Cybercrime and the New Normal
With an increase in high-profile cyberattacks and data breaches, it’s no surprise that cybersecurity is top of mind for the C-suite.
According to the digital security firm Gemalto, there were 918 global data breaches in the first half of 2017, a 13% increase over the 815 that occurred in the second half of 2016. Furthermore, identity theft accounted for more than three quarters of data breaches, with a whopping increase of 49%. The rise is even more dramatic in the sheer number of data records impacted. Roughly 1.9 billion data records were lost or stolen during the first half of 2017, an increase of 164% over the previous 6 months. Clearly cybercrime is on the rise, and we can likely expect more high-profile breaches in 2018.
When customer data, financial records and intellectual property are exposed, an organization’s bottom line, brand and competitive edge suffer. So, let’s take a look at some of the recent attacks to better understand where security policies are failing and how businesses can harden their defenses.
In the Spotlight
Since the massive Equifax breach was disclosed in August, the company has been in the glare of public and political scrutiny not only for the hack itself, but also for the systems glitches and multiple workflow mistakes that surfaced in its wake. In this attack, cybercriminals obtained access to the SSNs, names, birthdates and addresses of 145.5 million Americans, and the cost to Equifax will likely be in the billions of dollars over the years to come. After discovering the breach, the company took six weeks to go public. Additionally, the Equifax site that was set up to address questions and offer free credit monitoring was full of vulnerabilities.
The congressional Financial Services Committee held hearings earlier this month, and the FTC has started its own investigations. Politicians are also calling on agencies such as the Securities and Exchange Commission and the Consumer Financial Protection Bureau to begin inquiries. But with the personal information of nearly half of the U.S. population now at risk from this singular event, will this shake-up finally be the wake-up call that spurs enforceable security mandates from government and industry leaders alike? Time will tell.
"Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years," reports René Gielen, the vice president of Apache Struts.
This is interesting because Equifax confirmed that attackers entered its system in mid-May through an Apache Struts web application vulnerability. A security patch was available in March, which means that the company had over two months to take precautions. Unfortunately, this failure to install software updates is a common and recurring theme in large-scale cyberattacks.
The “WannaCry” ransomware attack in May took advantage of leaked Windows vulnerabilities. And while Microsoft released a patch in March, many organizations were exposed because they had not applied it, and hundreds of thousands of targets were hit globally. Thus, in combination with seeking out-of-the-box security solutions to address new threats, it may be safe to say that organizations have the opportunity to “get back to basics” by placing an increased priority on IT and security fundamentals, such as deploying critical system software updates.
IoT Raises the Risk (and the Bar for Security Considerations)
The dramatic growth of IoT devices, especially within the healthcare, finance, retail and manufacturing segments, means that more unmanaged endpoints than traditionally managed endpoints (e.g. PCs, tablets, smartphones) are accessing the network. And since these devices are often unseen and unknown to administrators, they make prime targets for hackers.
Case in point, the notorious October 2016 Mirai DDoS attack on Dyn, a company that controls much of the Internet’s DNS infrastructure, used IoT devices as points of entry. The botnet attack was designed to identify and infect vulnerable IoT devices that used default settings, allowing those devices to continue to function normally. The only indicator of abnormal behavior was occasional device sluggishness and the increased use of bandwidth. The end result? Mirai brought down much of the U.S. Internet for a short time.
Unfortunately, few IoT device attacks can ever truly be prevented, primarily due to the sheer number and variety of connected devices, which would more or less require a “device-by-device” security approach in order to achieve absolute prevention. And what we know from experience is that next-gen firewalls, anti-virus software and network access control (NAC) solutions simply can’t eliminate 100% of threats. Security and IT teams must adopt a comprehensive approach to their security policies that includes both offensive and defensive solutions and workflows, enabling the business not only to thwart cyberattacks but also to quickly identify, respond to and remediate breaches when they do occur. Prevention, visibility, discovery and real-time response must all be part of an integrated security strategy.
What Lies Ahead
As we look forward into 2018, it’s a given that cybercriminals will continue to develop more sophisticated ways to expose data. Additionally, as more organizations begin to realize the business benefits of connected devices, enterprise IoT device adoption is expected to increase as well. And this intersection of growing IoT applications and cybercrime will continue to spur innovation within the IoT security space. Vendors will continue to develop new and more effective ways to enable network and device visibility, device behavior profiling and automated control mechanisms, which can be used to quickly discover, control and remediate breaches.
The fact of the matter is that consumers and enterprise organizations alike will demand better protection. So, we’re curious…how are you rethinking your security strategy?