There’s plenty that businesses can do to mitigate these risks. You can, of course, invest in an endpoint security solution but it’s also important to follow data security best practices and make use of available security frameworks and resources.
Nonetheless, 2016 saw LinkedIn, Yahoo, the Democratic National Committee (DNC), and the Internal Revenue Service (IRS) thrust into the spotlight in the wake of cataclysmic attacks and breaches. We spoke to Morey Haber, Vice President of Technology at vulnerability and identity management provider BeyondTrust, about what the company considers the five worst hacks of the year, and the critical lessons businesses can learn from each.
The fallen internet giant had a historically bad security year to complement its sagging financials, snatching defeat from the jaws of victory after a string of high-profile breach disclosures and customer data leaks left Verizon scrambling to find a way out of its $4.8 billion acquisition. Haber said the Yahoo breaches can teach businesses three valuable lessons:
“It’s the first time a major corporation, up for sale, was double-dipped for a breach in one year and holds the title for the largest breach ever for a single company,” said Haber. “What makes this even more compelling as the worst breach of 2016 is the breach occurred three years prior to public disclosure and the second breach was only discovered due to the forensics of the first breach. Over one billion accounts in total were compromised, a lesson to all companies on how not to manage security best practices within your business.”
In the most infamous security breaches of election season, the Democratic National Committee (DNC) was hacked on more than one occasion, resulting in emails from officials (including DNC chair Debbie Wasserman Schultz and Clinton campaign manager John Podesta) leaking through WikiLeaks. For these hacks, which US officials have traced back to the Russian government, Haber pointed to guidelines and recommendations from the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the National Institute of Standards and Technology (NIST) that could have mitigated the DNC’s security vulnerabilities:
“The FBI and DHS have released a document outlining how two Advanced Persistent Threats [APT 28 and APT 29] used spear phishing and malware to infiltrate the US political system and provide covert operations to tamper with the US election process,” said Haber. “The blame is squarely aimed at a nation-state attack, and the document recommends steps all government and political agencies should take to stop this type of intrusion. The problem is, these recommendations are nothing new, and form the basis for security guidelines already established by NIST.”
2016 was the year we finally witnessed the scale of cyberattack a global botnet is capable of. Hundreds of thousands of insecure Internet of Things (IoT) devices were swept into the Mirai botnet and used to overload domain name system (DNS) provider Dyn with a massive DDoS attack. The attack knocked out Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter, and many other major websites. Haber pointed to four straightforward IoT security lessons that businesses can take from the incident:
“The Internet of Things has taken over our home and corporate networks, literally,” said Haber. “With the public release of the Mirai malware source code, attackers created a botnet that [leverages] default passwords and unpatched vulnerabilities to create a sophisticated worldwide botnet that can cause massive DDoS attacks. It was used successfully multiple times in 2016 to disrupt the internet in the US via DDoS against the DNS services provided by Dyn, to telecoms in France, and banks in Russia.”
Changing your passwords, promptly after any breach comes to light and without reusing the same one across services, is always a smart idea, and that goes for your business and personal accounts alike. LinkedIn was the victim of a major hack in 2012 that leaked publicly late last year, as well as a more recent hack of its online learning website Lynda.com that affected 55,000 users. For the IT managers setting business security and password policies, Haber said the LinkedIn hack comes down largely to common sense:
“An attack from over four years ago was publicly leaked in early 2016,” said Haber. “Users that had not changed their passwords since then found their usernames, email addresses, and passwords publicly available on the dark web. Easy pickings for a hacker.”
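As an added example, not code from the article or from BeyondTrust, the following Python script shows the two halves of the LinkedIn lesson: why a dump of unsalted SHA-1 hashes (the scheme the 2012 LinkedIn dump was found to use) is easy pickings for a dictionary attack, and how an IT team can check its own users' passwords against a leaked set without sending any password anywhere, using the k-anonymity range-query model of Have I Been Pwned's Pwned Passwords API. The "dump", the account list and the lookup server are all constructed inside the script so it runs offline, and the function names are this example's own; the closing `store_password` shows the salted, slow-KDF storage that would have made the dump far less useful.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample "dump": a few weak passwords hashed with unsalted SHA-1,
# the scheme used by the 2012 LinkedIn dump. No real dump records are embedded;
# the hashes are computed here so the example runs offline.
_DUMP_PLAINTEXTS = ["linkedin", "password1", "123456", "qwerty"]
LEAKED_HASHES: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _DUMP_PLAINTEXTS
}

# Constructed company accounts to audit (made-up users and passwords).
ACCOUNTS: List[Tuple[str, str]] = [
    ("alice", "password1"),           # present in the dump
    ("bob", "Tr0ub4dor&3-unique"),    # not in the dump
    ("carol", "qwerty"),              # present in the dump
    ("dave", "Tr0ub4dor&3-unique"),   # same password as bob: reuse
]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def crack_unsalted(dump: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack on an unsalted dump. Each candidate is hashed once and
    recovers every account that chose it, which is why such a dump is easy pickings."""
    table = {sha1_hex(w): w for w in wordlist}
    return {h: table[h] for h in dump if h in table}


def range_lookup(prefix: str) -> List[str]:
    """Server side of a k-anonymity range query, the model used by Have I Been
    Pwned's Pwned Passwords API (served here from LEAKED_HASHES). The client
    sends only the first five hex digits of its SHA-1 and receives the suffixes
    of every leaked hash with that prefix, so the server never learns the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return sorted(h[5:] for h in LEAKED_HASHES if h.startswith(prefix))


def is_breached(password: str) -> bool:
    """Client side of the range query: hash locally, compare suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def audit(accounts: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Flag users whose password is in the dump and users sharing a password.
    Run this against a known dump, and again whenever a new one surfaces."""
    accounts = list(accounts)
    breached = [user for user, pw in accounts if is_breached(pw)]
    by_hash: Dict[str, List[str]] = {}
    for user, pw in accounts:
        by_hash.setdefault(sha1_hex(pw), []).append(user)
    reused = sorted(u for users in by_hash.values() if len(users) > 1 for u in users)
    return {"breached": breached, "reused": reused}


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """How a site should store passwords instead: a per-user random salt and a slow
    KDF (PBKDF2-HMAC-SHA256 from hashlib). Two users with the same password get
    different records, and crack_unsalted's one-hash-per-candidate trick no longer works."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(audit(ACCOUNTS))
    print(crack_unsalted(LEAKED_HASHES, ["123456", "letmein", "qwerty"]))
```

Against a real leaked set, `range_lookup` would be replaced by an HTTPS call to the range endpoint with the same five-character prefix; the client logic in `is_breached` stays identical, which is the point of the design: the service sees only a prefix shared by hundreds of unrelated hashes.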
Lastly, Haber said we can’t forget about the IRS hacks. These happened twice, in 2015 and again in early 2016, and affected critical data including tax returns and Social Security numbers.
“The attack vector was against the ‘Get Transcript’ service, used for everything from college loans to sharing your tax returns with authorized third parties. Due to the simplicity of the system, a social security number could be used to retrieve information and then create fake tax returns, amounting to a refund and [funds being forwarded] electronically to a rogue bank account,” explained Haber. “This is noteworthy because the system, like Yahoo, was breached twice, fixed, but still had severe flaws that allowed it to be breached again. In addition, the scope of the breach was grossly underestimated, from early accounts of 100,000 users to over 700,000 in the end. It is unknown if this will surface again for 2016 returns.”
Haber pointed to two core lessons that businesses can learn from the IRS hacks:
“For 2017, I think we will expect more of the same. Nation-states, IoT devices, and high-profile companies will be the focus of breach reporting,” said Haber. “I believe there will be an uptick of coverage on privacy laws governing IoT devices and the sharing of information contained within them. This will cover everything from devices like Amazon Echo to information flowing from EMEA [toward] the USA and Asia-Pacific within companies.”
Cybersecurity doesn’t seem important until you’re attacked. Without proper preparation, you will likely end up spending more resources on recovery than you would have on prevention.
While financial losses from cybercrime don’t usually come in the form of hackers draining bank accounts, your company could still find itself on the wrong end of fraud. For example, bank and credit accounts could be frozen or delayed while suspicious activity is investigated. If someone has access to company card information, fraudulent charges may appear and you may wrongly suspect embezzlement, creating confusion within your organization. And should news of the incident reach your customers, it could hurt sales, multiplying the damage done by the attack.