It’s hard to imagine how 2014 could be surpassed as the worst year for massive identity theft and data loss exposures.
The news developments of 2014 were relentless and mind-numbing. Heartbleed and Shellshock rose to the fore as two of the nastiest Internet-wide vulnerabilities ever to come to light. Heartbleed exposes the OpenSSL protocols widely used by website shopping carts. And Shellshock enables a hacker to take control of the module used to type text-based commands on Linux, Unix and Mac servers.
“These are problems in the very fabric of what the Internet is built on,” says David Holmes, security evangelist at F5 Networks.
Meanwhile, Target, Nieman Marcus, Dairy Queen, Home Depot, JP Morgan and SonyPictures led a parade of organizations disclosing major data breaches. Indeed, the tally of data breaches made public in the U.S. hit a record 783 in 2014, nearly 30% higher than in 2013, according to the the Identity Theft Resource Center.
“The ubiquitous nature of data breaches has left some consumers and businesses in a state of fatigue and denial about the serious nature of this issue,” says Eva Velasquez, chief executive offer of the ITRC.
The scary part
Now here’s the scary part: The pace hasn’t slowed in the first few weeks of 2015.
Consider that the financial services sector has spent billions over the past decade on the best defensive technologies and systems money can buy. Yet a low-level Morgan Stanley financial adviser was able to exfiltrate account records, including passwords, for six million of the Wall Street giant’s clients.
Meanwhile, forensic analysts at Dell SecureWorks recently uncovered a novel strain of malware circulating deep inside a corporate network. It’s being referred to as a “skeleton key.” With a skeleton key an intruder can fool the authentication protocols on widely used Microsoft Active Directory systems by typing arbitrary passwords. This enables the attacker to do such things as gain unfettered access to webmail and virtual private networks (VPNs).
“It’s much easier to be an attacker than a defender,” observes Jeff Williams, director of security strategy for Dell SecureWorks’ Counter Threats Unit. “As a defender, you must protect all paths of access, whereas the attacker only needs to find one foothold from which to mount an intrusion.”
If nothing else, the headlines of 2014 should grab the attention of company owners, directors and senior executives. No one wants to make it to the ITRC’s list of U.S. breaches for 2015.
But small and medium-sized businesses (SMBs) should pay heed as well, says William Klusovsky, a security specialist at NTT Com Security. SMBs should grasp that they are part of a wider supply chain and that modern day cybercriminals are intensively hunting for all weak links, he says.
Small business owners should “understand your businesses processes, be aware of your risk profiles and be able to explain that to your partners,” Klusovsky advises. “And then within reason implement the protections you can afford.”
A good place to start, for companies of any size, is to step into an attacker’s shoes, Dell SecureWorks’ Williams says. “Identify paths of entry and put mitigations in place, whether that be two-factor authentication, removing unneeded services, implementing, monitoring or training staff,” Williams says.
Security consultants can be valuable guides, and third-party managed services can do the day-to-day heavy lifting. But the due diligence must come from the business owner.
The business owner should plan to “remain engaged and active in the conversations with that security service provider,” Williams says.
Over time, all business owners need to develop some level of skill about security policies and procedures and look to infuse that knowledge into the company’s infrastructure.
See more at Third Certainty