As the holiday of all things scary and spooky inches closer, now’s a timely opportunity to talk about some of the scarier cyber security and nightmare scenarios from this year.
As FBI chief James Comey noted in a recent Inside Counsel article, regarding the threat of global government-supported hackers, there are two kinds of big companies in the U.S. “Those who’ve been hacked by the Chinese, and those who don’t know they’ve been hacked by the Chinese.” On October 15 the FBI issued a “flash warning” alert to U.S. companies, citing “a group of Chinese government affiliated cyber actors who routinely steal high-value information from U.S. commercial and government networks through cyber espionage.”
The spookiest thing may be that a customer-facing organization is far more likely to be hacked successfully multiple times than an individual is to spot a ghost (on Halloween or otherwise). One can argue there are two kinds of businesses: Those who have suffered a data breach and those who will suffer a data breach.
Cyber attack targets: whose network is in for a haunting?
The top five industries under attack this year, listed by security incident attacks, according to the IBM Security Services 2014 Cybersecurity Intelligence Index, are
- Finance and insurance (23.8 percent)
- Manufacturing (21.7 percent)
- Information/communications (18.6 percent)
- Retail/wholesale (6.2 percent)
- Health and social services (5.8 percent)
In 2013 more than 500 million personal data records were stolen, with an average $145 cost per record and the average cost of a single breach hitting $3.5 million, according to the IBM report.
Earlier this year a Ponemon study, polling IT and security professionals, revealed 72 percent acknowledged a data breach in the past 12 months and 57 percent expect their company to experience a breach within the next 12 months.
If that’s not creepy enough this tidbit will surely make the hair on the back of any retail network IT staffer’s neck stand up: 45 percent of U.S. shoppers intend to avoid holiday shopping at stores hit by data breaches in the past year, according to a CreditCards.com report.
That doesn’t bode too well for retailers like Supervalu, which has been hacked twice in 2014 alone.
Busting security bogeymen: opportunities for cyber security experts
While the trend toward more frequent cyber attacks paints a gloomy picture for organizations, it presents a potential opportunity for people who’re interested in getting into the cyber security industry. After all, more data security risks = greater need for data security experts, right?
Current industry trends seem to support as much. The U.S. Bureau of Labor Statistics projects that employment for information security analysts is projected to grow at 37 percent from 2012 to 2022, considerably faster than the average for all careers in the U.S. That considerable growth rate is attributed to the aforementioned uptick in cyber security attacks. The top industries employing security analysts include computer systems design, securities and comedy contracts brokerages and credit institutions.
So in the spirit of Halloween, and in celebration that October is National Cybersecurity Awareness Month, here is a look at 10 high-profile cyber security news headlines this year, in random order, detailing some of the more frightening impacts of cyber attacks and the potential implications for people working in the IT security sphere.
The double haunting: Supervalu
Retailer/wholesaler of foods’ network was hit between June 22 and July 17, the official announcement of the breach was made in August. Supervalu said there was no indication cardholder data was taken or misused. A second computer network intrusion was reported to have taken place in August. This time the hackers may have been successful in gaining access to account numbers and transaction data, but Supervalu said it couldn’t confirm if card data was stolen.
- Spook: Forcible xenomorph invasion — malware plant
- Fallout: The company took a double hit on brand, suffered costs for enhanced technology to stop such malware threats and customers were offered 12 months free consumer ID protection service.
Takeaway for IT security professionals: There’s no such thing as a grace period after a data breach, minor or major. The spook-factor here is in
The ghost in the point-of-sale machine: Kmart
The discount retail chain reported lost debit and credit card data from a hack in September that was discovered in early October. Store payment systems were infected with an ever-so-ghostly type of malware that went undetected.
- Spook: Unsolved Mystery — remains unknown
- Fallout: The retailer admits certain debit and credit card numbers were compromised but no personal info or social security numbers were taken and there is no evidence customers have been negatively impacted. It is offering free credit monitoring protection and deploying advanced software to prevent further intrusions. It issued a full release complete with an apology.
Takeaway for IT security professionals: Digital supply chains matter. The vector for the Kmart attack was through point-of-sales hardware (i.e., cash registers), which were supplied through a vendor who reported similar breaches being suffered by multiple clients.
