Attacks/Breaches

12/29/2017
08:00 AM
Sara Peters
Sara Peters
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv

17 Things We Should Have Learned in 2017 But Probably Didn't

The worm has returned and the Yahoos have all been exposed, but did 2017 teach us any genuinely new lessons we shouldn't already have known?



(Image: studiostoks, via Shutterstock)
(Image: studiostoks, via Shutterstock)

Before you make your cybersecurity resolutions for 2018, curl up with some egg nog, sit by a fire, nestle yourself in the comforting sounds of loved ones' voices in the next room, and spend some time reflecting on all the cybersecurity resolutions you failed to fulfill in 2017, 2016, and 2015. 

Chances are, you make similar resolutions every January 1st. Each year the infosec headlines flood us with new cautionary tales, some trying to teach us the same old lessons. Here are 17 things we should have learned from the horrors of 2017...but probably didn't: 

1. You need to know what data you have, and where it is.
It seems like a reasonable request. Keep track of the valuable assets people give you, whether that be cash, a lawnmower, or personally identifiable information. Nevertheless, it took Yahoo three years to discover that they'd experienced a data breach of 1 billion accounts in August 2013, and another 10 months to realize that (slight miscalculation) three times as many accounts, in fact every single Yahoo user, were exposed in that incident.  

Credit bureau Equifax also had some trouble discerning the scope of its breach - an incident that not only exposed nearly every American adult to the threat of identity theft, but inspired new calls for stricter regulations on data aggregators. Bolstering that argument: marketing firm Alteryx's subsequent leak of extremely rich data on 123 million American households, including 248 data fields covering everything from how much they refinanced their home for to whether they prefer dogs or cats.

Breaches like this are what the EU's General Data Protection Regulation was created for, and with GDPR enforcement actions due to arrive in May 2018, lesson number 1 is something you ought to get hip to right quick. (Bonus tip: don't set your AWS cloud storage bucket access permissions to "let any AWS user download my database" like Alteryx did.)  

2. How we respond to incidents is just as important as how we prevent them.
Equifax was going to lose some friends when they exposed names, Social Security Numbers, birth dates, and addresses on 145.5 million Americans and 12.5 million Brits. They exacerbated the problem by waiting 40 days to report the incident after discovering it. They made it worse by having a website with poor functionality and conflicting information. Then, Equifax offered victims complimentary credit monitoring - provided, ironically, by Equifax - but only if the victim first provided their credit card number and waived any rights to take legal action against the company. (They later removed this clause, after public pressure). It was hard to imagine how they could have bungled it worse. 

Until Uber's news broke. Not only did the company choose to keep their data breach (of 57 million drivers' and passengers' data) to themselves for a full year, they paid attackers $100,000 to keep the secret to themselves too (and delete the data, which reportedly appeared on the black market anyway). The behavior was ethically questionable, and the lawsuits quickly started to pile up on Uber; the city of Chicago and Cook County asked for $10,000 per day for every violation of a user's privacy. 

3. Social Security Numbers should not be used for anything but Social Security.
Apparently this is something that still needs to be said. One of the greatest concerns of the Equifax breach was the release of so many Social Security numbers, which would not be a concern if SSNs weren't trusted so implicitly so widely, and if they could be reset, reissued, or verified by the Social Security Administration. For some reason, we continue to treat an unchangeable, easily guessable, unverifiable set of nine numerals with the same reverence we treat fingerprints.

4. Radio frequency communications need to be secured.
Interception of radio communications only became an issue about, oh, 100 years ago or so. Maybe we just need to give the manufacturers of radiation monitoring systemspacemakers, and other IoT devices another 100 years to start using encryption (and strong encryption) on their RF protocols. Non-WiFi communications in general need more security love in the IoT world, as the Blueborne vulnerabilities in Bluetooth also attest. On the plus side, security companies are beginning to address these issues, with tools like Rapid7's RFTransceiver extension for scanning wireless devices outside of 802.11. 

