Recent figures from Gemalto’s Breach Level Index for the first half of 2017 show a troubling trend and suggest that data breaches are increasingly pervasive and the volume of impacted records is rising in sync. A total of 918 data breaches resulted in the compromise of 1.9 billion data records worldwide in the first half of 2017, with the number of lost, stolen or compromised records up 164% from the second half of 2016. The US remains home to an overwhelming majority of data breaches.
It is safe to say that the data theft at the credit reporting agency Equifax stole the show in ‘standalone’ data breaches this year. The Equifax hack, truly a tale of woe for all its victims, along with the firm’s bungling of ‘picking up the pieces’ after discovering the incident, highlighted general concerns about data handling and privacy.
While not necessarily the largest in terms of records compromised, Equifax’s ‘mother of all breaches’ in 2017 was notable for the kind of information exposed. Indeed, data breaches may be a sad fact of digital life, but it’s not every day that information such as the social security numbers of one in every two Americans is stolen.
That is, unless we consider “the mother lode of all leaks”, in which data-analytics firm Deep Root Analytics accidentally leaked personal information on 198 million American voters halfway into this year, in what is believed to be the single biggest leak of voter records worldwide. A mere few days ago, it emerged that US citizens were ‘treated’ to another leak of sensitive information, this time impacting 123 million American households.
Meanwhile, Yahoo, which isn’t new to dropping bombshells, admitted in October that one of its two massive breaches – back in August 2013 – affected all three billion user accounts on the service, rather than the previously disclosed one billion accounts. The access credentials exposed can be used for large-scale automated attacks called ‘credential stuffing’, in which miscreants leverage names and passwords belonging to one account in order to invade the same user’s other account(s), notably in banks, given the well-known penchant of netizens for re-using their passwords for many accounts.
The importance of plugging security holes was also made clear this year, as many of the worst incidents would have been prevented, had the systems been patched and had proper security practices been followed. A number of vulnerabilities came under scrutiny this year, but none had as lasting an impact as those exploited by threat actors who co-opted the batch of tools developed by the NSA and stolen and leaked by Shadow Brokers.
Another fundamental vulnerability to grab headlines this year – although not for being widely exploited – concerned the WPA2 encryption protocol. ‘KRACK’ or Key Reinstallation AttaCK – which has since the disclosure in October been patched across all major platforms – enabled third parties to eavesdrop on network traffic as long as they were within range of the victim’s Wi-Fi. As a result, private conversations might have no longer been so private in some circumstances.
Various implementations of the Bluetooth standard grappled with their own potentially high-impact set of flaws that put the users of almost all operating systems at risk. In September it surfaced that pretty much any Bluetooth-enabled device that hadn‘t been recently patched could be taken over, even if not paired with the hacker’s device.
As more and more devices, primarily from the IoT arena, are being connected to the internet, the attack surface is expanding at an alarming rate. And so do holes in security: reported vulnerabilities in 2017 more than doubled over those reported in 2016.
Critical infrastructure in critical danger?
The critical infrastructure ecosystem has been revealed as an orchard abundant in low-hanging fruit, as fundamental weaknesses kept coming to light this year. The urgency of threats faced by key infrastructure was laid bare again just a few days into 2017, as researchers concluded that a power outage that had caused an hour-long blackout in parts of and outside the Ukrainian capital of Kiev on December 17, 2016, had been caused by a cyberattack.
ESET researchers later dived deep into samples of malware detected by ESET as Win32/Industroyer only to conclude that the malicious code had most probably been used in the December 2016 incursion. Courtesy of its highly customizable nature – along with its ability to persist in the system and to provide valuable information for fine-tuning the highly configurable payloads – the malware can be adapted for attacks against any environment, making it extremely dangerous.
The December 2016 attack was reminiscent of a similar, but much bigger cyberattack-induced power outage on 23 December 2015. That one left around half of the homes in the Ivano-Frankivsk region, populated by 1.4 million people, without electricity for several hours, in a first-of-its-kind attack that leveraged malware known as BlackEnergy.
ESET Senior Malware Researcher Robert Lipovský has voiced concern that Ukraine may serve as a blueprint for refining attacks on critical infrastructure that could be unleashed in other parts of the world. “The relatively low impact of December 2016’s blackout stands in great contrast to the technical level and sophistication of the suspected malware behind Industroyer,” he stated.
In October, the US government issued a rare public warning that “since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks”.
In a “watershed cyberattack” disclosed earlier this month, threat actors recently used malware called Triton to take out the safety system of an industrial plant in the Middle East, resulting in the halting of the facility’s operations. While this was the first report of a safety system compromise at a critical infrastructure facility, the incident brought back memories of Industroyer and Stuxnet.
Meanwhile, the health care sector remains ailing as far as its own cyber-defenses are concerned. It has for long been a juicy target, not least because it stores a variety of sensitive personal records that often need to be accessed quickly.
Just how much havoc can be wrought by a cyberattack at health care facilities, regardless of whether it is targeted or not, was best exemplified by the damage that WannaCryptor inflicted on the United Kingdom’s National Health Service (NHS). The assault is claimed to have hobbled one in three NHS organizations in England. As a result, 19,500 medical appointments were cancelled, computers at 600 GP surgeries were locked, and five hospitals had to divert ambulances elsewhere.
It was later announced that the NHS would receive a shot in the arm worth £20 million with an eye to boosting its immunity from similar incursions. In some ways, this represents a departure from the long-term trend in the industry, which in general has been incorporating more and more devices, each linked with confidential information and in many cases IoT functionality, while security and privacy have, as usual, remained an afterthought.
With 2017 now almost in the rear view mirror, the dictum that even the best security can be outflanked by the weakest link in the security chain still holds true for cyberspace. As has been repeated ad nauseam – and even though it may not necessarily be applicable in all incidents – the human factor is usually the soft underbelly. Which is actually where high-profile attacks and breaches help as, among other things, they highlight vulnerabilities in the ways in which our personal information is handled. More broadly, the current threatscape lays bare the perils of our reliance on assailable technology and is a reminder of just how vital cybersecurity is amid the convergence of our digital and physical worlds.
Before we close the books on 2017, we have many lessons to derive from the events of the past 12 months as an undoubtedly hectic 2018 beckons. As increasing proportions of our lives take place in the online realm – and often with scant awareness on our part at that – the urgency of protecting our digital lives is now greater than ever. For starters, we need to give ourselves the opportunity to stay ahead of miscreants, who are innovating with alacrity and stand ready to exploit any weakness. We would be remiss in thinking that ‘it can’t happen to me’. Instead, learning from mistakes made by others—before those same mistakes are exploited against us—goes a long way towards maintaining and improving our defenses. That way, we lessen the likelihood that cyber-insecurity becomes an ongoing and undiagnosed problem that may come back to bite us and erode the value of not only our digital life, but our physical being as well.
Author Tomáš Foltýn, ESET