Was 2015 the Year of Breach Fatigue?

In 2014, we consumers were beset with news of breaches at eBay, Home Depot, and J.P. Morgan Chase. By designating 2014 as “The Year of the Mega-Breach,” the security community had hoped to bring awareness to the challenge of protecting customer data. But it turns out that the breaches of 2015 make the previous year’s ones pale in comparison.

There were a crazy number of high-profile breaches in 2015. When combined with the previous year’s, there are so many that perhaps we’ve become inured to them, even when it is our own data at risk. Have we reached the apex of breach awareness and are now descending into a trough of breach fatigue? What can we, as the security community, and we, as consumers, do about all the breaches? I have suggestions for both, but first, let’s look back at 2015’s greatest hits.

Premera Blue Cross hits home.

This one hit home when I received a letter that said my son’s PII had been taken by unknown assailants during the breach of Blue Cross Blue Shield. When my PII is stolen I just shrug it off, but the letter made me feel guilty. As a member of the security community, wasn’t I supposed to be making sure that this didn’t happen to innocents like my son? Another healthcare provider, Anthem, lost 80 million records to attackers. 80 million! The population of North America is only 500 million.

Was the Office of Personnel Management (OPM) the Breach of the Year?

In terms of relevance, the OPM data breach, which impacted 21.5 million people, was likely the top breach of 2015. OPM breach victims could be at risk for decades to come, depending on who got the data. I asked an OPM victim and colleague who has top-secret clearance what he thought of the OPM breach. “I’m so compromised, it’s ridiculous. You know how sites do password recovery with questions like ‘What street did you live on?’ or ‘What was your mother’s maiden name?’ The OPM breach exposed all of that.” My colleague prefers to remain unnamed, which is kind of funny because he is literally looking into legally changing his name. He’s already investigating how hard it would be to change his social security number. He says it doesn’t look easy. The best possible case for my friend as a consumer is that a nation-state really was behind the OPM hack, and that his credentials aren’t being used against him by common Internet fraudsters.

Two Words: Ashley Madison.

Once synonymous with infidelity, the two words “Ashley Madison” are now synonymous with a cavalier attitude toward customer data. For obvious reasons, the operators of Ashley Madison should have had a better security posture than a typical web site. But they didn’t, and now thousands of lives are being shattered.


Security companies breached: Hacking Team, Kaspersky, and LastPass.

Speaking of security-minded sites: Italian cyber-security consultant Hacking Team was breached, as was LastPass, the makers of a password-retention tool. Kaspersky Lab revealed that they found digital footprints of a nation-state in their network.

If Kaspersky can’t keep intruders out, can anyone? Many people (with the exception of my OPM friend) seem to have even stopped caring about all the breach notifications. I’ve received four free credit reporting compensation prizes in the last two years. Only the first one makes any sense. What am I going to do with three more?

It’s hard to see how the breach situation could get much worse. Victims of the recent breaches are reporting an increase in targeted spear phishing attacks.

So what can the security community do? Stopping breaches is hard. Like, really hard. Everyone wants to encrypt data at rest, but that’s easier said than done. Automated systems still need to access the data, so you get an explosion of passwords stored all over the place. Plus, encrypted data becomes much harder to index.

Most organizations are instead investing (and should continue to invest) in three areas:

• Anti-hacking systems such as IDS/IPS and web application firewalls

• Operational training for administrators, and security training for users

• Regular evaluations via DAST and red teams

Consumers can improve their security posture as well. The first and easiest step is to check to see if your personal information has been found in any of the breach data. Troy Hunt’s site haveibeenpwned.com does this for you. He can even notify you if he ever sees your email address in the future.

The second, and most obvious, step is to use proper password hygiene. At the very least, use different passwords for high-value accounts. Use two-factor authentication for very high-value accounts.

As we enter the new year, pessimists will be wondering if the escalation from 2014 to 2015 is any trend at all, and whether 2016 could be even worse. The optimists among us will hope that we’ve seen the worst of the breach epidemic.
