BreachExchange mailing list archives

If 2014 Was The Year Of The Data Breach, Brace For More


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 2 Jan 2015 18:52:49 -0700

http://truebluetribune.com/if-2014-was-the-year-of-the-data-breach-brace-for-more/124439

Data breaches dominated headlines in 2014, and they appear poised to usher
in 2015 as well.  While the cybersecurity plights of certain high-profile
retailers, financial institutions, and one prominent movie studio became
common knowledge and headline fodder, these companies were far from the
year’s only victims.  In fact, a recent study found that more than 40% of
companies experienced a data breach of some sort in the past year – four
out of ten companies that maintain your credit card numbers, social
security numbers, health information, and other personal information.  That
number is staggering, and shows no signs of retreat.

It is against that backdrop, at the end of 2014, dubbed by some the
“year of the breach,” that we revisit several notable cybersecurity
developments from the past year.

Bugs, Bugs, Bugs

The creativity employed by cyber criminals was matched only by the
creativity used to name their tools.  The “Heartbleed Bug,” for example,
affected OpenSSL, software widely used to encrypt web traffic, including
sensitive data.  The bug let an attacker read chunks of a vulnerable
server's memory, exposing encryption keys and information that users
believed was protected in transit, including email, usernames, passwords,
financial account numbers, and other confidential data.  Because the
offending requests were not ordinarily logged, hackers may have obtained
this information without leaving a trace.

“Backoff” malware allowed hackers to pilfer consumer payment information,
such as credit card numbers, from point-of-sale terminals.  The hackers
targeted remote desktop applications, which let employees reach a work
computer from home and let companies provide centralized IT support to
point-of-sale terminals in scattered locations such as malls and retail
stores.  Using brute force against those Internet-reachable remote desktop
services, the hackers guessed the passwords of administrative and other
accounts.  They then deployed Backoff to acquire customer names, mailing
addresses, credit/debit card numbers, phone numbers, and email addresses.
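The brute-force-then-logon sequence described above leaves a recognizable trail in authentication logs.  As an added example that is not part of the article, the following Python script flags a source address that racks up repeated failed remote-desktop logons inside a short window, and then flags the first successful logon from that same source, the moment at which a guessed password has given the attacker a foothold.  Windows Security event IDs 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values; the log format, hosts, addresses and account names are constructed for the example.

```python
"""Detect RDP password brute forcing followed by a successful logon.

Added example (not from the article): flags the pattern the Backoff
paragraph describes, many failed remote-desktop logons from one source
followed by a success, over Windows Security-style events.  Event IDs
4625 (failed logon), 4624 (successful logon) and logon type 10
(RemoteInteractive, i.e. RDP) are the real Windows values; the log lines,
addresses and accounts below are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   timestamp|event_id|logon_type|source_ip|account
SAMPLE_LOG = """\
2014-08-01T02:00:01|4625|10|203.0.113.7|administrator
2014-08-01T02:00:03|4625|10|203.0.113.7|administrator
2014-08-01T02:00:05|4625|10|203.0.113.7|admin
2014-08-01T02:00:07|4625|10|203.0.113.7|pos
2014-08-01T02:00:09|4625|10|203.0.113.7|administrator
2014-08-01T02:00:12|4625|10|203.0.113.7|administrator
2014-08-01T02:00:15|4624|10|203.0.113.7|administrator
2014-08-01T02:01:00|4625|3|198.51.100.4|backupsvc
2014-08-01T09:30:00|4625|10|192.0.2.22|jsmith
2014-08-01T09:30:40|4624|10|192.0.2.22|jsmith
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the pipe-delimited sample format into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, account = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "src": src,
            "account": account,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for RDP brute forcing and for a later success from the same source.

    An "rdp_bruteforce" alert fires once per source when it accumulates at
    least `threshold` failed RDP logons within `window`; a
    "bruteforce_success" alert fires for every successful RDP logon from a
    source that has already been flagged.  Events are sorted by time first
    so out-of-order input does not defeat the sliding window.
    """
    recent_failures = defaultdict(deque)   # src -> timestamps of failures inside window
    flagged = {}                           # src -> time it crossed the threshold
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                       # only remote-desktop logons matter here
        src, ts = ev["src"], ev["ts"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ts
                alerts.append(("rdp_bruteforce", src, ts, len(q)))
        elif ev["event_id"] == SUCCESS_LOGON and src in flagged:
            # A success after a flagged burst: the guessing most likely worked.
            alerts.append(("bruteforce_success", src, ts, ev["account"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample, the script raises two alerts for 203.0.113.7 (the burst of failures, then the successful "administrator" logon) and nothing for the user who mistyped a password once.  Against real data, feed it 4624/4625 events filtered to logon type 10, tune the threshold and window to the environment, and treat the second alert as the urgent one: the first says someone is guessing, the second says they got in.  Putting the remote desktop service behind a VPN or an address allow-list removes the exposure the hackers relied on in the first place.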

“Shellshock,” an easy-to-exploit bug in the Bash shell found on millions of
Unix-like systems, allowed hackers to run commands with whatever privileges
the vulnerable service held, which could include administrative access, and
so to download and install malware; delete, modify, or steal information;
and disable systems.  Researchers also warned that Shellshock was
“wormable,” meaning that a hacker could load a self-replicating worm on a
few systems and watch it spread across the Internet.

Heartbleed, Backoff, and Shellshock were a worrisome trio in 2014, but they
were not alone and will surely give way to the discovery of new bugs and
malware in the coming year.

The Cybersecurity Framework

Leon Panetta once said that “[t]he next Pearl Harbor we confront could very
well be a cyber attack that cripples our power systems, our grid, our
security systems, our financial systems, our governmental systems.”  It is
with that potential in mind that the President directed the National
Institute of Standards and Technology (NIST) to develop a Cybersecurity
Framework for use by critical infrastructure organizations—i.e., those
organizations that maintain systems or assets that, if incapacitated or
destroyed, would have a debilitating impact on national security, economic
security, or public health.  Critical industries include transportation,
financial services, energy and utilities, government, and others, and their
importance to national security and the economy cannot be overstated.

The Cybersecurity Framework, issued in February 2014, relies on recognized
industry standards to provide a mechanism by which companies can assess
their current and desired levels of security, and then to implement
measures to close any gap between the two.  While not yet a year old, the
Framework has attracted heavy industry attention and debate, with some
praising its potential effectiveness and others concerned that the
otherwise voluntary Framework will become mandatory or a de facto standard
of sorts against which companies will be judged.

DOJ Indicts Chinese Military Officers

The Department of Justice (DOJ) announced an indictment in May that accused
five Chinese military officers of hacking prominent businesses in the
United States in an attempt to steal trade secrets.  The indictment marked
the first time the United States had brought formal hacking charges
against a state actor for state-sponsored hacking, and it signaled the
government's willingness to prosecute such actors in the current
geopolitical environment.  The case is pending in the U.S. District Court
for the Western District of Pennsylvania.

Federal Agencies Increasingly Active

While DOJ made headlines on the criminal side, others made headlines on the
civil side.  The Federal Trade Commission (FTC) scored a major victory in
FTC v. Wyndham Worldwide Corp., the first time a federal court has upheld
the FTC's authority to bring enforcement actions against private companies
that allegedly engage in unreasonable data security practices.  Likewise,
the Federal Communications Commission issued a first-of-its-kind $10
million fine against two telecommunications carriers for alleged “unjust
and unreasonable” data-security practices in connection with phone services
to low-income consumers, posing a new liability risk to companies in that
sector.

Wyndham Worldwide aside, many still doubt that these agencies have the
authority to regulate corporate cybersecurity practices and will likely
continue to challenge that authority in court for the foreseeable future.

Congress Passes Cybersecurity Legislation

The President recently signed into law five cybersecurity-related bills
that together represent the largest legislative package on the topic to
come out of Congress in more than a decade.  The laws address, among other
things, the creation of the National Cybersecurity and Communications
Integration Center, the sharing of information between government entities
and the private sector, and the federal workforce dedicated to
cybersecurity.

None of them addresses the partisan issues that have held up legislation
in the past, including private-sector mandates, liability protections for
private-sector organizations that share cybersecurity-related information
with the government, and a national data breach notification law.
Collectively, however, they may signal an increased willingness by Congress
to address those issues and others in the years to come.

* * * * * * * *

As an eventful 2014 concludes, we can assume that the “year of the breach,”
though a catchy phrase, will likely last a good deal longer.  The coming
2015 will almost certainly pose new cybersecurity challenges that attract
the focus of lawmakers and regulatory bodies alike.  Stay tuned.



_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
