#1 – Yahoo
What? The first time a major corporation, up for sale, was double dipped for a breach in one year, and it holds the title for the largest breach ever for a single company.
What makes this breach so compelling? As if being the worst breach of 2016 wasn't enough, the initial breach occurred three years prior to public disclosure, and the second breach was only discovered through forensics of the first breach.
What was the impact? Over a billion accounts in total were compromised.
What lessons were learned?
- Trust your security teams and do not isolate them.
- Do not put all your crown jewels in one database.
- Follow the law and ethics for proper breach disclosure.
#2 – Democratic National Committee
What? The FBI and DHS released a document outlining how two Advanced Persistent Threats (APT 28 and APT 29) used spear phishing and malware to infiltrate the US political system and conduct covert operations to tamper with the US election process.
What makes this breach so compelling? The blame is squarely aimed at a nation-state attack.
What was the impact? All government and political agencies should take specific, defined steps to stop this type of intrusion. The problem is that these recommendations are nothing new and form the basis of security guidelines already established by NIST.
What lessons were learned?
- Guidelines for privileges, vulnerability assessment, patching, pen testing, etc. all exist in established frameworks like NIST 800-53v4.
- Agencies need to do a better job implementing established frameworks and measuring their success.
#3 – Mirai (IoT Devices)
What? With the public release of the Mirai malware source code, attackers created a botnet that leverages default passwords and unpatched vulnerabilities to build a sophisticated worldwide botnet capable of massive DDoS attacks.
What makes this breach so compelling? Mirai was successfully used multiple times in 2016: to disrupt the Internet in the US via DDoS against the DNS services provided by Dyn, and against telecoms in France and banks in Russia.
What was the impact? The Internet of Things has taken over our home and corporate networks; quite literally.
What lessons were learned?
- Devices that cannot have their software, passwords, or firmware updated should never be implemented.
- Changing the default username and password is recommended for the installation of any device on the Internet.
- Passwords for IoT devices should be unique per device; especially when they are connected to the Internet.
- Always patch IoT devices with the latest software and firmware to mitigate vulnerabilities.
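The three Mirai lessons above (no unchanged defaults, no password shared across devices, no stale firmware) can be checked against a device inventory. The audit below is an added example, not code from the original post; the device models, default passwords, firmware versions and inventory are all constructed, and only password hashes are compared so no credentials sit in the inventory.

```python
import hashlib
from collections import defaultdict

def h(pw):
    """SHA-256 of a password; the inventory stores only this fingerprint."""
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed vendor defaults (hypothetical models and passwords), keyed by model.
VENDOR_DEFAULTS = {
    "cam-x100": ("admin", h("default-x100")),
    "dvr-200": ("root", h("default-dvr")),
}
# Constructed table of the vendor's latest firmware per model (hypothetical versions).
LATEST_FIRMWARE = {"cam-x100": "2.4.1", "dvr-200": "1.9.0"}

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def audit_iot_inventory(devices):
    """Return {device_id: [findings]} for every device that violates one of the
    Mirai lessons. Each device is a dict with id, model, user, pw_hash, firmware."""
    findings = defaultdict(list)
    by_pw = defaultdict(list)          # which devices share the same password hash
    for d in devices:
        by_pw[d["pw_hash"]].append(d["id"])
    for d in devices:
        default = VENDOR_DEFAULTS.get(d["model"])
        if default and (d["user"], d["pw_hash"]) == default:
            findings[d["id"]].append("default credentials unchanged")
        if len(by_pw[d["pw_hash"]]) > 1:
            findings[d["id"]].append("password shared with other devices")
        latest = LATEST_FIRMWARE.get(d["model"])
        if latest and version_tuple(d["firmware"]) < version_tuple(latest):
            findings[d["id"]].append(f"firmware {d['firmware']} behind {latest}")
    return dict(findings)

# Constructed sample inventory: one unchanged default, two devices sharing a
# site-wide password, one device on old firmware, and one clean device.
SAMPLE_INVENTORY = [
    {"id": "cam-1", "model": "cam-x100", "user": "admin", "pw_hash": h("default-x100"), "firmware": "2.4.1"},
    {"id": "cam-2", "model": "cam-x100", "user": "admin", "pw_hash": h("site-wide-pw"), "firmware": "2.3.0"},
    {"id": "dvr-1", "model": "dvr-200", "user": "root", "pw_hash": h("site-wide-pw"), "firmware": "1.9.0"},
    {"id": "dvr-2", "model": "dvr-200", "user": "root", "pw_hash": h("Unique!4dvr2"), "firmware": "1.9.0"},
]

if __name__ == "__main__":
    for dev, issues in audit_iot_inventory(SAMPLE_INVENTORY).items():
        print(dev, "->", "; ".join(issues))
```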
#4 – LinkedIn
What? An attack from over four years ago was publicly leaked in early 2016.
What makes this breach so compelling? Users who had not changed their passwords since then found their usernames, email addresses, and passwords publicly available on the dark web. Easy pickings for a hacker.
What was the impact? 117 million LinkedIn users.
What lessons were learned?
- Change your passwords frequently. A four-year-old password is probably just asking for trouble.
- Never re-use your passwords on other sites. That four-year-old breach could easily lead to someone trying the same password on another social media site or email account, compromising other accounts simply because the same password was used in multiple places.
#5 – Internal Revenue Service
What? The attack vector was against the "Get Transcript" service, used for everything from college loans to sharing your tax returns with authorized third parties. Due to the simplicity of the system, a social security number could be used to retrieve information and then create fake tax returns, resulting in a refund with the funds forwarded electronically to a rogue bank account.
What makes this breach so compelling? This is one we should not forget, since it happened twice – once in 2015 and again in early 2016. It is noteworthy because the system, like Yahoo, was breached, fixed, but still had severe flaws that allowed it to be breached again.
What was the impact? The scope of the breach was grossly underestimated, from early accounts of 100,000 users to over 700,000 in the end. It is unknown if this will surface again for 2016 returns.
What lessons were learned?
- Fixes that follow penetration testing are crucial. Just because you fixed one flaw does not mean the service is secure.
- Forensics is critical after an incident or breach. A seven-fold growth in the number of affected accounts indicates that no one really understood the scope of the problem to begin with.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.