It’s popular this time of year to look back, assess what we may have learned in the past year, and resolve to make changes going forward. Unfortunately, for cybersecurity, this process is more like a never-ending hamster wheel instead of a nice, neat, clean linear process. Let’s take a look at the five worst breaches announced in 2016, see if there is anything we can learn from them, and predict what 2017 might look like. More than anything else, I hope that what George Santayana said doesn’t come true – that, "Those who do not learn history are doomed to repeat it."
#1 – Yahoo
What? The first time a major corporation, while up for sale, disclosed two separate breaches in a single year; it also holds the title of the largest breach ever for a single company.
What makes this breach so compelling? As if being the worst breach of 2016 wasn’t enough, the initial breach occurred three years prior to public disclosure and the second breach was only discovered due to forensics of the first breach.
What was the impact? Over a billion accounts in total were compromised.
What lessons were learned?
- Trust your security teams and do not isolate them.
- Do not put all your crown jewels in one database.
- Follow the law and ethics for proper breach disclosure.
#2 – Democratic National Committee
What? The FBI and DHS released a document outlining how two Advanced Persistent Threats (APT 28 and APT 29) used spear phishing and malware to infiltrate the US political system and conduct covert operations to tamper with the US election process.
What makes this breach so compelling? The blame is squarely aimed at a nation state attack.
What was the impact? All government and political agencies should take specific, defined steps to stop this type of intrusion. The problem is, these recommendations are nothing new and form the basis of security guidelines already established by NIST.
What lessons were learned?
- Guidelines for privileges, vulnerability assessment, patching, pen testing, etc. all exist in established frameworks like NIST SP 800-53 Rev. 4.
- Agencies need to do a better job implementing established frameworks and measuring their success.
#3 – Mirai (IoT Devices)
What? With the public release of the Mirai malware source code, attackers used it to build a worldwide botnet that leverages default passwords and unpatched vulnerabilities on IoT devices and can launch massive DDoS attacks.
What makes this breach so compelling? Mirai was used multiple times in 2016, from disrupting much of the US Internet via a DDoS against the DNS services provided by Dyn, to attacks on telecoms in France and banks in Russia.
What was the impact? The Internet of Things has taken over our home and corporate networks; quite literally.
What lessons were learned?
- Devices that cannot have their software, passwords, or firmware updated should never be deployed.
- Change the default username and password when installing any device that is connected to the Internet.
- Passwords for IoT devices should be unique per device; especially when they are connected to the Internet.
- Always patch IoT devices with the latest software and firmware to mitigate vulnerabilities.
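The three IoT lessons above can be turned into an inventory audit. The following is an added example written for this post, not a BeyondTrust tool: it takes a constructed asset list (hostnames, models, firmware versions and credentials are all made up) and flags devices that still use a factory default, share a credential with another device, run stale firmware, or have no vendor patch baseline at all.

```python
import hashlib
from collections import defaultdict

def fingerprint(cred: str) -> str:
    # The inventory holds only a SHA-256 fingerprint of "user:password",
    # never the secret itself, so the audit compares fingerprints.
    return hashlib.sha256(cred.encode()).hexdigest()

def parse_version(text: str) -> tuple:
    # "2.10.1" -> (2, 10, 1) so that versions compare numerically, not as strings.
    return tuple(int(part) for part in text.split("."))

# Constructed placeholder defaults; a real audit would load the vendor's list.
DEFAULT_FINGERPRINTS = {fingerprint(c) for c in ("admin:admin", "admin:password", "root:root")}

# Constructed: current firmware per model, as a vendor advisory feed might supply.
LATEST_FIRMWARE = {"cam-x1": (2, 1, 4), "dvr-z9": (1, 8, 0)}

# Constructed inventory rows: (host, model, firmware version, credential fingerprint).
INVENTORY = [
    ("cam-lobby", "cam-x1", "2.1.4", fingerprint("admin:admin")),
    ("cam-dock",  "cam-x1", "2.0.9", fingerprint("ops:G7!kqp2r")),
    ("cam-yard",  "cam-x1", "2.1.4", fingerprint("ops:G7!kqp2r")),
    ("dvr-main",  "dvr-z9", "1.8.0", fingerprint("ops:R4w%ez9m")),
    ("therm-1",   "therm-q", "0.3",  fingerprint("admin:admin")),
]

def audit(inventory, latest, default_fps):
    """Return {host: sorted list of findings}; clean hosts are omitted."""
    findings = defaultdict(list)
    hosts_by_fp = defaultdict(list)
    for host, model, firmware, fp in inventory:
        hosts_by_fp[fp].append(host)
        if fp in default_fps:
            findings[host].append("default-credential")
        current = latest.get(model)
        if current is None:
            # No patch baseline exists: the device cannot be kept updated.
            findings[host].append("unknown-model")
        elif parse_version(firmware) < current:
            findings[host].append("stale-firmware")
    # A credential reused across devices violates the "unique per device" rule.
    for fp, hosts in hosts_by_fp.items():
        if len(hosts) > 1:
            for host in hosts:
                findings[host].append("shared-credential")
    return {host: sorted(items) for host, items in findings.items()}

if __name__ == "__main__":
    for host, items in audit(INVENTORY, LATEST_FIRMWARE, DEFAULT_FINGERPRINTS).items():
        print(f"{host}: {', '.join(items)}")
```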
#4 – LinkedIn
What? An attack from over four years earlier was publicly leaked in early 2016.
What makes this breach so compelling? Users who had not changed their passwords since then found their usernames, email addresses, and passwords publicly available on the dark web. Easy pickings for a hacker.
What was the impact? 117 million LinkedIn users.
What lessons were learned?
- Change your passwords frequently. A four-year-old password is probably just asking for trouble.
- Never re-use your passwords on other sites. That four-year-old breach could easily lead to someone trying that same password on another social media site or email account and compromise other accounts simply because the same password was used in multiple places.
#5 – Internal Revenue Service
What? The attack vector was against the “Get Transcript” service, which is used for everything from college loans to sharing your tax returns with authorized third parties. Due to the simplicity of the system, a social security number could be used to retrieve information and then file fake tax returns, resulting in a refund with the funds forwarded electronically to a rogue bank account.
What makes this breach so compelling? This is one we should not forget since it happened twice – once in 2015 and again in early 2016. It is noteworthy because the system, like Yahoo, was breached twice: it was breached, fixed, but still had severe flaws that allowed it to be breached again.
What was the impact? The scope of the breach was grossly underestimated from early accounts of 100,000 users to over 700,000 in the end. It is unknown if this will surface again for 2016 returns.
What lessons were learned?
- Penetration testing fixes are crucial. Just because you fixed one flaw does not mean the service is secure.
- Forensics is critical after an incident or breach. A seven-fold increase in the number of accounts affected indicates that no one really understood the scope of the problem to begin with.
For 2017, I think you should expect more of the same. Nation states, IoT devices, and high-profile companies will be the focus of breach reporting. I believe there will be an uptick in coverage of privacy laws governing IoT devices and the sharing of information contained within them. This will cover everything from devices like Amazon Echo to information flowing from EMEA to the USA and ASIAPAC within companies.
What types of breaches are you most worried about in 2017? Download our free Privilege Discovery and Reporting Tool or Retina IoT scanner to uncover where your biggest risks might be.
Morey J. Haber, Chief Security Advisor
Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his nearly 12-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board, assisting the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as part of the acquisition of eEye Digital Security, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.