A Year In Cybersecurity: Have We Learned Anything?
In insight / By Phil Muncaster / 18 December 2018
The past 12 months have been a year like no other and a year like any other. We’ve seen the same old breaches plus newer website skimming attacks; fraud continuing to rise; vulnerabilities and legacy systems ex¬posed; phishing and social engineering threats on the increase; and supply chain risk an ever present. In years to come, 2018 could represent a tipping point in GDPR and NIS Directive-driven improvements to baseline security across British companies. But it’s too early to say yet. As we close out the year, the same old predictable threats, challenges and mistakes loom large.
Credentials: still a blind spot
As always, passwords were at the centre of many security incidents in 2018. This is true in the consumer sphere, of course, where users usually resort to easy-to-remember logins shared across multiple accounts. But the problem is that every consumer is also an employee. So, what happens when your employees do the same? RepKnight found out at the start of the year.
After scouring the dark web and paste and dump sites for domains linked to the UK’s top 500 law firms, it found over one million corporate email addresses — an average of 2,000 per firm. Some 80% of these had an associated password, either stored in cleartext or hashed with a crackable protocol. Why? Because employees had registered for third-party sites with their corporate email address, and those sites had then been breached. This could leave many of these law firms wide open to follow-on attacks.
It’s a pattern likely to be repeated across most sectors.
Elsewhere, Carphone Warehouse was fined £400,000 by the ICO after a massive failure of security policy. This included the storage of plaintext credentials, which subsequently allowed attackers to open databases filled with the personal information of millions of customers back in 2015. This was just one of a litany of mistakes and should be viewed as a cautionary tale by security bosses.
Same old problems
The Carphone Warehouse was also said not to have enforced its own corporate “patch management standard” and ran inadequate vulnerability scanning/pen testing programmes. These are basic steps all firms should by now be on board with. Yet in 2018, time and again they were found wanting. A study of 3,000 global security professionals from ServiceNow revealed that more than half (57%) of breach victims believe they were caught out because of a patchable vulnerability. Many organisations also continue to run legacy systems. A Freedom of Information (FOI) request from IT provider Comparex UK found that nearly half of English councils were still running one or more of: Windows Server 2000, Windows Server 2003 and Microsoft SQL Server 2005.
That’s alongside other perennial security issues such as lost mobile devices. An FOI request submitted to the BBC revealed it has reported over 170 lost (81) and stolen devices (91) over the past two years. And Heathrow Airport Limited (HAL), was fined £120,000 by the ICO after losing a USB drive containing highly sensitive information on an upcoming visit by the Queen.
Crypto-jacking vs ransomware
Another major trend sweeping through 2018 was the rise and rise of crypto-mining malware. The narrative throughout has been that it’s an easier way to make money than ransomware, so is seeing greater take-up. One provider saw an increase in crypto-mining detections of 956% from H1 2017 to H1 2018. Although there’s no data loss involved, the malware itself can lead to higher energy costs, and wear out equipment. One Canadian university was even forced to shut down its IT network for several days, highlighting the potential impact.
However, it would be foolish to assume the ransomware threat is now a thing of the past. Europol this year labelled it the biggest malware threat facing organisations today and that it would remain a major threat for years to come. It emerged this year that WannaCry cost the NHS £92 million in IT overtime and lost output. But beyond ransomware worms like this, the trend appears to be of more targeted attacks, such as those associated with the SamSam variant. Two Iranian men were recently charged with these attacks, which have caused $30m (£24m) in losses for hospitals, local authorities and others over the past three years.
Supply chain risk
This year, partly thanks to the renewed focus on security driven by new laws coming in from Europe, experts have tried to stress the need for improved vetting of third-parties. The digital supply chain is particularly at risk, as we saw with breaches at recruitment platform PageUp which had a major knock-on impact, and online survey provider Typeform. A National Cyber Security Centre report warned: “When done well, supply chain compromises are extremely difficult (and sometimes impossible) to detect.”
Another great example was the wave of Magecart attacks that affected hundreds of e-commerce firms around the world this past year. While some of the groups using this malicious digital skimming code infected sites directly, others decided to infect third-party providers, such as Ticketmaster partner Inbenta Technologies. It’s clear that firms need to get better at vetting third-party code and ensuring partners and contractors are audited to the same standards of security.
A new era of regulation
It’s a little over six months since the GDPR was introduced and to an extent we’re still in the “phoney war” period. Things have gone eerily quiet as many firms presumably continue to play catch-up with compliance plans. However, the legislation does seem to be forcing change. One study of German and UK firms found 38% had been forced to completely change their security policies with third-parties and a further 24% to partially change policies. Many firms are still looking for that headline case, the first major fine, which they’ll be able to use as a yardstick for how much extra they need to invest and where. It could come sooner than people think, with the Marriott International group recently admitting a breach of 500m customers.
The ICO has spent much of 2018 issuing major fines under the old regime, to the likes of Facebook (£500K), Uber (£385K) and Equifax (£500K). UK firms would be advised to make sure they’re doing everything they can to follow best practice data security.
The same goes for operators of essential services (OES), now regulated by the NIS Directive. It’s had less publicity this year than the GDPR but has an important job in helping to drive up standards in critical infrastructure (CNI) sectors. Unfortunately the government is still not showing enough leadership in this area, a new parliamentary committee report has argued. Firms will have to do much of the running themselves.
As they stand at the end of 2018, security bosses are faced with another year of rising threat levels and complexity, tightening regulatory restrictions and continued pressure to support digital transformation initiatives. In the face of these challenges, cool heads and analytical minds are needed as always, but also a renewed focus on articulating threats in terms of business risk. That’s the best and only way to get buy-in and budget for upcoming projects.