5. ICS/SCADA needs special security treatment
The year began with the discovery that the 2016 electric grid outage in Ukraine was caused by the first malware designed solely for electric grids (called CrashOverride by some, Industroyer by others). By the end of the year, the TRITON malware was disrupting ICS operations even while failing to achieve its true aims. In between, the DragonFly (aka Energetic Bear) APT group was looming over the US power grid, a PLC hack jumped the air gap, and more.

Honeywell survey found that about two-thirds of companies in the industrial sector don't monitor for suspicious traffic and nearly half don't have a cybersecurity leader. But don't sneer at them. Most of the cybersecurity tools currently available are too invasive to be borne in highly heterogenous ICS environments that have little to no tolerance for downtime. 

6. You need to deploy patches faster ... no, really.
Equifax was compromised first in May, via the critical Apache Struts vulnerability disclosed in March. When news broke, attackers were already attempting to exploit the vuln and researchers urged anyone using Struts2 to upgrade their Web apps to a secure version. Clearly Equifax did not move fast enough.

In fairness, patching is hard, and March to May isn't that much time for an enterprise Equifax's size to complete the process. Organizations nevertheless must inject some jet fuel into their patch management processes because the vendors sometimes take their sweet time issuing fixes. Microsoft, for example, didn't patch a Windows SMB bug until a month after an exploit for it, EternalBlue, was publicly disclosed. The EternalBlue exploit, which enables malware to quickly spread through a network from just one infected host, was soon used in both the WannaCry attacks in May and the NotPetya attacks in June. Despite the terrifying (and highly publicized) nature of WannaCry and NotPetya, a scanner created by Imperva researchers found in July that one of every nine hosts (amounting to about 50,000 computers from what they'd scanned) was still vulnerable to this exploit.

7. The NSA might not be the best place to put your secret stuff.
That EternalBlue exploit used in NotPetya and WannaCry was first stolen from the National Security Agency and publicly leaked by the Shadow Brokers gang last year. Attackers used it, as well as other NSA creations like Adylkuzz, in a variety of campaigns in 2017. Plus, NSA software developer Nghia Hoang Pho pleaded guilty to illegally retaining national defense secrets and bringing them home, where they were subsequently stolen by Russian state-sponsored actors. Although there was no indication that Pho had malicious intentions, he is the third NSA insider in recent years to be responsible for the misappropriation of highly classified information. 

8. Cybersecurity failures are beginning to have significant market impacts ... sort of.
The incident at Yahoo - even before the full scope of it was discovered - led the company to shave $350 million off the price when they sold the company to Verizon for a paltry $4.48 billion (about a 7 percent discount). Equifax's stock price dropped massively in the immediate wake of its devastating and horribly mismanaged breach. By early October, though, it had secured a new deal doing identity verification for the IRS and the stock had nearly recovered. Three months later, the stock is even higher than it was in September.

Security researchers are investigating other ways to use market pressures to improve cybersecurity themselves. Meanwhile, organizations are getting smacked by regulatory fines and legal settlements, like Anthem Healthcare's record-setting $115 million to settle its 2015 data breach. 

9. Integrity of data (and the democratic process) can be disrupted by more than "hacking."
Depending upon your definitions of "cybersecurity" and "information security," you may or may not feel that fighting disinformation is part of your job description, unless there is some kind of hacking or malware involved. Remember, though, that "integrity" is the "I" in the sacred security C-I-A triad, even if confidentiality and availability get most of the attention. So it is worth studying how attackers spread disinformation campaigns, how disinformation have been used to disrupt elections in Ukraine and the US, how attackers use fake social media profiles for malicious purposes, how the FCC's Net Neutrality public comment process was marred by the influx of millions of comments made with stolen identities, and how social engineering in all its forms succeeds daily. 

