Was 2015 the Year of Breach Fatigue?

In 2014, we consumers were beset with news of breaches at eBay, Home Depot, and J.P. Morgan Chase. By designating 2014 as “The Year of the Mega-Breach,” the security community had hoped to bring awareness to the challenge of protecting customer data. But it turns out that the breaches of 2015 make the previous year’s ones pale in comparison.

There were a crazy number of high-profile breaches in 2015. Combined with the previous year’s, there are so many that perhaps we’ve become inured to them, even when it is our own data at risk. Have we reached the apex of breach awareness and are now descending into a trough of breach fatigue? What can we, as the security community, and we, as consumers, do about all the breaches? I have suggestions for both, but first, let’s look back at 2015’s greatest hits.

Premera Blue Cross hits home.

This one hit home when I received a letter that said my son’s PII had been taken by unknown assailants during the breach of Blue Cross Blue Shield. When my PII is stolen I just shrug it off, but the letter made me feel guilty. As a member of the security community, wasn’t I supposed to be making sure that this didn’t happen to innocents like my son? Another healthcare provider, Anthem, lost 80 million records to attackers. 80 million! The population of North America is only 500 million.

Was Office of Personnel Management (OPM) the Breach of the Year?

Measured by relevance, the OPM data breach, which impacted 21.5 million people, was likely the top breach of 2015. OPM breach victims could be at risk for decades to come, depending on who got the data. I asked an OPM victim and colleague who has top-secret clearance what he thought of the OPM breach. “I’m so compromised, it’s ridiculous. You know how sites do password recovery with questions like ‘What street did you live on?’ or ‘What was your mother’s maiden name?’ The OPM breach exposed all of that.” My colleague prefers to remain unnamed, which is kind of funny because he is literally looking into legally changing his name. He’s already investigating how hard it would be to change his social security number. He says it doesn’t look easy. The best possible case for my friend as a consumer is that a nation-state really was behind the OPM hack, and that his credentials aren’t being used against him by common Internet fraudsters.

Two Words: Ashley Madison.

Once synonymous with infidelity, the two words “Ashley Madison” are now synonymous with a cavalier attitude toward customer data. For obvious reasons, the operators of Ashley Madison should have had a better security posture than a typical web site. But they didn’t, and now thousands of lives are being shattered.

Security companies breached: Hacking Team, Kaspersky, and LastPass.

Speaking of security-minded sites: Italian cyber-security consultancy Hacking Team was breached, as was LastPass, maker of a password-management tool. Kaspersky Lab revealed that it had found the digital footprints of a nation-state in its own network.

If Kaspersky can’t keep intruders out, can anyone? Many people (with the exception of my OPM friend) seem to have even stopped caring about all the breach notifications. I’ve received four free credit reporting compensation prizes in the last two years. Only the first one makes any sense. What am I going to do with three more?

It’s hard to see how the breach situation could get much worse. Victims of the recent breaches are reporting an increase in targeted spear phishing attacks.

So what can the security community do? Stopping breaches is hard. Like, really hard. Everyone wants to encrypt data at rest, but that’s easier said than done. Automated systems still need to access the data, so you get an explosion of passwords stored all over the place. Plus, encrypted data becomes much harder to index.

Most organizations are investing (and should continue to invest) in three areas instead:

• Anti-hacking systems such as IDS/IPS and web application firewalls

• Operational training for administrators, and security training for users

• Regular evaluations via DAST and red teams

Consumers can improve their security posture as well. The first and easiest step is to check whether your personal information has turned up in any of the breach data. Troy Hunt’s site does this for you. He can even notify you if he ever sees your email address in a future breach.

The second, and most obvious, step is to practice proper password hygiene. At the very least, use different passwords for high-value accounts. Use two-factor authentication for very high-value accounts.

As we enter the new year, pessimists will be wondering if the escalation from 2014 to 2015 is any trend at all, and whether 2016 could be even worse. The optimists among us will hope that we’ve seen the worst of the breach epidemic.

David Holmes, CISSP, is a security researcher and a low-rent technical evangelist. He has a background in cryptography, application security, architecture, and development. He has spoken at more than 50 conferences, including RSA, InfoSec Europe, the Australian CyberSecurity Conference, and Gartner Data Center. He researches and writes regularly about cryptography, the Internet of Things, malware, policy, vulnerabilities, technical solutions, and the security industry in general as an expert contributor at SecurityWeek. Holmes studied Computer Science and Engineering Physics at the University of Colorado at Boulder and has awards from Toastmasters International. On Twitter he is @capmblade.