What was, what is and what should never be

A look at 2014, 2015 and beyond in data breach terms with Stephen Coty

The US Target data breach was the first of many major retail point-of-sale (POS) system breaches in 2014. Target's cash registers were infected with a malware strain that stole payment card information.

This use of malware is not surprising, given that the past year brought more POS malware than at any time since 2007 or 2008, with variants including BlackPOS, Kaptoxa, Backoff, Chewbacca and updated versions of Dexter, Alina and VSkimmer.

Attacks on other retailers such as Jimmy John's, PF Chang's, Kmart, and Home Depot followed.

Retailers will continue to be a major target in 2015 and, as they start implementing tighter security strategies, the attack vector will change.

We will see more data exfiltration from online e-commerce sites that rely on open source or low-cost POS systems, which may be less secure than an onsite POS network segregated from the rest of the corporate network.

As the retail industry begins to invest in its security posture, victims of POS attacks through brick and mortar retail stores may decline.

We have seen malicious actors, such as the Rescator group that was responsible for the breaches at Target, Home Depot, PF Chang's, and others, improve their skills and reinvest in their operations to compromise retail and e-commerce environments.

Rescator has traditionally targeted vulnerable websites with SQL injection (SQLi) and cross-site scripting (XSS) attacks. They will go back to their roots of compromising websites, but instead of relying on SQLi and XSS alone, they will weaponise their successful POS malware against more online commerce sites, exploiting inexpensive and open source POS platforms.

Having a solid, in-depth security strategy will assist in defending against these types of attacks. Whether a customer is in the cloud or not, there are several security technologies that can be implemented so long as you support them with people and processes.

Managed security services may appeal to customers that cannot afford their own security programme.

In 2013, the healthcare industry lost more personally identifiable information (PII) than any other industry. PII theft has historically been profitable, demanding black-market prices 10 times that of credit card details.

Healthcare PII data can be used to create fake identities for criminals and mask their personal data – perhaps even help terrorist organisations disguise their agents.

However, the attack vector really changed in 2014; the new targets became businesses that support the healthcare industry through medical devices and technologies.

A US Federal Drug Administration bulletin identified 300 medical devices vulnerable to exploits. Security researcher Barnaby Jack has demonstrated wireless hacking of insulin pumps and pacemakers.

This trend will continue in 2015, with more medical technology manufacturers becoming a primary target of some state-sponsored industrial espionage and organised criminal hacking groups. Will 2015 see the first online murder through such a vulnerability? Obviously, medical devices need proper security.

Healthcare facilities also need to do a better job at securing their environments and implementing a solid security programme with sufficient resources.

Higher education institutions are also an attractive target for identity and information theft because of the sensitive PII data available from students, faculty and alumni.

Universities in particular are at risk because of the inexperience of the users on their networks, which opens paths to multiple infections and rampant use of unsupported software and tools.

Unfortunately, the cost of an in-depth security strategy using the latest technology, processes and experts is often beyond the budget of universities.

According to the FBI, some nation-states are also interested in stealing classified information and intellectual property from universities, possibly to avoid doing the research and development themselves, or to help them spread false information for political or other reasons.

It is not unusual for campuses to be the targets of phishing emails with attached malware or computer intrusions with the intent to access confidential research or exploit social media networking sites.

To mitigate risk, educational institutions should consider storing sensitive data via private cloud technology. After all, the primary purpose of a private-cloud service provider is to provide availability and security for the data stored in its datacentres.

In 2014, the oil, gas and energy industries saw a few new groups produce advanced malware that targets supervisory control and data acquisition (SCADA) systems. Cyberspying organisation Energetic Bear has ties with the Russian government – making this group an interesting adversary.

Energetic Bear has been around since 2011 and was incredibly effective at updating malicious code and attack vectors in 2014. Its primary attack vector was a series of phishing emails deployed at an energy organisation with exploits against popular everyday products such as Adobe Reader and Microsoft Office.

Energetic Bear has also been launching attacks using Havex, a tool that has SCADA system search functions and Remote Access Trojan (RAT) capabilities. Havex may be an updated version of the SYSMain RAT that the group has used in prior attacks.

Attacks against infrastructure monitoring systems can be detected, and defences can be built to deny the attacker the desired target. Proper network segmentation, security tool implementation and constant patching are a few of several ways to protect your customer's environment.

Using threat intelligence to understand the adversaries could reveal their motives and assist in detecting and mitigating vulnerabilities before they are exploited.

2015 will produce more malware that will affect multiple industries. We will see new malicious actors and a revived list of old ones. We will see more groups starting to team up on operations to compromise their common targets.

This also highlights the need for information sharing among industry groups. If companies can tear down the barriers that prevent them from sharing information on phishing campaigns, malware received, and the IP addresses and locations of malicious actors attempting to compromise their environments, other attacks may be prevented.
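As an added illustration of what a shared indicator list is good for once it arrives (example code written for this page, not from the author or Alert Logic), the Python below loads a constructed feed in the shape a peer organisation might circulate (an attacker IP address and range, a phishing lure domain, an attachment hash) and checks it against a handful of constructed web proxy and mail gateway log lines. Every indicator value and log line is made up for the example and uses documentation address space, so nothing here refers to real infrastructure.

```python
"""Check locally collected log lines against a shared indicator list.

Added example for this article, not code from the author or Alert Logic.
The indicator feed and the log lines are constructed for illustration;
the addresses are documentation ranges, not real infrastructure.
"""
import csv
import io
import ipaddress
import re
from collections import namedtuple

# Constructed indicator feed, in the shape a peer might share: type,value,context
SHARED_INDICATORS_CSV = """type,value,context
ipv4,198.51.100.23,phishing campaign C2 seen 2014-11
cidr,203.0.113.0/24,scanning source range
domain,invoice-update.example,lure domain used in PDF phishing
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,malicious PDF attachment
"""

# Constructed local log lines (web proxy and mail gateway)
LOCAL_LOGS = [
    "2014-12-01T10:02:11Z proxy src=10.0.5.17 dst=198.51.100.23 host=cdn.example status=200",
    "2014-12-01T10:05:40Z proxy src=10.0.5.22 dst=203.0.113.77 host=www.invoice-update.example status=302",
    "2014-12-01T10:07:02Z mail from=billing@invoice-update.example attachment=invoice.pdf "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2014-12-01T10:09:13Z proxy src=10.0.5.17 dst=192.0.2.10 host=intranet.example status=200",
]

Hit = namedtuple("Hit", "line_no indicator_type value context")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def _domain_pattern(domain):
    # Match the domain itself or any subdomain, bounded by non-hostname characters,
    # so "invoice-update.example.net" is not counted as a hit for "invoice-update.example"
    return re.compile(r"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)*" + re.escape(domain) + r"(?![a-z0-9.-])")


def load_indicators(text):
    """Parse the CSV feed into exact-match sets, CIDR networks, domain patterns and a context map."""
    ind = {"ipv4": set(), "sha256": set(), "domains": [], "cidrs": [], "contexts": {}}
    for row in csv.DictReader(io.StringIO(text)):
        kind, value = row["type"].strip().lower(), row["value"].strip().lower()
        if kind == "cidr":
            net = ipaddress.ip_network(value, strict=False)
            ind["cidrs"].append(net)
            value = str(net)
        elif kind == "domain":
            ind["domains"].append((value, _domain_pattern(value)))
        elif kind in ("ipv4", "sha256"):
            ind[kind].add(value)
        else:
            continue  # unknown indicator type: skip rather than guess
        ind["contexts"][(kind, value)] = row["context"]
    return ind


def match_logs(lines, indicators):
    """Return a Hit for every indicator observed in the given log lines."""
    hits = []
    ctx = indicators["contexts"]
    for line_no, line in enumerate(lines, 1):
        low = line.lower()
        for ip in IPV4_RE.findall(low):
            if ip in indicators["ipv4"]:
                hits.append(Hit(line_no, "ipv4", ip, ctx[("ipv4", ip)]))
                continue
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # e.g. 999.1.1.1 slips through the loose regex
            for net in indicators["cidrs"]:
                if addr in net:
                    hits.append(Hit(line_no, "cidr", str(net), ctx[("cidr", str(net))]))
        for digest in SHA256_RE.findall(low):
            if digest in indicators["sha256"]:
                hits.append(Hit(line_no, "sha256", digest, ctx[("sha256", digest)]))
        for domain, pattern in indicators["domains"]:
            if pattern.search(low):
                hits.append(Hit(line_no, "domain", domain, ctx[("domain", domain)]))
    return hits


if __name__ == "__main__":
    for h in match_logs(LOCAL_LOGS, load_indicators(SHARED_INDICATORS_CSV)):
        print(f"line {h.line_no}: {h.indicator_type} {h.value} ({h.context})")
```

Each hit carries the context the sharing party attached to the indicator, which is what turns a bare address match into something an analyst can act on; in practice the feed would be consumed from a sharing platform rather than an inline string, and the log lines would come from the proxy, mail gateway and firewall rather than a list.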

We are all in this together and need to work together to glean collective intelligence to fight attackers who are becoming more organised themselves.

Stephen Coty is chief security evangelist at Alert Logic