A look back on 2017, and looking forward to the cyberthreats of 2018
As we look back on 2017, there are several disturbing events that happened in the world of cybersecurity that hopefully will not happen again in 2018. We take this time to reflect on the past year and to look ahead to 2018 to share our thoughts with you as to what we see are the challenges that lie ahead in the world of cybersecurity.
How bad was 2017?
The amount of personal and confidential data that was pilfered during calendar year 2017 was staggering.
Will things change in 2018?
While we would all like to think that things will get better in 2018, it’s not going to happen without some hard work, funding, and a dedication to improvement that many companies don’t yet understand or take seriously.
How do I get started on improving things within my own company?
Here are some simple steps you can take to get started on better security and compliance, and on aligning with industry best practices:
- Do a complete inventory
- Determine which systems are the most critical
- Decide whether to keep certain systems in house or to take advantage of secure, compliant cloud providers like WHOA.com to host your infrastructure and to help you with your compliance needs.
Data on 123M US households exposed in latest misconfigured AWS cloud storage case
Data on 123 million U.S. households has been found unsecured and open to the public in the latest and possibly biggest case to date of a company failing to secure data on an Amazon Web Services Inc. storage “bucket.”
Like those before, the discovery was made by UpGuard Inc. security researcher Chris Vickery, who wrote in a blog post today that the exposed cloud-based data repository comes from Alteryx Inc., a California-based analytics firm that specializes in gathering data for marketing purposes. The data included a staggering 248 different data fields for each household in the database revealing “billions of personally identifying details and data points about virtually every American household.”
To make matters worse, some of the data in the database came from other sources, including the U.S. Census Bureau and consumer credit reporting agency Experian Inc.
Although there is no direct evidence that the data was accessed by malicious third parties, Vickery does say that the data sat open to the public for months and that users should presume that it had been accessed. “Simply put, one dummy sign-up for an AWS account, using a freshly created email address, is all that was necessary to gain access to this bucket’s contents,” Vickery wrote.
A spokesperson from Alteryx downplayed the leak. It told Forbes that “specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes.” It also said that the information in the file poses no risk of identity theft to consumers.
Commenting on the news, Varun Badhwar, co-founder and chief executive officer of RedLock Inc., told SiliconANGLE the case highlights the fact that third-party vendor relationships are an increasing cybersecurity risk. “Data from three different organizations — Alteryx, Experian and the U.S. Census Bureau — was revealed,” Badhwar said. “More companies should demand security audits of their partners, suppliers, and service providers, and implement tools such as continuous cloud infrastructure monitoring to identify misconfigurations and irregularities before they expose consumer and enterprise data.”
Bitglass Inc. CEO Rich Campagna noted that this is one of the largest AWS misconfiguration leaks seen to date and the latest of several mass incidents in 2017. “Cloud app misconfigurations continue to pose a major threat to data security and clearly calls for all organizations to reevaluate their security posture and processes,” Campagna said. “Despite its scale, this data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest.”
Zohar Alon, co-founder and CEO of Dome9 Security Ltd., was even more explicit, saying that these sorts of data leaks from simple misconfigurations are “outrageous – and frankly 100 percent avoidable.”
“In an age where organizations are running their entire infrastructure in the cloud, or developing business-critical applications in containers, we’re stuck discussing the implications of not changing the default settings on third-party software week after week,” Alon said. “While Alteryx is the latest victim to mistakenly expose its most sensitive information to the wider internet, it serves as another example of how any number of native and third-party tools could have prevented a very sticky situation.”
Discussing the possibility that the data may have been accessed, JASK’s Director of Security Research, Rod Soto, told SiliconANGLE that “there’s a good chance data is in the wrong hands” as “malicious actors are using many different tools to discover such buckets, or they are finding information in other sources such as github.com, or by performing other attacks that may get hints or direct clues of the use of AWS buckets.”
Soto advised that “every organization using S3 buckets needs to diligently address three main items in order to secure them: IAM Policies, Bucket Policies and Access Control Lists. The overall purpose of these items is to establish what can be seen publicly, who/what has access to it and what privileges are given to those access resources.”
The 5 Biggest Data Breaches of 2017
From Vault 7 to WannaCry to Equifax, we’ve seen seemingly countless security incidents in the last year that have left sensitive data exposed. Malicious hackers have found new ways to compromise classified systems and information, and naïve users continue to put organizations at risk. As we wrap up 2017, it’s important for companies to reflect on the previous mistakes made across the industry, and adjust their processes to mitigate any potential threats in the new year.
Here’s a look back at the top 5 cybersecurity events that have unfolded over the previous 12 months.
In March of 2017, documents leaked out via Wikileaks that unveiled techniques the CIA had been collecting for use in cyber warfare. These documents outlined how the agency had capabilities to exploit automobiles, IoT devices, personal computers, smart phones, and more. The leak was attributed to an unknown insider, and it is believed that the collection came from contractors the agency hired. Many subsequent attacks seen throughout the rest of 2017 spawned from this leaked stockpile of vulnerabilities.
