Data Security 2015 – Year in Review

Not everyone goes for the whole New Year’s Resolution thing, but in lieu of springing for a new gym membership, organizations worldwide might want to consider making a concerted effort in 2016 to improve their IT security practices. The divide between what affects only data and what affects the physical world has been blurring in recent years, and upon reflection, as this year draws to a close, 2015 really carried that trend to its peak so far. Cyber attacks, data breaches, and other incidents struck many corners of the web across a wide range of industries. I hate using old clichés, especially alarmist ones, but…sigh, ‘no one was safe’. The result was a motley collection of figures making cybersecurity headlines: Ross Ulbricht, of Silk Road infamy, went to jail for life; Ashley Madison users got a big headache; VTech was lax in protecting children’s identities; and Bitcoin exchange wallets in China and Japan were raided by cyber thieves in the last two years, for $1.75 million and $450 million respectively, among others.

The year kicked off with the biggest health care breach to date, when Anthem was targeted, supposedly by Chinese state-sponsored hackers. Other targets, like Excellus and Premera, were struck in the following months. Given the longer shelf life of health care data like Social Security numbers, medical records and financial information, the industry’s attractiveness to cyber thieves is unlikely to diminish in 2016; the Anthem breach should be a wake-up call for providers and hospitals everywhere, the health care vertical’s equivalent of the Target breach. Likewise, the attack against the U.S. Office of Personnel Management put a high-profile spotlight on the substantial shortcomings of security practices at the federal level. The exfiltration exposed personal data of millions of government employees, military personnel and government contractors, and it was once again believed to have been the work of Chinese hackers targeting those people for intelligence purposes. Compared to the OPM breach, the IRS Transcript Service attack, affecting 100,000 people, may have looked small, but it still exposed a dangerous vulnerability in legitimate services like the IRS’ Get Transcript, through which thieves could obtain detailed confidential information.

Our transportation services were also shown to be increasingly at risk when white-hat hackers demonstrated exploits, in over a million Chrysler vehicles among others, that gave them remote control of the car. If that weren’t dangerous enough, hackers disrupted the IT systems of LOT Polish Airways, which led to canceled flights and grounded passengers. United Airlines was also targeted, with attackers obtaining passenger records. The prospect of hackers taking control of a plane’s onboard systems is worrisome, although those are usually locked down.

Meanwhile, a common theme of 2015 was a strong government push for those in the tech industry, such as device manufacturers, to install backdoors in their phones and tablets for use by law enforcement and intelligence agencies, seemingly ignorant of, or apathetic to, the fact that such an entry point can be abused by any competent hacker regardless of its intended purpose. Juniper Networks proved a case in point when its NSA backdoor was repurposed to decrypt VPN traffic simply by changing a few bytes of code. Whether or not the government learns from this will be for 2016 to decide.

In many of these incidents, social engineering played a crucial role in allowing the hackers to infiltrate an organization: latching on to a duped employee, then piggybacking on that formerly healthy host into the network for a variety of nefarious purposes. Security awareness training has already begun in many organizations, and it should continue to be rolled out as a preventative tool in 2016, alongside encryption and multifactor authentication, to name a couple.

Here’s hoping that becomes a widely adopted resolution, and 2016 is a safer year online than the last.

By: Jonathan Weicher