7 Bugs, Breaches, & Compromises To Rock 2015 (So Far)
The year's started off with a bang; will we hear risk management pros whimper?
March 30, 2015
Just a few days into the year, news hit that financial investment firm Morgan Stanley had fired a wealth advisor who accessed data on about 10 percent of its client roster. While only 900 of these clients had their details posted publicly, the incident offered evidence of why insider threats are so important to consider when assessing IT risk.
A report out in February showed how a Chinese hacking group -- which researchers with iSIGHT Partners and Invincea call Codoso Team -- was able to chain an Adobe Flash vulnerability with a bypass of Microsoft's ASLR protection in Internet Explorer to turn Forbes.com's Thought of the Day widget into a malicious vector for drive-by download attacks.
Car-for-hire upstart Uber came under fire this month over the way it handled a fairly routine database breach that exposed personal details about its drivers. The breach exposed names and license plate numbers of 50,000 current and former drivers back in May 2014. The beef that privacy pundits have? Uber discovered the suspicious activity in September and took over five months to notify the affected individuals.
A little over a month after Anthem, the healthcare industry showed its security seams again with the announcement from Premera Blue Cross that an attack against it left 11 million customers potentially exposed. As researchers dug into the attack, they began making connections with Anthem and other smaller exposures, such as the ones against LifeWise and Advantage Dental, suggesting the possibility of an industry-wide campaign.
The year started off with a breach bang, when Anthem dropped the bomb in early February that it had been the victim of a deeply penetrating attack that compromised over 80 million records. As the facts have come out, it's been posited that this attack may well be part of a large-scale campaign targeting healthcare organizations.
While data breaches and IP theft typically steal the headlines, the massive attack against GitHub late last week and over the weekend offers a good lesson in why reducing the risk of denial of service attacks should be on the radar of any security team. The software collaboration and open source code sharing service reported on Thursday that it was experiencing the largest DDoS attack in its history, and ongoing status updates showed it took days to completely mitigate the onslaught, which used a number of attack vectors, including "some sophisticated new techniques that use web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic."
We've only gotten through a single financial quarter and already 2015 is on pace to be a doozy of a breach year. With a pair of the biggest healthcare breaches on record, along with some eye-opening compromises and continued examples of zero-day exploits and DDoS attacks, the year to date shows that CISOs and risk officers still have a lot of work to do in order to mitigate IT risks to their organizations.