This year has been historic for cyber breaches, both in the scale of the attacks and in the number of people affected. With connectivity and automation steadily increasing, the likelihood of a breach, and the ease with which attackers can reach vulnerable systems, will keep growing as well. A mature cyber defense is therefore no longer a compliance checkbox but a precondition for keeping the business running, before even counting the damage a breach does to customer retention and reputation. Basic cybersecurity measures are no longer enough to prevent or respond to an intrusion, as this year’s attacks have shown.
Below are four historic 2016 breaches, with details on what happened and takeaways for 2017 on what you should do to keep a similar attack from hitting your organization.
1. Yahoo
What Happened: Yahoo disclosed two major breaches this year. The first, announced on September 22, 2016, actually occurred in late 2014; an actor Yahoo described as “state-sponsored” stole information from more than 500 million user accounts.
Then, on December 14, 2016, Yahoo announced an even larger breach. This attack happened in August 2013 and affected more than one billion user accounts, doubling the number of victims from the September disclosure and setting a new record for the largest breach ever reported.
In both attacks the intruders took sensitive account data (hashed passwords, and security questions and answers, some of them unencrypted) as well as personal information such as names, phone numbers and dates of birth. Yahoo stated that the passwords in the 2013 dataset were hashed with MD5, a fast hash that offers little resistance to offline cracking with precomputed lookup tables, so those passwords should be treated as exposed.
The identity of the hacker (or hackers) and the motivation behind the attacks have yet to be determined. What has been reported is that the stolen data has been offered for sale online to multiple buyers, meaning the personal information of more than a billion accounts is in the hands of anyone willing to pay for it. While an attack by a state sponsor is likely to be sophisticated and hard to stop, there are still measures that can be taken to prevent a similar breach at your company.
2017 Takeaway – Understand Vulnerabilities: Attackers scan for security gaps that serve as easy access points into your system and it is essential to spot them before they do. This can be achieved through vulnerability scanning, penetration testing, and risk assessment, which not only identify problem areas, but also prioritize what needs to be fixed first. Securing weak spots will help create a stronger overall defense, while also serving as a deterrent to cyber criminals who are only looking for an easy hack.
An enterprise risk assessment identifies the key assets an organization possesses, uncovers weaknesses that scanning cannot detect, such as missing policies and procedures or third-party risk, characterizes the organization’s threat profile, and helps ensure that compliance obligations are met.
Vulnerability scanning and penetration testing are both essential to protecting sensitive data. Skipping them leaves valuable information exposed to theft, which can damage an organization’s reputation for years or, as in Yahoo’s case, affect the pending sale of the company.
2. Dyn
What Happened: On October 21, 2016, the Domain Name System (DNS) provider Dyn was hit by multiple distributed denial-of-service (DDoS) attacks of unprecedented size. Estimates put the attack load at 1.2 terabits per second, which would make it the largest DDoS attack recorded to that point. Dyn’s authoritative name servers could not answer queries, so users could not resolve the hostnames of numerous popular sites, including Amazon, CNN, Netflix, The New York Times, PayPal, Reddit, Spotify, Twitter, and The Wall Street Journal, even though those sites’ own servers were running. A site is only as reachable as the DNS that points to it.
The attack has been traced to a botnet of Internet of Things (IoT) devices, such as IP cameras and DVRs, infected with the Mirai malware, which spreads by logging in to devices over telnet with factory-default credentials. Although it has not been confirmed, Anonymous and New World Hackers, two hacktivist groups, have taken credit for the attack.
2017 Takeaway – Prepare for Business Continuity: Absorbing a DDoS attack of this size at your own perimeter is not realistic, but that is no reason to skip the preparation that lets you react quickly when something does go wrong. The Dyn outage was a dependency failure: organizations whose name resolution rested on a single provider had no fallback when that provider was saturated. Having a business continuity plan in place before an incident, one that catalogs such dependencies, is crucial to getting your organization back up to speed without first having to improvise a strategy. Time is money, and being reactive instead of proactive is a reliable way to leave dollars on the table.
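One concrete dependency check the Dyn outage calls for is whether every authoritative name server for your zones belongs to the same operator. The script below is an added example, not code from the original post or from Dyn; the zones and nameserver hostnames in it are constructed placeholders under `.example`, and in practice you would feed it the output of `dig +short NS yourdomain.example`. It works from that list offline and flags zones with a single-provider dependency.

```python
"""Added example (not from the original post): audit NS records for the
single-provider dependency that left Dyn customers unreachable.

The zone data below is constructed; the provider names are hypothetical.
"""
from collections import defaultdict

# Constructed sample zones. Both have four nameservers, so a naive
# "at least two NS records" check passes for each; only the second one
# survives a single provider going dark.
SAMPLE_ZONES = {
    "single.example": [
        "ns1.dns-a.example.", "ns2.dns-a.example.",
        "ns3.dns-a.example.", "ns4.dns-a.example.",
    ],
    "dual.example": [
        "ns1.dns-a.example.", "ns2.dns-a.example.",
        "ns1.dns-b.example.", "ns2.dns-b.example.",
    ],
}


def provider_of(ns_host: str) -> str:
    """Approximate the operator of a nameserver by its registrable domain.

    Takes the last two labels (e.g. 'dns-a.example'). This is a heuristic:
    names under multi-label public suffixes such as co.uk need the Public
    Suffix List for a correct answer, and one company may operate several
    registrable domains. Treat a "two providers" result as a prompt to
    verify, not as proof of independence.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified nameserver name: {ns_host!r}")
    return ".".join(labels[-2:])


def group_by_provider(ns_hosts):
    """Map provider -> sorted list of that provider's nameservers."""
    groups = defaultdict(list)
    for host in ns_hosts:
        groups[provider_of(host)].append(host.rstrip(".").lower())
    return {provider: sorted(hosts) for provider, hosts in groups.items()}


def audit_zone(zone: str, ns_hosts) -> dict:
    """Return a finding for one zone.

    'single_provider' is the condition that made the Dyn outage total for
    affected customers: every authoritative server shares one operator, so
    one provider outage takes the whole zone offline.
    """
    groups = group_by_provider(ns_hosts)
    return {
        "zone": zone,
        "providers": groups,
        "nameserver_count": len(ns_hosts),
        "single_provider": len(groups) == 1,
    }


def audit_all(zones=SAMPLE_ZONES):
    """Audit every zone in the mapping; returns a list of findings."""
    return [audit_zone(zone, ns) for zone, ns in zones.items()]


if __name__ == "__main__":
    for finding in audit_all():
        flag = "SINGLE PROVIDER" if finding["single_provider"] else "ok"
        print(f"{finding['zone']}: {flag} "
              f"({finding['nameserver_count']} NS, "
              f"providers: {', '.join(finding['providers'])})")
```

The same grouping applies to any external dependency you can enumerate by hostname (CDN edges, mail exchangers, payment gateways); the point of the check is that a count of redundant records says nothing about redundant operators.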
Creating a business continuity plan helps preserve access to crucial information and assets, which lowers the cost of a cyber incident, sustains critical functions, and reduces first- and third-party losses. Here are four ways you can get started:
- Identify Critical Assets and Functions: This is the first step toward sustaining business-critical operations and vital records during an incident, and it should include external dependencies such as DNS, hosting and payment providers that sit outside your direct control.
- Routinely Test Your Plan: Exercise your team and your plan to ensure they’re effective and comprehensive. Can you restore from backups without significant technical barriers or operational challenges?
- Protect Customers: Encrypt sensitive data in transit and at rest, with keys managed separately from the data store, and keep passwords only as salted hashes from a deliberately slow function (bcrypt, scrypt, Argon2 or PBKDF2), never as reversible ciphertext or a fast hash such as MD5. Records stolen under those conditions are of far less use to attackers; data encrypted with a key that was stolen alongside it is not protected at all.
- Prepare Corporate Stakeholders: Effective crisis management requires active communication across business functions. Time matters in cyber crisis management – don’t waste it building a plan during a cyber disaster.
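The difference between "hashed" and "protected" is the lesson of the Yahoo password data and of the Protect Customers item above. The following is an added example, not code from the original post: it builds a small attacker-side lookup table (constructed here from four common passwords; real tables hold billions of entries) to show that an unsalted MD5 digest is a lookup rather than a defense, then contrasts it with per-record salted PBKDF2-HMAC-SHA256 from the Python standard library and a constant-time verifier. The 600,000-iteration default follows OWASP’s current Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256; the `demo()` function lowers it only so the demonstration runs quickly.

```python
"""Added example (not from the original post): why stored passwords must be
salted, slow hashes rather than fast digests such as MD5.
"""
import hashlib
import hmac
import os

# Constructed attacker-side table: digest -> plaintext for a few common
# passwords. Building it requires no access to the victim at all, which is
# why an unsalted fast hash protects nothing once the database leaks.
_WORDLIST = ["password", "123456", "qwerty", "letmein"]
MD5_LOOKUP = {hashlib.md5(w.encode()).hexdigest(): w for w in _WORDLIST}


def crack_unsalted_md5(stored_hex: str):
    """Return the plaintext if the stored MD5 digest is in the table, else None."""
    return MD5_LOOKUP.get(stored_hex.lower())


# OWASP's Password Storage Cheat Sheet currently recommends 600,000 rounds
# for PBKDF2-HMAC-SHA256. bcrypt, scrypt or Argon2id are preferable where a
# library is available; PBKDF2 is used here because it ships with Python.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Store as algorithm$iterations$salt$digest so parameters can be raised later."""
    salt = os.urandom(16)  # unique per record: a shared lookup table no longer applies
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo(iterations: int = 10_000) -> dict:
    """Contrast the two schemes on the same weak password.

    The reduced iteration count keeps the demonstration fast; production code
    should use DEFAULT_ITERATIONS.
    """
    weak = "password"
    md5_stored = hashlib.md5(weak.encode()).hexdigest()
    record_a = hash_password(weak, iterations=iterations)
    record_b = hash_password(weak, iterations=iterations)
    return {
        # Unsalted MD5: the leaked digest is recovered by a single dict lookup.
        "md5_cracked": crack_unsalted_md5(md5_stored),
        # Salted PBKDF2: two users with the same password get different records,
        # so a precomputed table cannot be reused across the whole breach.
        "same_password_different_records": record_a != record_b,
        "verify_correct": verify_password(weak, record_a),
        "verify_wrong_case": verify_password("Password", record_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that salting alone only removes the shared-table shortcut; the iteration count is what makes each individual guess expensive, and both are needed.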
3. MedStar Health
What Happened: The self-described largest healthcare provider in Maryland and Washington, D.C. (10 hospitals, more than 250 outpatient centers, more than 30,000 employees, and hundreds of thousands of patients treated) had to take its network offline in March 2016 after several of its systems were infected by what MedStar employees described as ransomware demanding payment in bitcoin.
Because MedStar shut down its systems, employees had to turn some patients away and treat the rest without the electronic records, such as medical histories, that help minimize human error. The lack of comprehensive information caused cancellations, confusion and delayed lab results.
There is no confirmed report of whether MedStar paid the ransom (rumored to be 45 bitcoins, worth about $19,000 in late March 2016) or of who was responsible for the attack, but there are steps the provider could have taken in advance to reduce its risk of such a breach.
2017 Takeaway – Combat Insider Threat: The much-used statement that you’re only as strong as your weakest link deserves repeating. Ransomware frequently gets its foothold through an action a user takes, such as opening an attachment or following a link, so the way to strengthen the weakest link is a culture of security that instills healthy skepticism at the user level. This can be built through unannounced simulated phishing campaigns and other security awareness training designed to create a constantly vigilant mindset.
It is vital to create this environment because “insiders,” meaning the employees of your organization, all play a part in your cyber defense. However, developing an aware cybersecurity culture is easier said than done, especially when employees are asked to follow guidelines that have no immediate effect on their own welfare or safety. Here are five ways to overcome that obstacle and reduce insider risk.
- Have a climate survey conducted by a third-party industrial psychologist. This clarifies the actual, as opposed to the assumed, culture of the organization.
- Message the workforce: if in doubt, question. Build a culture that rewards good security posture and questions suspect requests, links and attachments.
- Tie organizational risk to real-life employee risk in training. Don’t just say it’s bad for the company to lose money to IP theft via insider threat; tie it to the employee’s own bottom line.
- Be consistent: what’s on paper needs to match what managers model day to day.
- Encourage questions. It could save you a lot of money. Employees who think they might be facing a security issue should feel that reporting or asking is a duty rather than a burden. Make this a stated value and you could save a great deal of pain in the end.
4. Democratic National Committee
What Happened: On July 22, 2016, WikiLeaks published a collection of almost 20,000 emails taken from Democratic National Committee (DNC) staff accounts, followed by more than 8,000 more on November 6, 2016. The emails ranged from how the DNC interacted with the media to personal details of donors, including some credit card and Social Security numbers. The fallout from the leak led to the resignation of several high-ranking DNC officials.
WikiLeaks has not revealed its source, while a persona calling itself “Guccifer 2.0” has taken credit for the intrusion. That claim has not been substantiated, but the U.S. government has attributed the breach to Russia: on October 7, 2016, the Department of Homeland Security and the Office of the Director of National Intelligence issued a joint statement saying the intelligence community was confident the Russian government directed the compromises and that the “thefts and disclosures are intended to interfere with the U.S. election process.”
2017 Takeaway – Define Critical Assets: The DNC held information that was highly valuable and sought-after. All organizations, but especially those with sensitive data, need to identify and define their assets ahead of time and protect them accordingly. Part of this process is deciding whether everything really is critical to the business, or whether the truly integral assets can be narrowed down to specific processes, products, property and the like. Once what is critical has been defined, and this includes people, the organization can prioritize the proper defense and mitigation mechanisms for it.
Included in defining and protecting assets ahead of time is reviewing:
- Network and security device configurations
- Identity and access management policies and implementations
- Vulnerability and patch management systems
- Operating system, database, and application monitoring programs
- Perimeter and endpoint defenses
All of these measures help ensure that your data, whether political strategy or personal identifiers, is as secure as possible.
The historic cyberattacks of 2016 do not mean that defense is futile, or that attacks are inevitable and therefore not worth trying to stop. The opposite is the necessary approach going forward. Closing known gaps and vulnerabilities, having response plans in place before a breach occurs, instilling an aware and vigilant security culture, and protecting critical assets are all necessary pieces of a holistic defense. That all-encompassing view is what today’s advanced and persistent threats demand.
An accompanying infographic to this post, created by TSC Advantage, can be seen on CSO’s site here.