The case of the poltergeist checkout page: eBay
The online auction site was one of the most severely hit with 145 million customer accounts hacked in the spring. The attack was the result of cross-site scripting, a stealthy exploit that redirects users to “spoof” sites mocked up to resemble a legitimate checkout page where they’d divulge sensitive billing information.
- Spook: Unsolved Mystery #2 — remains unknown
- Fallout: EBay claims no social security or account numbers were taken, but it’s likely that hackers gained access to certain user data including encrypted passwords, email, birth dates and addresses. The brand impact and potential costs of divulging customers’ stolen contact info could lead to a second round of exploits with hackers opening accounts with the names of affected users.
Takeaway for IT security pros: Response time is important. EBay has taken criticism for only resolving the exploit more than 12 hours the first user report. Helping to maintain a highly responsive IT security apparatus is especially important in an organization with a major client-facing aspect like eBay.
The scariest miscommunication: Target
Target was a major hacking victim in late 2013 during the holiday season with a reported 40 million card accounts compromised in a cyber attack. While suspicious network activity was detected ahead of time, an alleged snag in the lines of communication led to no preventative action being taken.
- Spook: The Winchester Mystery Office — unknown, reports indicate hack was through refrigeration and air conditioning supplier’s network access.
- Fallout: Target reportedly suffered a monetary loss of $148 million, resignation of CEO Gregg Steinhafel.
Takeaway for IT pros: Lines of communication to and from IT security matter. In covering the Target breach, Businessweek described a cascading series of red flag alerts that, at some point, hit a stone wall. Target’s custom-built FireEye security tool allegedly detected suspicious activity and elevated it up to the company’s India-based security team, who then elevated it to the lead security center in Minneapolis. It’s at this point that the security reaction allegedly goes dark. While the facts are still being hashed out, it seems pretty clear that some kind of major internal miscommunication happened here.
The scariest ghost no one paid much attention to: Home Depot
This information system breach occurred sometime between April and September, impacting 56 million consumers’ payment card data across the retailer’s North America and Canada locations.
- Spook: Unsolved Mystery #3 — remains undetermined
- Fallout: Major media attention (though less intense than some anticipated based on the severity of the attack) and costs to alert customers on various sites, including credit union sites, regarding the fraudulent unauthorized access to payment card data that may have impacted customers making credit and debit card purchases.
Takeaway for IT pros: The size of the media response is not directly proportional to the seriousness of the data breach. MarketWatch has described the mainstream response to the Home Depot breach as “a big fat yawn in many circles.” Whatever the reason for the indifference, it doesn’t mitigate the fact that this was an attack worse even than Target’s, with approximately 56 million cards compromised through Home Depot payments systems.
Third-party vendors spread the cyber security infection: JP Morgan Chase
August brought on unofficial reports of attacks against several big financial institutions. JP Morgan went public on October 2, reporting to the Securities and Exchange Commission that its systems had been hacked and user contact data breached, affecting approximately seven million small businesses.
- Spook: The demon of avarice — remains unknown, though security investigators believe it may have been a collaborative strategic attack aimed at several financial companies.
- Fallout: A lot of negative brand impact in addition to the potential expense of providing affected clients with financial data monitoring services.
Takeaway for IT pros: You’re only as secure as your most insecure vendor or contractor. Regardless of how much time and money JP Morgan might have invested into having its IT security team build up its own internal data security practices, the fact that a complex organization like a financial institution has to interact with smaller vendors on a regular basis means a multitude of far less secure security setups interfacing with yours.
The case of the disappearing account data: Gmail
The Google email system was breached sometime in September with the details of about 5 million accounts cryptically posted on a Russian Bitcoin Security Forum. While a lot of the data was old, the breach was an eerie wake up call, and Google reached out to all potentially compromised users and issued a notice to change account passwords.
- Spook: Unsolved Mystery #4 — remains undetermined
- Fallout: The costs associated with doing blast outreach to affected consumers, issuing public alerts regarding the breach and redoubling efforts to shore up accounts with better security.
Takeaway for IT pros: Those annoying routine security policies – like updating one’s email password every quarter (at least) – are actually important. While there’s not much a network security team can do about Google getting hacked if the organization happens to use Gmail, it makes it especially important for an IT security expert to be the gadfly when it comes to getting everyone to keep up with data security policies (CEO included).