10. You really should refresh your DDoS defense and preparation plan.
If you didn't immediately start reviewing your DDoS defense and response plans after Mirai hit last year, then perhaps news that DDoS attacks doubled this year, averaging eight attack attempts per day, will get you moving. Or attackers' renewed interest in DNS, like, when they seized control of a Brazilian bank's DNS infrastructure? Or the fact that WannaCry and NotPetya caused major disruptions to production and operations at companies like Honda and Merck? If not, it's time to start planning. And don't forget to take a look at your DNS, and figure out how to protect your cloud resources from ransomware.

11. You can't escape the effects of political and civil unrest.
Attackers have always capitalized on current events when writing phishing messages, but unrest can also impact disaster recovery plans, security software purchasing decisions, and the culture of the security team. One-third of the over 250 respondents to an informal Dark Reading survey say that the US political climate has already caused them to make infosec-related changes to their business continuity and disaster recovery plan; another 12% say they're considering making such changes. Federal government agencies are removing Kaspersky Lab security software for fear that the security company was influenced by the Russian government, (shortly after President Trump tweeted that he and Russian president Vladimir Putin had "discussed forming an impenetrable Cyber Security unit"). 

12. Infosec workforce diversity is something you should actually care about.
The most mercenary reason cited for increasing the diversity of the cybersecurity workforce is that there are many thousands of unfilled security jobs that need filling, and we're missing out by not appealing to more women and people of color. There are other, better reasons as well, like treating people with respect, getting the best out of your staff, and, maybe even better understanding an increasingly diverse group of threat actors. Infosec leaders need to take steps to build a path to greater diversity by revisiting hiring practices, making meetings more inclusive, and being willing to "have the uncomfortable conversations" that lead to greater understanding and better teamwork. 

13. Bitcoin is awesome, once you take away the part about currency. 
Gee, Bitcoin sure is great for paying ransomware operators and for debating just how much volatility a financial system can bear. But the best thing about it is the platform upon which it's built: Blockchain. The distributed ledger technology essentially allows for the creation of a list of records, each record cryptographically linked and secured, thereby enabling greater data integrity for all manner of applications. JP Morgan's CEO Jamie Dimon called Bitcoin "stupid," but his company got behind Blockchain in a big way this year, announcing a Blockchain-based cross-border payment network; IBM released a similar offering. And while you're pondering the ways to use Blockchain for your own business, mind your Bitcoin, because cryptocurrencies are already being targeted by DDoSes and mined by botnets, and now the Lazarus Group is in on the act. (You may remember Lazarus Group from its performances in Sony Breach and SWIFT Network Attacks).

14. Encryption is great ... except when it isn't.
People love Blockchain partly because of all the crypto packed inside like chocolate chips in a cookie. Our trust in crypto can sometimes be shaken, however, like during one very bad week in October when it was discovered that secure WiFi sessions could be hijacked by the KRACK vulnerabilities in WPA2. A factorization bug in Infineon's TPM chipset had exposed millions of crypto keys to an exploit that would allow attackers to generate a private key from a public key,  and some suspicious individual was scanning up to 25,000 systems a day looking specifically for vulnerable private SSH keys. That made Cloudflare's little ol' months-long leak of encryption keys, cookies, passwords, and HTTPS from Cloudflare-hosted sites like Uber and OKCupid seem almost quaint. 

15. Firmware is your problem too.
Itty-bitty concerns like factorization bugs that could render your encryption entirely useless start in the chipset. There were plenty of other hardware and firmware hacks unleashed this year that should also get the infosec pro's attention, even if they're more comfortable with software. Like for example the Intel AMT flaw, or the Intel ME vulnerabilities that would give attackers "God mode" even when it's turned off (US-CERT sent an advisory about that one), or any of the hardware/firmware hacks revealed at Black Hat conferences.

