Corporate Hacks: after all the disasters of 2013, why are they still happening?
2013 was an eye-watering smorgasbord of cyber villainy, led perhaps by the monster-sized Adobe hack. A dump of around 152 million user records, including encrypted credit card numbers, expiration dates and personal details, was lifted from Adobe's servers. The Target hack was a close second: 40 million payment card details were skimmed directly from point-of-sale equipment, and the personal details of a further 70 million customers were taken with them.
So! Did the corporate world learn from the 2013 tsunami of digital criminality? Have companies rushed to install BlackBerry BES servers to secure email? Were cyber risk assessments commissioned on legacy software? Were password policies updated to include two-factor authentication and regular password changes? Was the practice of allowing personal, unmanaged computer equipment to access company servers abolished? Was third-party access to corporate servers risk assessed? Has there been widespread adoption of staff cyber security training? Etc., etc.
Judging by the increasing level of reported cybercrime, no, it didn't.
We have to ask why the hell not!
(Warning: anecdote.) I recently had a conversation with a friend while helping her connect her shiny new consumer smartphone to a work email account. I mentioned, while doing the small amount of work necessary, that the email server was unsecured. She was unconcerned and asked why anyone would be interested in reading her emails. It is a fair question, I suppose. I asked her if she sends (multi-million pound) contracts by email; she said yes, of course. I asked what would happen if she lost her phone. She said that could never happen. Unfortunately it happens quite a lot: there were 15,000 phones reported lost on the London Underground alone last year, some from theft but most just left lying on seats. I suggested that if she lost her phone then the finder or thief could put the financial stability of her company at risk. It's a very simple fact!
The above anecdote is just that, an anecdote, but it helps paint a rather clear picture of the attitude of senior management in the corporate world. The stock answer of "Who knew?" when the next big hack arrives is getting tedious. The evidence seems to imply that senior managers believe data theft is an inconvenient truth to be covered up rather than a business threat.
Is there a cost to cybercrime?
What is the cost of cybercrime? Is security important, or is it just about a hygiene-challenged kid in a basement getting his thrills by tweaking "The Man"?
The actual figure is hard to pin down. The purveyors of digital security would say over a trillion dollars per year. I never believe people who judge their own case, so I turned to the boring but diligent UK Government for an answer. Apparently the cost of cybercrime is around £27bn ($42bn) per year in the UK ALONE! The 2013 Target hack in the US will cost the company $127 million, and that's before the court cases begin.
Since data moved from paper ledgers in the office to digital, connected storage it has become far less secure. Twenty-five years ago we would put paperwork in a safe or a locked office and know that, unless a guy with a crowbar broke into the building, the information was safe. No one except senior management was allowed to sign out paperwork (read: data). Now everyone with a smartphone or a laptop is a risk to business data. The entire customer list of a business can be held on a smartphone. Supply agreements can be held on a device, and location history is stored, so who went where to do business is easily found. The loss of one smartphone containing a list of customers could destroy a company.
What is the cybercrime state of play in 2014?
So! What have businesses learned from 2013? It appears nothing. Below, in no particular order, is a list of some of the bigger hacks that featured this year.
1. SONY PICTURES
The attack on the film studio was so severe that employees switched to pen and paper. Sony also reactivated legacy BlackBerry BES servers and phones in order to send and receive email through its own infrastructure.
What was leaked?
Hackers obtained over 100 terabytes of data, ranging from unreleased films, employee passwords and credit card details to medical histories and executive salary details.
Who did it and how?
A group known as 'Guardians of Peace' or 'GOP' claimed responsibility for the attack. Fingers have been pointed at North Korea, but Sam Glines, who runs the cybersecurity company Norse, disputed this: "It's clear to us, based on both forensic and other evidence we've collected, that unequivocally they (North Korea) are not responsible for orchestrating or initiating the attack on Sony." Norse's analysts say the likely attackers were helped by a Sony insider.
Alternative theories say the attack originated in the Russian Federation.
The fallout
Ongoing
2. APPLE iCLOUD
This one gained a lot of attention due to the sensitivity of the content that was released at the end of August.
What was leaked?
Hundreds of nude images of female celebrities, obtained from Apple's iCloud service and released on 4chan.
Who did it and how?
A 4chan user who referred to himself as "a collector" tried to sell the images privately before they were released. Reddit became a primary source of distribution through the 'TheFappening' subreddit, which was subsequently banned by admins. Images were also shared on Twitter. The celebrity iCloud accounts are believed to have been accessed through a combination of simple brute-force password guessing (which works only when the service does not throttle or lock out repeated failures) and answering the account-recovery security questions, whose answers for public figures are often a web search away.
The fallout
Although Apple stretched the everyday meaning of the word "hack" (unauthorised access to a computer system) and steadfastly maintained that iCloud itself wasn't breached, there is no denying that the private content was obtained from its iCloud service. After the leaks, the firm did increase security. So, we can take from Apple's response that iCloud is safe, but the content isn't... hmm. Okay.
Apple now sends out notifications when requests are made to access iCloud through a web browser or to restore data to a device.
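The attack path described above is worth seeing in code. The following is an added example, not code from the original post or from Apple: it runs a simple brute-force detector over a constructed, hypothetical auth log, and then shows a toy login service with and without per-account lockout, so that the same small wordlist attack succeeds against one and is stopped by the other. The log format, the threshold of five failures in five minutes, the 15-minute lockout and the wordlist are all illustrative assumptions, not any real provider's policy.

```python
"""Brute-force login detection and account lockout (added example, not the post's own code).

Assumptions (hypothetical): auth log lines look like
    "<ISO timestamp> <user> <source ip> <OK|FAIL>"
and the thresholds below are illustrative, not any real provider's policy.
"""
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): five failures in five seconds for
# 'alice' followed by a success; a single typo-style failure for 'bob'.
SAMPLE_LOG = """\
2014-08-30T02:00:01 alice 203.0.113.7 FAIL
2014-08-30T02:00:02 alice 203.0.113.7 FAIL
2014-08-30T02:00:03 alice 203.0.113.7 FAIL
2014-08-30T02:00:04 alice 203.0.113.7 FAIL
2014-08-30T02:00:05 alice 203.0.113.7 FAIL
2014-08-30T02:00:06 alice 203.0.113.7 OK
2014-08-30T02:10:00 bob 198.51.100.9 FAIL
2014-08-30T02:30:00 bob 198.51.100.9 OK
"""

WINDOW = timedelta(minutes=5)   # assumed detection window
THRESHOLD = 5                   # assumed failure count that counts as brute force
START = datetime(2014, 8, 30, 2, 0, 0)
# Assumed attacker wordlist; the victim's real password is the last entry.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "welcome", "monkey", "dragon", "sunshine"]


def parse_line(line):
    """Split one log line into (timestamp, user, source, result)."""
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result


def detect_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window detector: return {user: time of the first failure
    at which `threshold` failures fell inside `window`}."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _src, result = parse_line(line)
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts
    return flagged


class LoginService:
    """Toy password check. max_attempts=None reproduces the weak setting
    (no lockout); the default locks the account after repeated failures."""

    def __init__(self, passwords, max_attempts=5, lockout=timedelta(minutes=15)):
        self._passwords = passwords      # user -> password; a real system stores hashes
        self.max_attempts = max_attempts
        self.lockout = lockout
        self._failures = defaultdict(int)
        self._locked_until = {}

    def login(self, user, password, now):
        until = self._locked_until.get(user)
        if until is not None and now < until:
            return "LOCKED"                       # refuse even a correct password
        stored = self._passwords.get(user, "")
        if hmac.compare_digest(stored.encode(), password.encode()):
            self._failures[user] = 0
            return "OK"
        self._failures[user] += 1
        if self.max_attempts is not None and self._failures[user] >= self.max_attempts:
            self._locked_until[user] = now + self.lockout
            self._failures[user] = 0
        return "FAIL"


def brute_force(service, user, wordlist, start=START):
    """Try every candidate one second apart; return (password found or None, attempts)."""
    now = start
    for attempt, guess in enumerate(wordlist, 1):
        if service.login(user, guess, now) == "OK":
            return guess, attempt
        now += timedelta(seconds=1)
    return None, len(wordlist)


if __name__ == "__main__":
    print("flagged:", detect_bruteforce(SAMPLE_LOG))
    weak = LoginService({"alice": "sunshine"}, max_attempts=None)
    print("no lockout:", brute_force(weak, "alice", WORDLIST))
    hardened = LoginService({"alice": "sunshine"})
    print("with lockout:", brute_force(hardened, "alice", WORDLIST))
```

The detector flags alice at the fifth failure and ignores bob's single typo; the unthrottled service gives up the password on the eighth guess, while the hardened one answers LOCKED from the sixth attempt onwards and stays locked even for the correct password until the lockout expires. Per-account lockout is the control the page's "simple brute force" depends on being absent; it does nothing against the second path, guessable security questions, which needs a separate fix.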
3. JP MORGAN CHASE & CO.
America's biggest bank was hacked.
What was leaked?
Details of 76 million US households and 7 million small businesses were compromised. The stolen data included names, addresses, phone numbers and email addresses.
Who did it and how?
Sources told Bloomberg that the origins of the hack could be traced back to cybercriminals located in Russia, and even pointed to a possible state-coordinated attack. However, the perpetrators remain unknown.
The hackers are believed to have used an employee's credentials to reach one of the bank's servers, then exploited flaws in that server to install malware, move further into the network and read and manipulate records.
The fallout
Ongoing
4. THE GREAT CREEPY WEBCAM HACK
One of the creepiest hacks of 2014 came to light last month, when it was revealed that live feeds from ordinary people's webcams were being broadcast online.
What was leaked?
A Russian website called Insecam was found to be streaming live video from thousands of networked cameras (excluding laptop webcams) in a huge invasion of privacy.
In the UK, around 584 cameras were originally available to view (135 as of writing), including feeds from offices, factories and even a pub in Egham. At one point, children and babies could be seen sleeping.
Who did it and how?
According to technical analyst Jaime Pepper: "This hack was against webcams primarily from a company called Foscam that makes IP-based video cameras, and there are several knockoff brands as well. The hack was from people not changing the default password of this and other major brands of IP cameras."
The fallout
The website is still up and running and provides a warning about networked cameras. Users of such devices are urged to change the factory default password to a strong, unique one, and to keep the camera's web interface off the public internet where they can.
5. EBAY
eBay had one of the biggest breaches of all time, when the data of all its users was stolen.
What was leaked?
Personal details including names, addresses, phone numbers and dates of birth belonging to all 145 million customers were stolen, along with their encrypted passwords.
Who did it and how?
Cybercriminals are believed to have compromised a small number of employee log-in credentials. These were then used to gain unauthorised access to eBay's corporate network.
The fallout
eBay was criticised for telling users about the hack two weeks after it found out. However, despite sitting on news of the breach, the firm claimed there was no evidence of increased fraudulent activity.
All users were advised to change their passwords after the breach was made public.
The US states of Connecticut, Florida and Illinois joined forces to investigate the company's security policies, along with the country's Federal Trade Commission.
The UK data protection watchdog, the Information Commissioner's Office (ICO), initially said it would launch a probe into the breach. However, after establishing that eBay was registered as a data controller in Luxembourg, it told IT Pro no further action would be taken.
In other words, possibly the biggest hack of all time had a fallout for eBay that is equal to NOTHING!
6. HOME DEPOT
The biggest retail breach to date.
What was leaked?
The DIY superstore group had 53 million email addresses and 56 million payment card details stolen from its systems.
Who did it and how?
Unknown.
The cybercriminals are believed to have used a third-party supplier's credentials to gain access to Home Depot's network. This was the same modus operandi used in the Target breach last year. Custom malware was then deployed on Home Depot's self-checkout systems in the US and Canada, where it harvested customer payment card data as cards were swiped.
The fallout
Since the hack, Home Depot has enhanced the encryption of payment data in all US stores and rolled out EMV chip-and-PIN technology, which has been in use in the UK since 2004.
What is the answer?
Businesses are being hacked daily; it's a fact. What should we do?
1. Install BES12, the EMM gold standard, to manage email and devices.
2. Train employees to recognise security issues, and create appropriate sanctions for non-compliance. (Take control.)
3. Risk assess all systems rigorously, assume they will be hacked, and take action to PREVENT it.
4. Spend money doing the above.