Social engineering and the monster within: Korea Credit Bureau
A hack impacting 20 million client accounts at the start of 2014 put clients’ personal data at risk, including user addresses and account numbers at banks partnered with KCB. Approximately 104 million card numbers were compromised.
- Spook: The demon of the disgruntled workforce — KCB employee who, over the course of 18 months, copied customer client data via an external hard drive.
- Fallout: This social engineering snafu resulted in the resignation of three top KCB executives.
Takeaway for IT pros: Social engineering is one of the major vectors for serious attack. While a lot of the cases in this list are examples of attacks from external actors, the KCB case is like IT security’s worst-case social engineering scenario – huge amounts of client data slipping past the confines of the organization’s security network through a lone employee with a USB device.
FDA issues scary security alert
The Food and Drug Administration has issued a warning to medical device manufacturers, hospitals, medical device user facilities, health care technical staff and biomedical engineers that it has “become aware of cyber security vulnerabilities and incidents that could directly impact medical devices or hospital network operations.” The federal agency recommends safeguards be established given potential vulnerability as attacks could impact pacemakers or defibrillators connected to networks vulnerable to hackers.
“Supervalu suffers second data breach,” FierceRetail, September 30, 2014, http://www.fierceretail.com/story/supervalu-suffers-second-data-breach/2014-09-30?utm_medium=nl&utm_source=internal
“Almost Half of Americans Likely to Avoid Retailers Affected by Data Breaches,” October 20, 2014, http://www.prnewswire.com/news-releases/almost-half-of-americans-likely-to-avoid-retailers-affected-by-data-breaches-279762072.html
“FBI warns U.S. businesses of cyber attacks, blames Beijing,” October 15, 2014, http://www.reuters.com/article/2014/10/16/us-usa-cybersecurity-china-idUSKCN0I42MU20141016
“IBM infographic: 2014 Cybersecurity Intelligence Index – United States,” IBM, October 22, 2014, http://www-935.ibm.com/services/us/en/it-services/security-services/2014-cyber-security-intelligence-index-infographic/
“Kmart Investigating Payment System Intrusion,” Seeking Alpha, October 10, 2014, http://seekingalpha.com/pr/11289695-kmart-investigating-payment-system-intrusion
“Cybersecurity And The Danger Of Ostriches In The Boardroom,” Forbes, October 2, 2014, http://www.forbes.com/sites/dinamedland/2014/10/02/cyber-security-and-the-danger-of-ostriches-in-the-boardroom/
“Businesses spend less on cybersecurity despite rise in attacks,” Financial Times, September 30, 2014, http://www.ft.com/cms/s/0/1f8d1436-45c9-11e4-ab10-00144feabdc0.html#axzz3G7y2NXyK
“FDA Issues Warning of Potential Cyber Attacks on Medical Facilities, Devices,” Israel International News, October 13, 2014, http://www.israelnationalnews.com/News/Flash.aspx/306304#.VD0xD1f4VjM
“The top 5 largest cyberbreaches of 2014 (for now),” Inside Counsel, October 9, 2014, http://www.insidecounsel.com/2014/10/09/the-top-5-largest-cyberbreaches-of-2014-for-now?page=2
“Cybersecurity Woes Continue to Haunt Companies,” Bidness Etc, October 13, 2014, http://www.bidnessetc.com/27123-cyber-security-woes-continue-to-haunt-companies/2/
“Organizations Blind to Location of Sensitive Data Says New Research Report,” Informatica, June 24, 2014, http://www.informatica.com/us/company/news-and-events-calendar/press-releases/ponemon-data-centric-security-research-report-2014.aspx#fbid=StU4HVqh-4l
“Target Missed Warnings in Epic Hack of Credit Card Data,” Businessweek, March 13, 2014, http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
“South Korean credit card firms suspended over data breach,” ZDNet, February 17, 2014, http://www.zdnet.com/south-korean-credit-card-firms-suspended-over-data-breach-7000026406/
“Cybersecurity report: All countries lag behind the bad guys,” InfoWorld, January 31, 2012, http://www.infoworld.com/article/2618661/cyber-crime/cyber-security-report — all-countries-lag-behind-the-bad-guys.html
“Information Security Analysts,” U.S. Bureau of Labor Statistics, October 22, 2014, http://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm#tab-1
“National Cybersecurity Awareness Month 2014,” Department of Homeland Security, October 2, 2014, http://www.dhs.gov/national-cyber-security-awareness-month-2014