
Top Cybersecurity Headlines of 2014

Data breaches, dangerous vulnerabilities and more dominated the headlines this year in cybersecurity.


Looking back, the year produced a number of juicy stories for those keeping an eye on the threat landscape. Here are a few of the security stories and topics that dominated headlines and discussions during the year. In no particular order:

1) Point-of-sale (PoS) security: The security of PoS systems was spotlighted after a spate of data breaches prompted the U.S. Secret Service and US-CERT to issue warnings about the now-notorious Backoff malware. The Secret Service linked the malware to the compromise of more than 1,000 businesses in the United States. As the year went on, hackers would use various malware not only to target retailers, but in some cases the PoS vendors themselves. The emphasis on these systems caused security experts to talk more about securing these devices.

2) Heartbleed Vulnerability: The Heartbleed vulnerability was disclosed in April, and resided in vulnerable versions of the OpenSSL cryptographic library. The vulnerability is a buffer over-read that results from improper input validation in the implementation of the TLS heartbeat extension. After news of the issue spread, the vulnerability was linked to attacks against various organizations, including the Canada Revenue Agency and Community Health Systems. Part of this was likely due to the multiple steps involved in actually closing the security hole, which involved not only patching the vulnerability but also revoking and reissuing any potentially compromised SSL/TLS certificates.


3) Shellshock: Shellshock was the name given to a family of security bugs affecting the Unix Bash shell. Many Internet-facing services use Bash to process certain requests, which in turn meant that an attacker could execute arbitrary commands and gain unauthorized access to a system. The first of these bugs (CVE-2014-6271) was disclosed in September, and causes Bash to unintentionally execute commands when the commands are concatenated to the end of function definitions stored in the values of environment variables. Within days of this issue becoming public, a host of related vulnerabilities were found: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.

4) Target Breach Fallout: First announced in December 2013, the fallout from the Target breach extended well into 2014. During the year, both company CEO Gregg Steinhafel and CIO Beth Jacob stepped down and were replaced. In the end, data belonging to tens of millions of people is believed to have been affected. In response to the situation, the retail giant said that beginning in early 2015, its entire REDcard portfolio, including all Target-branded credit and debit cards, would be enabled with MasterCard’s chip-and-PIN solution. Eventually, all of Target’s REDcard products will be chip-and-PIN secured, the company stated.

5) Sony: Due to the international implications of the attack, the Sony Pictures data breach makes the list. In addition to the theft of mountains of corporate data – some of which included emails with controversial remarks about celebrities and the president of the United States – the attackers also used malware to wipe Sony’s hard drives and disrupt day-to-day operation. Earlier this month, the FBI pointed the finger at North Korea, and President Barack Obama promised that there would be a proportional response to the attack. Following this, North Korea experienced Internet outages its government has subsequently blamed the United States for. Meanwhile, researchers at Norse have cast doubt that North Korea was involved in the attacks at all.
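To make the Heartbleed description in item 2 concrete, here is an added example (not from the article and not OpenSSL's code) that simulates the heartbeat length check on an in-memory buffer. The function names, the `SECRET` placeholder and the constructed requests are assumptions made for the illustration; the message layout and 16-byte minimum padding follow RFC 6520.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 padding bytes

# Constructed stand-in for whatever sits in memory after the received record
# (a labelled placeholder, not a real key).
SECRET = b"PLACEHOLDER-PRIVATE-KEY-BYTES"

def build_request(payload, claimed_len=None):
    """Constructed test input: type, 2-byte payload length, payload, padding.
    claimed_len lets the length field disagree with the real payload size."""
    n = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, n) + payload + b"\x00" * MIN_PADDING

def respond_unchecked(memory, record_len):
    """Pre-fix behaviour: the length field is trusted and record_len is ignored."""
    _msg_type, claimed = struct.unpack_from("!BH", memory, 0)
    echoed = memory[3:3 + claimed]  # can run past the end of the record
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed

def respond_checked(memory, record_len):
    """Hardened: silently discard a message whose claimed payload cannot fit."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None
    msg_type, claimed = struct.unpack_from("!BH", memory, 0)
    if msg_type != HB_REQUEST or 1 + 2 + claimed + MIN_PADDING > record_len:
        return None
    return struct.pack("!BH", HB_RESPONSE, claimed) + memory[3:3 + claimed]

def demo():
    """Run both responders on a well-formed and a malformed constructed request."""
    records = {
        "honest": build_request(b"ping"),
        "lying": build_request(b"ping", claimed_len=4 + MIN_PADDING + len(SECRET)),
    }
    results = {}
    for name, record in records.items():
        memory = record + SECRET  # record followed by unrelated data
        results[name] = (respond_unchecked(memory, len(record)),
                         respond_checked(memory, len(record)))
    return results

if __name__ == "__main__":
    for name, (unchecked, checked) in demo().items():
        print(name, "unchecked:", unchecked, "checked:", checked)
```

The unchecked responder echoes the placeholder back for the malformed request, which is why the article notes that remediation meant reissuing certificates as well as patching.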
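For the Shellshock description in item 3, the following added example (not from the article) is a detection heuristic that flags environment values shaped like Bash function definitions and reports any text that follows the function body. The function names, verdict labels and the sample CGI environment are constructed for the illustration; the brace matching is deliberately simple and does not model shell quoting.

```python
# Bash releases before the September 2014 patches treated an environment
# value beginning with "() {" as an exported function definition.
FUNC_PREFIX = "() {"

def trailing_after_function(value):
    """Return the text after the function body, "" if there is none,
    or None if the value is not function-shaped at all.
    Heuristic: counts braces only; quoting inside the body is not modelled."""
    if not value.startswith(FUNC_PREFIX):
        return None
    depth = 1
    for i in range(len(FUNC_PREFIX), len(value)):
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].strip().lstrip(";").strip()
    # Body never closed: report everything after the prefix as suspicious.
    return value[len(FUNC_PREFIX):].strip()

def scan_environment(env):
    """Map variable name -> verdict for every function-shaped value."""
    findings = {}
    for name, value in env.items():
        tail = trailing_after_function(value)
        if tail is None:
            continue
        findings[name] = "trailing-commands" if tail else "function-definition"
    return findings

# Constructed sample: a CGI-style environment built from request headers.
SAMPLE_ENV = {
    "HTTP_USER_AGENT": "() { :; }; echo CONSTRUCTED-MARKER",
    "HTTP_REFERER": "() { return 0; }",
    "HTTP_COOKIE": "session=abc123",
    "PATH": "/usr/bin:/bin",
}

if __name__ == "__main__":
    for name, verdict in scan_environment(SAMPLE_ENV).items():
        print(f"{name}: {verdict}")
```

A function-shaped value arriving in a variable derived from request data is worth an alert on its own; the "trailing-commands" verdict marks the pattern the article describes for CVE-2014-6271.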

In 2015, opined Rapid7 Global Security Strategist Trey Ford, companies should: 1) institute strong password policies; 2) use two-factor authentication for all external access; 3) frequently inventory, assess, and test controls to raise confidence that policies are enforced across the network; and 4) deploy account behavior monitoring and intruder detection to catch attackers that slip through.  

“The technology needed to improve controls, and to better protect and monitor the use of user and administrative accounts exists today,” he said. “Given the lower barrier to entry for, and the strong economic forces and diverse motivations behind cyber-attacks, we expect attacks against organizations of all sizes and industries to increase in 2015.”


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
