As we near the end of 2016, it’s time to reflect on some of the biggest security issues that we saw this year. 2016 was an interesting year in which many security issues came into focus. We saw many attacks with a goal of financial gain. We saw nation-states threatening cyberattacks around the US election. And, we saw the revival of the security versus privacy debate that rages on.
Attacks for Financial Gain
The FBI estimates that cyber-criminals collected at least $209 million between January and March of 2016 using ransomware attacks. Ransomware is malicious software that encrypts all data on a computer’s hard drive and sends the decryption key to an attacker. The attacker then demands that the victim pay a ransom to get the decryption key to recover the encrypted data.
Several ransomware attacks in 2016 occurred due to a vulnerability in the Apache Commons-Collections library that came to light in 2015. Attackers exploited this vulnerability, remotely installing ransomware on servers running unpatched versions of certain Java application servers.
One particularly high-profile attack that took place in 2016 was the attempted theft of almost $1 billion from Bangladesh Bank. Attackers installed malware on the bank’s systems to steal credentials for initiating fund transfers. They used the credentials to attempt to move $951 million to bank accounts in the Philippines and Sri Lanka. Luckily, a $20 million transfer was recovered. Additionally, thirty transactions totaling approximately $851 million were flagged for manual review. The attackers are suspected to have had help from Bangladesh Bank insiders.
2016 US Election
Cyberattacks were big news leading up to the 2016 election in the United States. Email accounts belonging to John Podesta and Colin Powell were hacked using phishing attacks. The DNC’s servers were also compromised, resulting in the theft of several staff members’ emails. Many of the stolen emails were published online—it is unclear whether that had any impact on the election.
Many blamed Russia for these attacks. US government officials even suggested that the US may attack Russia’s electric grid, telecommunications networks, and the Kremlin’s command systems in case any election day cyberattacks disrupted the election. Luckily, no such cyberattacks occurred. This is not the last time that we’ll see emails being stolen and published to attempt to sway public opinion, or nation-states threatening each other with cyberattacks.
Security vs Privacy
The notorious fight between Apple and the FBI was a high profile case that brought the security vs. privacy debate to the media forefront. The FBI had physical possession of an iPhone belonging to a terrorist who killed 14 people in San Bernardino, California. The iPhone’s filesystem was encrypted and protected using a password. Apple’s iOS software was written such that after 10 consecutive attempts to enter an incorrect password, the filesystem decryption key would be deleted, and the data stored on the phone would be lost forever.
The FBI wanted Apple to write software that would allow the FBI to brute-force the password on the device quickly without risking losing the decryption key. Apple refused, stating that the request equated to hacking its users and undermining security advancements. Ultimately, the FBI was able to unlock the iPhone without Apple’s help. This demonstrates the fact that it’s extremely difficult to protect data on a device when a skilled person has physical access to it.
The debate between security and privacy is unlikely to go away anytime soon.
We’ll continue to see governments attempting to put backdoors into software, cryptographic algorithms, and protocols. Hopefully, we’ll also continue to see resistance from the security industry.
We have seen many times that backdoors can introduce serious vulnerabilities. A recent example is the Logjam attack resulting from the TLS protocol design with support for weak “export-grade” cryptography. Additionally, government agencies don’t have the magical ability to keep their data and tools out of the hands of hackers.
If Apple had created a tool allowing the FBI to do what it wanted, it could have been leaked—much like several NSA hacking tools that were leaked online in 2016. It would certainly have been possible for Apple to create a tool to work on that particular iPhone. However, it would also have set a precedent. It would likely lead to the creation of a general purpose tool to run on any iOS device.
Predictions for 2017
There’s little doubt that we will continue to see plenty of security issues in 2017. Most attacks will likely target institutions that don’t have mature security programs. Here are some additional security predictions for 2017:
A security vulnerability in software running on vehicles will lead to a costly recall.
In recent years, we have seen several vehicle recalls due to bugs in software running within those vehicles. At least one of these recalls addressed remotely exploitable security vulnerabilities. Modern vehicles can run software containing as many as 100 million lines of code. As more and more vehicle manufacturers add cellular connectivity to their vehicles, vulnerabilities in the software may become remotely exploitable.
We will see a serious attack succeed due to an insufficiently secured cloud environment.
We saw this in 2014 with Code Spaces. As more and more organizations move their applications to cloud infrastructures, they must understand how to secure them. There is nothing inherently insecure about the cloud. However, organizations do need to understand how many security controls are different in the cloud.
An insider attack will lead to significant losses for an organization.
While many organizations are starting to take insider threats seriously, others aren’t. We see many applications lacking even the most basic controls for preventing and/or detecting attacks because they are only in use by the organization’s employees. Insiders may have been involved in the Bangladesh Bank incident that nearly resulted in a $1 billion loss. We’ll likely see more high-profile insider attacks in years to come.
How to Protect Your Organization
The outlook isn’t as gloomy as it may seem. There were plenty of organizations in 2016 that successfully thwarted cyberattacks. Keeping your organization safe from attacks requires a lot of conscious effort and a well-designed security initiative.
A great place to start is the Building Security In Maturity Model. Remember that security is a journey. Constantly work to improve security in your systems. This ensures that your organization doesn’t end up as the target of the next successful cyberattack.