Last year was fraught with data leaks and security breaches of all kinds. From coding vulnerabilities such as Heartbleed, to leaks in Apple’s iCloud, to a full on attack on Sony Pictures, CSOs in the top companies in the world probably did not get much sleep this year. As we move forward into the new year, security experts are hoping that we have learned from the past.
The last 12 months has seen some of history’s most disastrous data breaches and cyber-attacks, and unfortunately, the hits just keep on coming. “Last year was indeed the year of data breaches and even now, towards the end of 2014, new cases are being reported,” says Nicolai Solling, Director of Technology Services, Help AG. Some voices in the industry say that an estimated three billion credentials were leaked, he says, an extremely large number given that the total Internet population is about the same.
The intent of cyber-criminals is often monetary, however, we are now seeing attacks from opportunistic criminals that simply want to embarrass or prove their worth as a hacker. Also, attacks against government entities have become more common, as political hackers use cyber-espionage tactics to draw attention to their causes or to damage the assets of their opposition.
Indeed, the attacks on businesses and code in the past year has cause a great deal of damage to the bottom line of a number of industries, and even governments. “Last year Kaspersky Lab released reports on some of the world’s most sophisticated advanced persistent threats and cyber-espionage campaigns such as Careto-Mask, Epic Turla, Cosmic Duke, Svpeng and Crouching Yeti to name a few. Leaks of data – both from home users and organisation – have very damaging results,” Ghareeb Saad, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab Middle East.
Not only have these attacks cost businesses money, but perhaps more threatening has been the damage taken to their reputations. “The cyber-attack on Sony Pictures Entertainment crippled the company and published damaging confidential information that embarrassed top executives. Additionally, in one of the largest ever coordinated cyber-attacks in Norway, some 300 oil and energy companies were targeted by hackers,” says Florian Malecki, EMEA Products and Solutions Director, Dell.
When looking at the threats of the last year, it seems that they are by and large opportunistic. As we create more data and use new technology, it stands to follow that hackers will try to profit from that collateral. “If you look back at the security trends from 2008 until today, you will see DDoS threats are rising,” explains Glen Ogden, Regional Sales Director, Middle East, A10 Networks, “There is nothing to suggest that these attacks will slow down. As cloud unfolds, some of the bigger targets such as Amazon, Azure etc. that have huge pipes, we can expect to see an increase in volumetric based DDoS attacks.”
Chief among new, disruptive technologies that have cyber-criminals primed for attack is the cloud. “It is no secret that cloud services are more vulnerable in terms of security than classical on premise environments. It is the main reason why corporate segments still prefer keeping their data on premise or in a private cloud, rather than public,” says Vsevolod Ivanov, Deputy CEO, InfoWatch. When utilising cloud services, he says, it is critical that businesses differentiate what is appropriate data to keep on a private cloud, and what information needs to be kept on premise. When utilising cloud services, as well, security should be the top priority.
Not all breaches can be blamed solely on poor security, however. For example, last year’s Heartbleed bug was simply an error in some very outdated code. Bugs such as Heartbleed are all but unavoidable. “The Heartbleed security bug brought attention back to the need for comprehensive security which includes specific areas as identity and access management and federation. Continuous authentication is a useful technology to employ to defend against code bugs,” says Shirief Nosseir, Security Solutions Regional Manager for Eastern Europe, Middle East and Africa, CA Technologies.
Hisham Surakhi, General Manager, Gemalto Middle East, agrees that when it comes to buggy code, a good offence is the best defence and without such precautions, a simple glitch in coding can turn into a fiasco. “Due to the popular habit of login reuse across applications and the blurring of business and consumer user personas, the risk could spread beyond compromised services to sites using these same logins,” he says.
Kalle Bjorn, Director, Systems Engineering, Middle East, Fortinet points out that outdated code should not be dismissed. “Not all breaches occur due to zero-days. Several attacks this year have exploited older vulnerabilities. It is critical to implement an advanced threat prevention system, but it is just as critical to ensure you are also protected from the attacks that are already known.”
Still, there are methods to protecting data from faulty code. “To reduce your company’s risk when it comes to vulnerabilities such as Heartbleed,” says Surakhi, “businesses should consider using a single sign on solution to help manage all employees’ online activities when accessing the corporate network.”
Malecki agrees last year surely highlighted the fact that security should be a priority for companies, “Last year’s attacks definitely reaffirmed what we have been saying all along that better security equates to better business for companies. These attacks demonstrate the importance for companies to take consorted steps to stay protected and safeguard themselves against threats of all sizes.”
Indeed, as businesses realise that cyber-attacks can hurt their budgets in more way than one, they will need to shift their security plans to face the problem head on. However, many industries are just taking the first step in what may be a long journey. “I think the biggest lesson is that we still have a long way to go,” says Chester Wisniewki, Senior Security Consultant, Sophos, “Too many companies are still using outdated code, insecure password storage practices, improper network filtering and segmentation, underusing encryption and not following secure remote access practices.”
Businesses and individuals alike need to realise that the fight against cyber-crime is not one that will ever end and that the winner will be determined by who is most prepared. “Attacks will not stop,” says Cherif Sleiman, General Manager, Middle East, Infoblox, “That is just a fact of life in today’s environment. It is what we as organisations and individuals do about it that will determine its impact. In the same way we don’t build networks without proper firewalls and other application based security, we should be building networks without proper DNS security. From that perspective, that should be able to combat a lot of next generation malware, moving the fight elsewhere.”
The biggest take-away from the year of the data breach is that it is no longer power-users and businesses that are at risk. Pradeesh VS, General Manager, ESET Middle East agrees that every end user needs to protect themselves and their data, from the largest enterprise, to an everyday smartphone user. “We have clearly learned that no one is immune against cyber-attack,” he says, “it is a matter of who is a step ahead – you or the hacker.”