Destiny Bertucci: Head Geek, SolarWinds
Data breaches are not a new phenomenon by any stretch, but last year we had some very high profile cases that we should all take heed of. Constant technological advancements, growing business demands and increasing prevalence of tools such as machine learning combined with growing hacker expertise are making attacks more sophisticated, harder to detect and unpredictable.
It’s important to remember that securing your infrastructure and data should be a focal point for both you and your IT department. Just last March the chairman of ASIC, Greg Medcraft said Australian companies faced a “frightening” number of potential cyber-attacks, highlighting it as an enormous problem now and in the future. There’s perhaps no better evidence of this fact than taking a look at some of the most prominent security incidents of the last year, which ended up being a very eventful year in cybersecurity.
Learning from mistakes: some of the Biggest Data Breaches of 2016
Red Cross Blood Service
Last October over one million personal and medical records of Australian citizens donating blood were exposed online. This became Australia’s biggest data breach in history. Donor records plus personal details were revealed going back as far as 2010 and published on a public website with. The information was available online for over a month and impacted over 550,000 individual donors. The breach was not detected and found by an anonymous source.
Yahoo! (Part 1)
In September 2016, Yahoo! ® announced that in late 2014, it had fallen victim to a data breach that resulted in the loss of at least 500 million accounts. At the time, this was the largest breach of a single site in history. Stolen information included e-mail addresses, passwords, full user names, dates of birth, and telephone numbers.
Yahoo! (Part 2)
Less than three months after disclosing its first data breach, Yahoo! announced a second breach that was discovered while investigating the 2014 breach. The second reported breach took place in 2013, and may have compromised over 1 billion Yahoo! accounts and associated personal data—a breach three times as big as all major retail breaches in the past decade combined. Authorities are still investigating how the 2013 breach was achieved. In the meantime, all Yahoo! users have been encouraged to change their account password, as well as any other online accounts with the same login credentials, and switch to Yahoo! Account Key, a tool that authenticates a user’s identity with a mobile phone rather than a password.
Snapchat
Early in 2016, Snapchat® revealed that its stored information regarding current and past employees had been compromised in a phishing incident. This announcement came just two years after a massive amount of their data was leaked in late 2013. A hacker posed as Snapchat CEO, Evan Spiegel, and requested sensitive information like Social Security numbers and payroll information. Unfortunately, the Snapchat internal security system and employees were both unable to detect the scam until the information had been shared. After reporting the incident to the FBI, Snapchat was able to regain control of its employee data.
Cisco
Imagine merely applying for a job and then suddenly finding yourself the potential victim of a data breach. That’s exactly what happened in late 2016, after an incorrect security setting on the mobile version of Cisco’s Professional Careers website created a privacy hole that exposed the personal information of job seekers. The security vulnerability exposed sensitive data including names, addresses, emails, phone numbers, usernames, passwords, answers to security questions, resumes, and cover letters. In response, Cisco® said it reset user passwords and disabled the ability to access the site via security questions.
LinkedIn and Myspace
The 2016 LinkedIn® breach expanded on the 6.5 million encrypted passwords that were exposed and posted online after a breach in 2012. The more recent attack allegedly included 167 million LinkedIn accounts. The problem was extremely pervasive, as not only did LinkedIn’s outdated security policy mean the encrypted passwords were easier to unscramble, but many end-users often reuse passwords, thus offering attackers potential access to much more sensitive data.
Just one week later, it was revealed that 360 million user emails and passwords were stolen from MySpace®.
What should I do?
Despite these incidents, it’s important for IT professionals to think of the best practices that, when applied alongside knowledge of recent security trends and attacks, will help bring you one step closer to a safer internet every day. These include:
- User education – a main goal for ITPros, if staff don’t understand the risks of phishing and social engineering scams and the impact then they are your weakening link
- Plan and document security policies and rules
- Institute an incident response plan
- Employ an arsenal of tools to monitor and help prevent attacks in real-time, including anti-malware, data loss prevention, security information and event management (SIEM), and patch management
- Know the baseline normal performance across your environment; set up alerts for increases in bandwidth usage, CPU, memory, volume, and interface utilization
- Establish a set password expiration/rotation policy
- Consider the security impact of new devices like wearables and Internet of Things (IoT) devices that may be connecting to your corporate network, and educate end-users appropriately
- Restrict administrator rights on all systems, if possible