The Shadow Brokers is an underground group of hackers that appeared on the scene in August of 2016. Little is known about the origins of the group, but they are notorious for publishing several zero-day exploits, most notably the leak of the EternalBlue exploit. This leak led to the WannaCry ransomware attacks and, later on in the year, the Petya attack. The group also started a monthly subscription service that promised other NSA-built hacking tools for the price of $64,000 a month.
In May of 2017, WannaCry was top of mind for security and IT professionals across the globe. Many organizations were affected by the notorious red screen stating that all files had been encrypted. WannaCry is a ransomware cryptoworm that targeted Windows computers by using an exploit known as EternalBlue. This was an exploit in the SMB protocol that was released via the Shadow Brokers from the Vault 7 leak. WannaCry encrypted all user data on a system and then demanded payment, in bitcoin, to decrypt the data. Even scarier, WannaCry spread like wildfire. In one day it was reported to have infected more than 230,000 computers in more than 150 countries.
In May of 2017, Equifax suffered a massive breach in which 143 million Americans’ information was put at risk. This hit occurred from a vulnerability in Apache Struts, a Java web application framework. The vulnerability is identified as CVE-2017-5638, and enables hackers to execute remote code on systems leveraging Apache Struts. The breach shows the importance of patching systems; however, patching is much easier said than done in big corporations. Nonetheless, Equifax has been widely criticized for the patching gap and for taking too long to report the incident once discovered.
Late in the year, Yahoo announced more than a billion of its users’ accounts had been compromised in an August 2013 breach. According to sources, the 2013 breach investigation concluded that an unauthorized outside party stole data about users of the site such as usernames, passwords, and secret questions. This breach is regarded as the largest breach on record in terms of number of people affected. Yahoo has since taken the proper precautions to reset account passwords and we hope this record for size of breach isn’t broken in 2018.
“As part of the recently published research report from ESG and the Information Systems Security Association (ISSA) titled The Life and Times of Cybersecurity Professionals, 343 infosec pros were asked to identify the cybersecurity actions their organizations have taken over the past few years. This list serves as a good foundation for what we can expect in 2018.
The top responses were as follows:
- 52% of organizations adopted some portion or all the NIST cybersecurity framework (CSF). If you haven’t been paying attention to this, you’ll be surprised to find out that the NIST CSF has become a standard risk management tool across many industries and has also evolved to produce baseline metrics for cyber insurance. The 1.1 draft was recently published, promising to bring even more clarity, a common language, and extensibility to the cyber supply chain. Finally, CSF will likely be adopted in tandem with the Committee of Sponsoring Organizations (COSO) risk management framework (part 2) which is more focused on business and enterprise risk. In aggregate, look for more risk management efforts in 2018, including my recent description of advanced prevention.
- 50% of organizations increased cybersecurity training for the security and IT staff. Okay, that’s the good news. The bad news is that 62% of cybersecurity professionals surveyed believe that the level of training they receive from their organization is still inadequate. Cybersecurity training will increase in 2018 but probably not as much as it should.
- 49% of organizations increased the level of cybersecurity training for non-technical employees. This may be a good investment but too many organizations go through the motions with cybersecurity training, viewing it as a checkbox exercise. Regrettably, this will continue with many organizations increasing their training budgets slightly but getting little, if any, ROI in the process. I see leading companies going the extra mile with user-centric penetration testing, like white hat phishing campaigns, using tools from KnowBe4, PhishMe, Wombat Security, and Webroot. I also see better communication like explaining why user actions were blocked rather than simply blocking them and presenting cryptic messages to employees. Continuing education is important so I hope CISOs and HR managers look to improve and not just increase user training in 2018.
- 48% of organizations increased their cybersecurity budgets. ESG will soon publish its IT spending intentions research for 2018 which includes highlights on cybersecurity budgeting. Spoiler alert: A majority of organizations will increase their cybersecurity budgets in 2018 across all industries. Even with this increase however, security teams will find it challenging to invest in all areas of cybersecurity. In 2018, CISOs will develop a portfolio management approach to investment, looking for ways to use machine learning technology, security operations automation/orchestration tools, managed services, and software-defined security options, to address requirements AND act as a countermeasure toward escalating costs.
- 48% prepared to adhere to one or several new regulatory requirements. In 2017, New York State pushed new regulations on financial services firms while many global companies started their GDPR preparation. With the May deadline approaching, GDPR will continue to be an area of intense investment in 2018, but I doubt whether this will be the end of the line. I expect a lot of scrutiny and perhaps some initial regulations on IoT device security in 2018. Oh, and one big data breach or service disruption could certainly change legislative attitudes overnight. As a US citizen, I hope Washington pays attention to lessons learned from things like Equifax and GDPR to start working on reasonable data privacy and cybersecurity regulations here on the home front.
What the ESG/ISSA data suggests is that the cybersecurity past is prologue. Let’s hope that CISOs do more than get more cash and go through the motions in 2018. Rather, I for one hope they assess needs, processes, and resources, and use increasing budgets for fundamental cybersecurity improvement.”