16. No, malware does not mean no problem.
Malware is nice, but it's more easily detectable than some other kinds of attacks. The good old-fashioned con never goes out of style, because social engineering works. Business email and account compromise attacks (BEC attacks) are a good example - total losses to BECs have surged past the $5 billion mark, according to the FBI, and are five times more profitable than ransomware, according to Cisco. And then there are "fileless" attacks. By using malicious macros, manipulating legitimate Windows services for nefarious activity, executing code in memory, using stolen credentials or PowerShell or a variety of other sneaky methods, attackers are evading anti-malware systems by simply not using malware at all.

17. Getting stabbed in the side is a bigger problem than getting stabbed in the back. 
We've known for years that attackers can break in through one poorly secured endpoint and laterally move through your network until they access the crown jewels from the inside. While attackers continue to get better at lateral movement, most organizations haven't done anything to get better at preventing it. With better-managed access controls and microsegmentation, and the use of an automated lateral movement tool to help good guys (and others) quickly find the most vulnerable pathways, organizations might begin to help defend themselves against a variety of attacks, including nightmares like an Active Directory botnet

But it's not all bad
In summary: there's no substitute for good hygiene. True, 2017 wasn't without it's horrors, but there were a few victories, too. The WireX Android botnet was taken down, the Andromeda network of botnets (that helped spread Petya, Cerber, and Neutrino) was finally taken down, and although 2018 might be worse, the good news is that CISOs' salaries are expected to go up again, to over $240,000. Raise your champagne glass to that.

Related Content:

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/3/2018 | 10:59:13 AM
Re: Excellent Post!
In 1996 I became an official Netware CNE - now an antique of course but even back then, we were taught the value of BACKUPS and RESTORE points.  Many of these 17 points are NOT NEW by any means.  Some directly threat information has to be new of course, but it amazes me that firms always "discover" something new when dealing with Ransomware or power outage.  (When Delta crashed last year, it was due to a lack of power backups in the data centers.  Oh I remember those huge HEAVY APC boxes.  This is basic stuff!!! )  And yet it is always disclosed as something new.

I still have a collection of 3.5 disks containing 1990 backup data from my old 486 system.  Having reliable backups (ransomware) is NOTHING NEW.  

 

"Those who do not learn history are doomed to repeat it"
sngs7dan
50%
50%
sngs7dan,
User Rank: Strategist
1/2/2018 | 10:33:44 AM
Which English?
You wrote in your first point: "... covering everything from how much they refinanced their home for to whether they prefer ..."

Really? is 'for to' in a programming language? Where was/is your editor?

On a more content related level- don't you get tired of having to say the same thing over and over? If they're not listening, why keep saying it the same way?

Until someone is personally affected by a breach, the big numbers are just numbers that do not require action on their part. When they realize they're wrong, it's already too late!

Personally, I've been breached so many times (OPM, Yahoo, Equifax, etc.), these actions feel like trying to close the barn door after the horses are stolen.

We need an alternative to using the Social Security Number and to de-escelate it from PII and regard it as the 'publicly available' information it already is. The U.S. needs to stop being the wild west cowboy and grow up into a recognition that corporations do not recognize 'individual responsibility'. Laws need to be revised accordingly.

In order to revise the laws, we need a massive turnover in Congress. In order to have a massive turnover in Congress, we need a new grass roots effort much more mainstream and more potent than the Tea Party has been for the Republicans.

Sorry, just finished my coffee. I'll wake up now.
enhayden1321
50%
50%
enhayden1321,
User Rank: Apprentice
1/2/2018 | 10:32:12 AM
Excellent Post!
Many thanks to Sarah for her excellent summary of the security issues experienced in 2017! Your review as well as your suggested priorities for 2018 are a worthwhile read for every Security Professional and executive.
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-13106
PUBLISHED: 2018-08-15
Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13107
PUBLISHED: 2018-08-15
Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13108
PUBLISHED: 2018-08-15
DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13100
PUBLISHED: 2018-08-15
DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13101
PUBLISHED: 2018-08-15
Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-10-03, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.