5 Security Lessons Learned in 2016

Ringing in a More Secure 2017

Time marches on, and so does the state of cyber security. In 2016 we’ve seen cybercriminals continue to innovate. But we’ve also seen defenders continue to advance in the way they detect and mitigate attacks. As the year comes to a close, let’s take a look at five examples that demonstrate this ongoing tug of war between adversaries and defenders. The lessons we’ve learned can help us ring in a safer new year.

1. Data is being monetized in multiple ways in the same attack.

For many financially motivated cybercriminals, one of the most valuable commodities is data. However, cybercriminals can’t predict with certainty the type of data they’ll be able to access and exfiltrate. Once they have invested the time and resources to execute an attack, they want to maximize their returns. To do this, attackers are increasingly turning to blended threats, for example combining malware and ransomware, to create multiple revenue streams based on the type of data uncovered. One of the first examples was a banking Trojan called GameOver Zeus that could install CryptoLocker so that if the data uncovered couldn’t be used for fraud, the attackers could turn to extortion. A more recent example is the Pony credential-harvesting malware used in concert with the “RAA” ransomware. Other ransomware variants, such as “CryptXXX” and “Crysis,” reportedly also possess credential-stealing capabilities. Cyber hygiene practices like password and patch management along with secure, remote data backups can go a long way to thwarting these types of attacks.

2. Cybercriminals don’t act with impunity.

Capitalizing on weak attacker OPSEC, security researchers, law enforcement agencies and intelligence agencies are working together to detect, identify, observe, analyze and report on cybercriminals – ultimately leading to arrests. In September 2016, the FBI arrested two alleged members of a hacking group called “Crackas with Attitude” charged with hacking the personal Internet accounts of senior U.S. government officials as well as U.S. government systems. More recently, federal investigators in the U.S., U.K. and Europe collaborated to take down “Avalanche” – a distributed, cloud-hosting network comprised of up to 600 servers worldwide, that was rented by criminals to launch malware and phishing attacks. The agencies worked side by side with other organizations over the course of four years to understand the complex, global network, culminating in the arrest of five individuals and seizure of systems used for digital fraud.

3. Flash remains a popular vulnerability.

Exploit kits, pre-packaged software that uses vulnerabilities in software applications to spread malware, are not new to the information security community. But they remain successful in part because they exploit a large number of vulnerabilities quickly – in some cases within days of the vulnerability being written up in the National Vulnerability Database. Adobe Flash is the software most commonly targeted by exploit kits, accounting for one third of the identified vulnerabilities exploited in the most popular exploit kits. Patches are available for these vulnerabilities, and organizations should prioritize keeping their Adobe Flash software up to date.

4. Incident response capabilities are advancing.

Although data breaches are becoming more common, our response capabilities are improving. Consider the recent example of Camelot, the company that operates the U.K.’s National Lottery. The firm became aware of suspicious activity on a small portion of accounts. While cyber criminals were not able to access core systems and did not gain access to customers’ financial data, personal details in some customers’ accounts had been changed. Camelot quickly identified the unauthorized access; suspended the compromised accounts; contacted law enforcement and is working closely with them on the investigation; and communicated clearly with customers to educate them on the potential breach and corrective action. This type of responsiveness, collaboration and communication demonstrates a level of maturity and sophistication in how organizations handle incidents when they occur.

5. IoT devices – a new vulnerability.

The Mirai malware has launched some of the largest distributed denial of service (DDoS) attacks measured to date. The malware exploits weak default passwords in IoT devices (cameras, DVRs, routers, or other internet-connected devices) to gain control of such devices and create botnets. The SSHowDowN Proxy attack is another recent example of IoT devices being used for malicious purposes. This attack exploits a 12-year-old vulnerability in OpenSSH to compromise devices (satellite antenna equipment, routers, hotspots, modems, and internet-connected Network Attached Storage devices) and route bad traffic. Device manufacturers and users can both take action to mitigate such attacks, including changing passwords, patching known vulnerabilities and/or disabling SSH entirely.
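Where SSH cannot be disabled outright on a device, the settings that decide whether a guessed password yields a shell and whether a logged-in client can relay traffic through the device live in the OpenSSH server configuration. The following audit script is an added example for this article, not code from SecurityWeek, OpenSSH or any device vendor. It assumes a standard sshd_config file; the directive names are real OpenSSH keywords, and the two sample configurations are constructed for the demonstration. It also reproduces one rule practitioners often trip over: sshd keeps the first occurrence of a directive, so a hardening line appended below an earlier weak line has no effect.

```python
"""
Audit an OpenSSH server configuration (sshd_config) for settings that let an
IoT device be logged into with a guessed password or used to relay traffic.
Added example for this article, not code from SecurityWeek or OpenSSH. The
directive names are real sshd_config keywords; the sample configurations below
are constructed for the demonstration.
"""
import re

# Directive (lower-cased) -> (hardened value, why a defender cares).
CHECKS = {
    "passwordauthentication": ("no", "password logins allow default or guessed credentials"),
    "permitemptypasswords": ("no", "accounts without a password become usable"),
    "permitrootlogin": ("no", "root login over SSH hands over the whole device"),
    "allowtcpforwarding": ("no", "TCP forwarding lets any SSH client relay traffic through the device"),
}


def parse_sshd_config(text):
    """Return the effective global settings as {directive_lower: value}.

    sshd honours the FIRST occurrence of a directive and ignores later ones, so
    a fix appended to the end of the file behind an earlier weak line does
    nothing; the parser reproduces that rule. Lines inside a 'Match' block are
    conditional overrides and are not treated as the global setting here.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comment and blank lines
        if not line:
            continue
        # Accept both 'Keyword value' and 'Keyword=value' forms.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)       # first occurrence wins
    return settings


def audit(text):
    """Return a list of findings (directive, observed, expected, reason).

    A directive that is not set explicitly is reported as well: default values
    differ between OpenSSH versions and vendor firmware builds, so a device
    hardening baseline should state each of these settings outright.
    """
    settings = parse_sshd_config(text)
    findings = []
    for key, (expected, reason) in CHECKS.items():
        observed = settings.get(key, "<not set>")
        if observed.lower() != expected:
            findings.append((key, observed, expected, reason))
    return findings


# Constructed: a config of the kind that ships with device firmware. The
# appended 'PasswordAuthentication no' has no effect because of the earlier line.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
# added later by an admin; sshd keeps the first occurrence above
PasswordAuthentication no
"""

# Constructed: the hardened counterpart. Key-based auth only, no root, no relay.
# The Match block is a scoped exception and does not change the global setting.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding=no
Match User backup
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, observed, expected, reason in findings:
            print(f"  {key}: {observed!r}, expected {expected!r}: {reason}")
```

Run against a device's real sshd_config, the weak sample yields four findings (including the unset PermitEmptyPasswords) and the hardened sample none. Treating an absent directive as a finding is a deliberate choice: on embedded builds the compiled-in defaults are not something a fleet owner should have to know.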

As these observations from 2016 reveal, attacks are evolving and advancing, but organizations are as well. It pays dividends to reflect on the past so we can see how far we’ve come and what we can learn to help make 2017 a happy new year for defenders.
