Even if you didn’t follow the cyber security news this year, it was hard to miss the headline-making breaches at Sony and widespread vulnerabilities like Heartbleed.
As more news is released about the megahack of Sony Pictures Entertainment, it’s becoming clear this attack is different in scale from the attacks companies experienced just a few years back. The malware used to attack Sony didn’t steal data for profit; it was used as a cyberweapon to defame the company and disrupt its operations. But it was just the culmination of a year when 43% of companies experienced some kind of breach.
The year began inauspiciously with news that the Target breach over the Black Friday shopping period in 2013 was even more widespread than initially thought, impacting 70 million customer credit and debit card numbers. That breach helped decrease Target’s quarterly profit by 46% in Q4 2013. Months after the breach stopped, the company estimated its costs in Q2 2014 alone would reach $148 million. In March, the company’s CIO Beth Jacobs resigned, and her departure was followed just 2 months later by the resignation of CEO Gregg Steinhafel. If the security of company data was once relegated to the IT security team, no doubt it’s now top of mind for the CIO, CEO, and board of directors.
The challenge facing companies and organizations today is this: attackers are constantly attempting to breach your systems, and they only have to be successful once to compromise sensitive data. Meanwhile, your IT security team has to be successful every single day to prevent a damaging breach. The groups attacking your company are increasingly sophisticated and well-funded, and include nation-backed groups, criminal organizations, and terror groups. Perhaps the most dangerous are groups motivated by profiting from stolen data.
While hacking was once a hobbyist pursuit, it’s now big business. The market for stolen credit cards is estimated to be $680 million annually in former Soviet countries alone and now features sophisticated wholesalers and online trading platforms. The emergence of cryptocurrencies like Bitcoin is facilitating these transactions, as attackers who steal card numbers are one element in a supply chain providing these cards to other organizations that make fraudulent purchases. This marketplace is rapidly evolving. There’s now commercially available software known as Voxis that automates the process of making fraudulent charges on thousands of stolen cards. The technology emulates human behavior, making charges that are more difficult for banks to detect. Taken together, it’s easier than ever before for a small team to successfully carry out and profit from cybercrime.
For years, nation states have waged quiet campaigns in cyberspace. The best-known example is the Stuxnet worm developed by the US and Israel and deployed in 2009 against nuclear facilities in Iran. Until recently, nation states were the only ones capable of launching sophisticated attacks leveraging multiple zero-day vulnerabilities. Increasingly, independent cybercrime groups are becoming as sophisticated as countries. It’s now believed there are 20 to 30 cybercrime organizations with nation-state-level capabilities operating in former Soviet countries alone. And there’s a thriving black market for zero-day vulnerabilities. While your credit card number may only be worth $10 on the black market, zero-day vulnerabilities can fetch as much as $1 million.
As the machinery of the world’s criminal organizations focuses its energy on identifying and exploiting software vulnerabilities, more vulnerabilities were uncovered in 2014 than in any previous year. By the time of this article, there have already been 7,473 new vulnerabilities discovered in 2014 and catalogued in the NIST CVE database. So many vulnerabilities are discovered each year that NIST plans to reformat its numbering system to accommodate the increased volume, moving from a 4-digit to a 5-digit unique identifier. These vulnerabilities impact every major platform, from Windows to Mac OS X, Android to iOS. Since you don’t know about these vulnerabilities until they’re made public, criminals exploit them to attack your company’s infrastructure without being detected.
Out of the new vulnerabilities publicly disclosed this year, 24% of them are rated at high severity. The biggest vulnerabilities of 2014 had a wide impact on the most commonly used operating systems and Internet infrastructure, and they are increasingly being given nicknames that are known outside security circles.
For a full look at the top vulnerabilities and breaches of 2014, check out the slideshare below.
The best-known vulnerability of the year transcended its official designation CVE-2014-0160 and became a household name. Heartbleed impacted OpenSSL, a critical piece of infrastructure used to secure 17.5% of all SSL-protected websites on the Internet including Yahoo!, Facebook, GitHub, Amazon Web Services, and Instagram. Even 24 hours after Heartbleed was publicized, 368 cloud providers were still vulnerable to the bug. Heartbleed was damaging not just because it was so widespread, but because it was also easy to exploit. And the exploit left little or no trace in the server logs of compromised systems. To date, the Canada Revenue Agency experienced the largest reported breach due to Heartbleed. Other attacks may not have been disclosed or even known by the target organizations.
Given the new threat environment, a flood of venture funding is backing startups developing new technologies to protect companies’ and individuals’ sensitive data. Technology alone is not enough. The Target breach provides a clear example that people and process are also key elements of a successful cyber defense. In the case of Target, their security solution correctly detected the breach in progress, but Target did not follow up on the alert. Robust governance and oversight are just as important as security technology.
As companies move their technology stack to the cloud, the security of corporate data stored in cloud services is a high priority. According to a recent Cloud Security Alliance survey, security of data in the cloud is now an executive-level and board-level concern at 61% of companies. If there’s an upside to the news this year of vulnerabilities and breaches, it’s that CIOs are becoming more involved in the day-to-day security operations of the company. With increased oversight from the executive team and board, IT is learning new skills in communicating the company’s threats and security posture to non-technical leaders across the company. There’s every reason to expect 2015 will have as many vulnerabilities and threats, but companies are also becoming better prepared to defend against these attacks.