When it comes to IT security, the writing has been on the wall for some time. What lessons can be learned from 2015, as even more high-profile organisations have fallen victim to cyber-attacks? And what lies in store for the year ahead?
December marks the end of another tumultuous year in the world of cybersecurity. With organisations like Anthem and the United States Office of Personnel Management having fallen victim to significant cyber-attacks, 2015 revealed a noticeable increase in the sophistication and severity of cybercrime. As companies look ahead to the coming year and the promise of new, exciting technologies and security solutions, they must also reflect upon the lessons 2015 has left behind.
With the increasing popularisation of BYOD, cloud computing and other disruptive technologies, enterprises have had their plates full in coping with expanding attack surfaces. The sometimes tedious logistics of securing BYOD schemes and the difficulty of securing cloud data proved to be formidable challenges for many companies. Aditya Girish, Territory Manager Middle East, Koenig Solutions, points out that the changing threat landscape has become such an issue that IT security is no longer solely an IT discussion.
“The transformation of security issues into a boardroom priority is one of four major trends we’ve seen develop over the last year,” says Girish. “The other three important trends to note are the increase in onion-layered security incidents, ransomware attacks, and insider threats,” Girish explains. Perhaps the most compelling of these four trends from a management perspective is the involvement of other C-level executives in the issues of cyber-security policy and solutions.
A greater volume and quality of data stored in private, hybrid and public clouds has spurred cyber-criminals to innovate. “2015 has shown us that cybercriminals have become more creative in their approach,” says Andrew Lintell, Director of Sales, Identity Assurance, EMEA, HID Global, “both in how they gain access to networks and how they steal data. Everything from mobile phones to banking apps and enterprise data centres is vulnerable.” The increased variance of cyber-attacks is what prevents some enterprises from embracing policies like BYOD. However, while BYOD schemes offer another access point for creative cyber-criminals, they also reinforce the idea that an enterprise’s cybersecurity is in everyone’s hands.
Wolfgang Kandek, CTO, Qualys, agrees that the increase in attacks and the greater attention paid to IT security from the C-suite may be tied to the amount of data being stored digitally. “More data is being saved online than ever before,” says Kandek. “With cloud computing and Big Data becoming more common, many companies have placed the lion’s share of their vital information into digital form. This creates a juicier and more vulnerable target for cybercriminals.”
Looking back at the most significant cyber-attacks of 2015 reveals some interesting information on the developing trends of cyber criminality. Not all attacks are financially motivated, and the targets seem to vary as widely as the methods. Kandek points out, “On the non-commercial side, the US Government’s Office of Personnel Management had 21.5 million personnel records compromised. These records did not have commercial information involved, so the motive was not financial. However, it represents the biggest potential political cyber-attack that has been publicly disclosed.”
Of course, financial gains are a major motivation for cyber-attacks as well. As Kandek explains, “On the commercial front, there were a range of attacks that affected companies and individuals. Attacks on point of sale terminals were very popular with several new families of malware all targeting retail.”
One consistent trend of cybercrime this year is the move away from attacks starting from physical points of entry. As Girish explains, “Crimeware and miscellaneous error messages that led to the unintended download of malware made up 25.1 percent and 29.4 percent of all cyber-attacks of 2015 respectively.” This shows a significant contrast to what might be considered a dying breed of cyber-attacks that require more physical approaches. “POS intrusions and payment card skimmers accounted for 0.7 percent and 0.1 percent of attacks respectively.” This trend aligns with the advent of Big Data and a continued move of both commercial and consumer users to the cloud.
Company databases and networks are not the only areas that cybercriminals have targeted over the last year. “Mobile attacks have also been on the rise,” says Simon Bryden, Consulting Systems Engineer, Fortinet. “We saw mobile variants of ransomware, and most notably the StageFright attack showed how malware could be carried in an innocuous MMS video message. This was particularly harrowing, since applications such as Google Hangouts process these types of videos in the background. Essentially, this means the device could theoretically be infected without the user actually playing the video.”
Reflecting on the past year of cyber-attacks can be a powerful tool in planning for the future. Using what has been done, analysing the weak points in responses and protection, and studying the ingenuity of those who seek to cause harm with technology can create powerful new approaches in policy and prevention that can ultimately shift the balance in the fight for data security.
Bryden has analysed the cyber-threat landscape of 2015 and points out some very useful patterns. “It has been widely demonstrated that the real damage is done not at the time of the breach, but in the weeks or months which follow,” he says. “During this time, a cyber-attacker will move laterally in the victim network, seeking out and infecting critical systems, gaining administrator rights, and exfiltrating data. In the case of the Office of Personnel Management this year, attackers were inside the network for more than 200 days. If the attack can be detected early, the damage can be reduced or eliminated completely.”
Early detection is certainly one strong point an enterprise should strive for when crafting its approach to IT security for the upcoming year. Staying one step ahead of attackers, though difficult, is another goal that should be a part of every enterprise IT security policy.
Kandek sees an opportunity for greater security and less risk as the future develops, and suggests that companies break away from traditional IT security approaches. “They’re failing,” he says. “Instead, we should be looking at the future of IT and how we embed security into everything by default. For example, with users and companies alike using more cloud-based applications, the number of applications that have to be based on the internal network is reduced. As more apps and services are consumed from public cloud providers, the attack surface for those internal networks will shrink.”
In a world as fast-paced and constantly evolving as technology, saying ‘out with the old and in with the new’ is commonplace. In the case of saying farewell to 2015, it may be worth lingering an extra moment before waving goodbye.