply encrypting the data could have avoided it all.
11. Website vulnerabilities
Hacking websites is still popular, and no wonder, considering what a successful hack can get. A hack of Twitter earlier this year compromised 250,000 accounts, while a hack of Virginia Tech’s website revealed NPI on over 110,000 job applicants. Even the University of Delaware fell victim, with 74K students, faculty, and staff finding that their personal information had been accessed by unauthorized attackers exploiting a vulnerability in the university’s website.
12. Website stupidities
It’s bad enough when your website has a vulnerability, but when someone simply does something stupid, it may be time to pull the cable. Cogent Healthcare blamed their vendor for the online exposure of 32,000 patients’ medical information, which was conveniently indexed by Google, but they should take heart. The Internal Revenue Service posted 100,000 citizens’ NPI online for a period of time, setting the bar low indeed.
13. (The lack of) DLP
Finally, the lack of data loss prevention can be a significant hole in your overall security posture. Just ask investigators at the New York Medicaid agency, where an employee emailed themselves the account NPI of over 17,000 Medicaid recipients. While DLP should have caught that, I’m amazed that their email system didn’t choke on what had to be a pretty large attachment!
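An outbound-mail DLP rule of the kind that would have caught the Medicaid export described above, as an added example (not the agency’s system or any product’s code); the internal domain, the record threshold and the SSN-shaped pattern are assumptions, and the sample message is constructed:

```python
import re
from email.message import EmailMessage

INTERNAL_DOMAIN = "medicaid.example.gov"        # assumed: the organisation's own mail domain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # assumed NPI indicator: SSN-shaped token
BLOCK_THRESHOLD = 50                             # assumed: this many records = bulk export


def is_external(address: str) -> bool:
    """True when a recipient is outside the organisation's own domain."""
    return not address.strip().lower().endswith("@" + INTERNAL_DOMAIN)


def count_npi_records(text: str) -> int:
    """Count lines carrying at least one SSN-shaped value (one record per line)."""
    return sum(1 for line in text.splitlines() if SSN_RE.search(line))


def evaluate(msg: EmailMessage) -> dict:
    """Scan body and every attachment; return a verdict a mail gateway can act on."""
    recipients = [a for a in str(msg.get("To", "")).split(",") if a.strip()]
    externals = [a.strip() for a in recipients if is_external(a)]
    records = 0
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                      # container, not content
        payload = part.get_payload(decode=True)
        if payload:
            records += count_npi_records(payload.decode("utf-8", "replace"))
    if externals and records >= BLOCK_THRESHOLD:
        verdict = "block"                 # bulk NPI leaving the organisation
    elif externals and records > 0:
        verdict = "alert"                 # a few records: hold for review
    else:
        verdict = "allow"
    return {"verdict": verdict, "records": records, "external_recipients": externals}


def build_sample_message(n_records: int) -> EmailMessage:
    """Constructed message: an employee mailing a recipient export to personal webmail."""
    msg = EmailMessage()
    msg["From"] = "clerk@" + INTERNAL_DOMAIN
    msg["To"] = "clerk.home@webmail.example.com"   # constructed external address
    msg["Subject"] = "recipient list"
    msg.set_content("attached as discussed")
    rows = ["id,name,ssn"] + [f"{i},Recipient {i},900-12-{i:04d}" for i in range(n_records)]
    msg.add_attachment("\n".join(rows).encode(), maintype="text", subtype="csv", filename="export.csv")
    return msg
```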
Whether you would call your own personal 2013 a great year or a terrible one, a year to fill you with hope for next year or dread, there are 13 lessons to be learned from others over the course of this year. Review the list above, consider your own security, and work to make 2014 a good year for you and yours.