14 Dec Lessons learned from the 7 major cyber security incidents of 2016
What to glean from the DNC and Yahoo hacks, the rise of ransomware
Cyber security incidents dominated headlines this year, from Russia’s hacking of Democrat emails to internet cameras and DVRs launching DDoS attacks, leaving the impression among many that nothing should be entrusted to the internet.
These incidents reveal technical flaws that can be addressed and failure to employ best practices that might have prevented some of them from happening.
+More on Network World: Gartner Top 10 technology trends you should know for 2017+
The most important lesson is that cybersecurity is a perpetual battle in which neither side gets the upper hand for long and that requires constant incident post-mortems to discover the next measures to keep data and communications safe.
Here is a look at seven such incidents and what lessons they afford.
The theft of emails from the Democratic National Committee not only revealed information that turned many away from Democratic presidential candidate Hillary Clinton, it also showed that Russia was trying to influence the election in favor of Republican Donald Trump.
U.S. intelligence services say the hack was likely the work of Russian hackers with possible ties to top Kremlin officials, although the opinion is not unanimous. Trump disputes even that Russia was involved at all. President Barack Obama has called for a report on the incident before he leaves office next month, but it’s likely the true nature and impact of the breach won’t be known for long after that, if ever.
The case points up the general difficulty of attributing attacks to particular actors with incontrovertible evidence. Researchers at security vendors have attributed this compromise to Russian groups Cozy Bear and Fancy Bear based on its tactics and methods, but that doesn’t link it conclusively to the Russian government.
What the incident does show is that politically motivated attacks can be effective and can be carried out without leaving a smoking gun.
The attack exposes the influence foreign states can have over any country’s elections. More narrowly, candidates and their parties need to pay more attention to better network security if they hope to avoid this type of attack in the future, regardless of who the perpetrator is.
Dyn DDoS attack
This massive DDoS attack against major DNS service Dyn had more spectacular results than the perpetrators likely hoped for.
It was noteworthy for enlisting tens of thousands of internet of things (IoT) devices into a botnet that carried out much of the attack. Three waves of traffic hit Dyn Oct. 21, focusing on different Dyn data centers.
+More on Network World: 20 years ago: Hot sci/tech images from 1996+
The attack was made more potent because when Dyn’s servers became flooded, DNS requests went unanswered long enough so the requesting machines – legitimate ones and bots – sent follow-up requests, compounding the traffic flood.
Because Dyn served major customers – Amazon, Etsy, GitHub, Shopify, Twitter – addresses for traffic headed their way couldn’t be resolved. Because these victims are so high-profile, it seemed to some that the internet was broken.
The lesson for enterprises is doubling or tripling up on their DNS providers so if one goes down, there’s a backup. They should look at lowering the time-to-life settings on their DNS servers so when attacks like this do occur they can redirect traffic faster to the backup DNS providers.
Thieves stole 2.6 TB of data from the Panamanian law firm Mossack Fonesca, making this a major breach based on the volume of stolen information alone. Add to the mix that the data included details about how 70 past and current world political figures hid income from revenue officials in offshore accounts and the importance is even bigger.
The prime minister of Iceland was forced to step down due to the scandal, while officials in the U.K., France, Austria, South Korea and Pakistan faced public outcry.
+More on Network World: Your robot doctor overlords will see you now+
The culprit is unknown, but researchers probing the law firm’s network found multiple applications and plugins that weren’t kept up to date and contained vulnerabilities. Network architects didn’t employ least privilege for administrators, so hacking just one set of credentials would expose more systems than it might have if admins had access to the minimum number of systems needed to do their jobs.
When Yahoo announced Sept. 22 that half a billion of its accounts had been hacked, it was the largest ever hack of its kind. Then it came out that the actual compromise happened in 2014, elevating the incident into the realm of the incredible.
Beyond the uncountable effects of that many accounts being vulnerable for that long of a time, the breach threw the $4.8 billion sale of Yahoo to Verizon into turmoil. It still hasn’t gone through, with speculation being that Verizon wants to trim $1 billion from the price because the hack affects Yahoo’s value.
The entire fiasco holds lessons for consumers: use strong, unique passwords for all accounts and change them regularly.
It also is an object lesson for businesses and other entities that might some day have to explain a breach – get out in front of the problem and be open with facts about how it happened and what’s being done to fix it. Also – and this is difficult to specify – they should employ detection platforms that expose such breaches more quickly.
NSA Shadow Brokers leak
Shadow Brokers, a hacking group of uncertain membership, tried to sell what it described as hacking tools stolen from an equally mysterious organization called Equation Group.
The importance is that Equation Group may have links to the NSA and Shadow Brokers may have links to Russia. One theory goes that Russia exposed the alleged NSA tools as a way to embarrass the NSA and weaken whatever response the U.S. might initiate against Russia for its alleged hack of the Democrat National Committee.
The advertised sale of the tools may have been a ploy to give the story wider attention and so a greater impact against the NSA.
It turns out the tools work against specific devices made by specific vendors were years old, and the tools may have been lifted from a single NSA server on which careless operatives had left them.
The importance is that it seems a Russian group hacked an NSA server to capture cyber spy tools.
$65 million bitcoin hack
Bitfinex, the bitcon trading platform, was hacked for nearly 120,000 bitcoin Aug. 2, an attack that undermined the company’s three-tiered and purportedly impregnable key-exchange architecture.
The hack was the third largest bitcoin heist, but Bitfinex is the largest platform for converting bitcoin to U.S. dollars so it resonated widely. Bitfinex spread the loss across all its customers’ accounts – 36% of each account’s value.
Beyond that, the exchange was using a complex authentication that required two factors, one held by Bitfinex and one by its security partner BitGo. It was supposed to be highly secure. Compromising both companies would be required if thieves wanted to steal funds, the company said when it set up the scheme. BitGo says its system wasn’t compromised.
The lesson is that even the most sophisticated bitcoin exchanges are still susceptible to hacks and individuals and organizations using them should take steps to minimize their exposure.
Ransomware v. healthcare
Dozens of ransomware incidents this year were carried out against health care institutions, revealing how easy and lucrative ransomware has become as a business as well as how low criminals will stoop when choosing victims.
Many healthcare providers who were hit didn’t have backups or other means to recover quickly from the attacks and so they paid the ransom. More than one that paid was hit again by the same actor coming back for a second bite of the apple.
These incidents are likely to continue as long as it’s relatively simple to infect a victim and extort payment. Ransomware as a service is cropping up in the internet underworld, making it a threat to consumers as well as giant corporations.
The prevalence of these attacks should serve as warning that businesses in any field should have reliable, secure backups that can recover machines that have been encrypted by ransomware. And they should have systems that detect these infections early so they can be isolated to minimize the damage they do.