There’s no arguing that 2015 was a record year in data-breaches and hacks. Both in quantity and quality, the cyber-attacks we witnessed last year outmatched those of 2014 (which itself was a shocking year in data-breaches), hitting anything and anyone, from high-profile targets to ordinary ones.
As we take our first steps into 2016, it is good to stop and ponder what went wrong in 2015. Here’s a look at how some of the worst hacks of the past year could have been prevented, or at least lessened in damage.
Security is a proactive practice, not a reactive one
Many organizations and firms make the mistake of thinking about gaping security holes after a data-breach takes place, not before it does. But by then, the damage is done and there’s no turning back.
This was certainly the case with giant toymaker VTech, which was hacked in mid-November, resulting in the theft of personal information belonging to 5 million users, including the names, genders and birthdays of more than 200 thousand kids.
VTech was breached through a SQL injection attack, one of the oldest – but most effective – tricks in hackers’ books, in which input submitted through website forms is passed unchecked into a database query, so that the input is executed as SQL commands by the server. Had the company adopted measures to regularly test its defenses against real-world threats, this vulnerability could have been detected and fixed before the attack took place.
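The bug class described above, as an added example that is not from the article or VTech’s code: a lookup that concatenates form input into the SQL text, next to the parameterized version that fixes it. The table, column names and rows are constructed for the demonstration.

```python
"""Added example (not from the article): a SQL-injectable lookup next to
its parameterized fix. Table, columns and rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for a site's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@example.com", "hash-a"),
                      ("bob@example.com", "hash-b")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Form input is spliced straight into the SQL text, so the input can
    # change the structure of the query instead of only supplying a value.
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    # The driver passes the value separately from the SQL text; whatever
    # the input contains, it is only ever compared as a string.
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


# Constructed form input that closes the quoted literal and appends a
# condition that is always true; the classic textbook injection string.
CRAFTED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, CRAFTED_INPUT))     # every row comes back
    print(lookup_parameterized(db, CRAFTED_INPUT))  # no such email: []
```

Regular penetration testing, as the article recommends, is what would have turned up the first function’s behaviour before an attacker did.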
What’s worse, a deeper look into the VTech breach showed how unprepared the company was. Websites and databases with root access to servers, weakly-encrypted passwords, account-recovery questions stored in plain text and the transfer of sensitive information over insecure channels are just some of the facts that prove VTech hadn’t taken the most trivial security best practices seriously at all.
Luckily for VTech, the hacker who breached its systems didn’t publish the stolen data. But the blow to its reputation was enormous nonetheless. If other companies wish to avoid going through the same nightmare, they should understand that security practices are not negotiable and are a prerequisite for doing online business. Therefore they should make penetration testing, tabletop breach exercises, regular training of staff and updating data breach response plans part of their daily work.
You might be hacked and not even know it
Not all hackers reveal their intentions after they breach a system, especially if they need time to collect and exfiltrate sensitive information from their victims. Some hacks take months, or even as long as a year, to complete.
Last April, authorities at the U.S. Office of Personnel Management (OPM) detected a breach of their networks that may have been underway for many months, or even longer, and hackers – allegedly tied to China – may have had a free run of their networks during this period. The hack, which became known as the “biggest breach in U.S. history,” involved the theft of sensitive information belonging to 21 million U.S. federal employees, including fingerprint data for more than 5 million people.
The breach was discovered by chance, after KeyPoint, one of OPM’s contractors, was compromised in 2014, which led the OPM to get outside help from the Department of Homeland Security and other agencies to scan its networks for traces of similar hacks. And that’s when traces of malicious activity were first detected.
The IT security standards – which were very poor to begin with – amounted to waiting for some conspicuous sign before sounding the alarms, while the attackers were clever and well-resourced enough to disguise their activity as normal traffic after gaining a foothold in the system. Had the security staff run regular checks of the processes running on their systems, they might have been able to discover the malware installed on their servers earlier.
The lesson to take away is that it’s good practice to always check for signs of intruders trying to infiltrate your networks, but you also have to continually look for signs of intruders already inside your systems.
Never place your bets on a single security tool
This is yet another lesson to learn from the OPM hack: No matter how strong a security tool might be, always prepare yourself for the day it gets circumvented by hackers. In the case of OPM, the agency relied on the $4.5 billion Einstein cybersecurity tool, a technology sitting astride the government’s trusted gateways and tasked with active attack prevention through deep packet inspection. But the tool proved incapable of catching the tactics employed by state-sponsored hackers.
Once they got past Einstein, hackers had a plethora of attack vectors and vulnerabilities to choose from, which could be found in the outdated and flawed software and operating systems deployed on network machines. The situation was only exacerbated by lack of encryption software in some of the critical systems and weak credential distribution policies.
Intrusion detection systems such as Einstein are great for stopping attacks that have been seen before, but not against zero-day attacks, and placing the entire network’s security into their hands is a losing bet. Such systems should be used as complementary to other tools and security best practices.
In fact, the OPM had been warned about the material weakness in its security practices by the OPM Inspector General (IG) office as far back as 2007. But those warnings were not heeded properly and the necessary steps to mitigate risks were not taken. The extent of the damage dealt by the hack is still not known.
Don’t place all your eggs in one basket
When you collect a large amount of data, especially if it involves sensitive information, you should always take care not to store it all in one location. Although having data gathered in one location can make reporting and analytics tasks easier, it will also make it easier for hackers to rob you blind by obtaining access to a single database server.
2015 was the year of healthcare data breaches, but the worst case by far was that of Anthem, the health insurer billed as the second largest in the U.S. In early February, the insurer came forward with the news that it had been the victim of a cybertheft attack involving personal information belonging to about 80 million people, including names, birthdates, Social Security Numbers and other sensitive information.
Although the attack was carried out through phishing scams and by taking advantage of the weak logging mechanisms implemented by the health insurer, one of the main reasons the attackers managed to get away with so much data was the fact that all of the company’s records were kept in a single database.
Another noteworthy case was that of Ashley Madison, the cheating website that lost 37 million user records to a data-breach in July. The hackers – who dubbed themselves the Impact Team – had an easy time downloading user account information because they only had to download it from a single database.
Splitting data in separate locations could have slowed the hackers down and lessened the effects of the data-breaches in both cases.
Encrypt sensitive information and communication
Data encryption is nothing new, but unfortunately, much of the success attributed to data-breaches in 2015 was due to the fact that the victims had either neglected encrypting sensitive customer information, or had done so using very weak methods and algorithms.
VTech, for instance, had protected user passwords with nothing more than the weak MD5 hash algorithm, which is easily reversed, and account recovery information was stored as plain text, effectively leaving the whole set at the mercy of the attackers.
The same can be said about Anthem, which had claimed to use “state-of-the-art information security systems” to protect customer data, but had refrained from encrypting Social Security Numbers and birthdates, two pieces of information that are invaluable to identity thieves.
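An added example, not from the article, of why the unsalted MD5 digests VTech relied on give passwords no protection, next to a salted, deliberately slow password hash (PBKDF2 from the Python standard library). The wordlist and passwords are constructed.

```python
"""Added example (not from the article): unsalted MD5 recovered by a
dictionary lookup, versus a salted, iterated PBKDF2 hash. Constructed data."""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed stand-in for a small wordlist an attacker already has.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "vtech2015"]


def md5_hex(password: str) -> str:
    # Unsalted, single-round MD5: the same password always yields the same
    # digest, and commodity hardware computes billions of these per second.
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    # One digest per candidate, precomputed once, turns every leaked hash
    # into a dictionary lookup; no per-user work is needed at all.
    table = {md5_hex(p): p for p in wordlist}
    return table.get(digest)


def pbkdf2_store(password: str, iterations: int = 100_000) -> Tuple[bytes, bytes]:
    # A random per-user salt defeats precomputed tables, and the iteration
    # count makes every guess cost the attacker the same as the defender.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes,
                  iterations: int = 100_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    leaked = md5_hex("letmein")          # what a VTech-style store held
    print(crack_md5(leaked, COMMON_PASSWORDS))   # -> "letmein"
    salt, stored = pbkdf2_store("letmein")
    print(pbkdf2_verify("letmein", salt, stored))  # -> True
    print(pbkdf2_store("letmein")[1] != stored)    # salted: -> True
```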
Communication channels are likewise being ignored as possible attack vectors, and many of the victims were transferring data over unencrypted channels, or by using outdated and vulnerable protocols.
VTech didn’t use SSL encryption anywhere on its websites, which means all sensitive data, such as passwords, was being transmitted unprotected. This effectively means that you don’t even need a data-breach to steal information; you only have to eavesdrop on the site’s traffic.
In the OPM case, at least one of its web portals was using TLS 1.0, an obsolete crypto protocol that is open to attacks.
In each case, using encrypted data and encrypted communication channels could have minimized the effects of the attack or made the breach irrelevant by rendering the obtained data undecipherable and thus unusable to the hackers.
Respect customers’ privacy
Another important issue to consider is not storing excessive and unnecessary information, which could minimize damage to customers in case a data-breach does occur.
Ashley Madison had offered a service that supposedly allowed users to completely wipe their profiles for a $19 fee, a service with which the company netted $1.7 million in 2014. But the hackers that breached the site proved the service to be a lie, and they also published credit card payment information, which revealed real names and addresses of users. Regardless of the nature and intentions of the site’s users, the company had made a commitment to protect their privacy, on which it failed to deliver.
In the aftermath of the data being spilled across the internet, several of the desperate victims committed suicide and others were subjected to blackmail. The company itself was hit by several lawsuits for having failed to protect customer data, and Noel Biderman, its CEO, resigned in August.
The VTech hack revealed that the company stored a large amount of headshots and chat logs from parents and children. It wasn’t clear why the company stored all this data in the first place, or why it hadn’t considered the impact its theft could have on its customers. The fact that such data could have found its way into the hands of malicious parties left the customers furious, and the company came under the scrutiny of several state attorneys general in the U.S. over its compliance with children’s privacy protection laws.
Companies should be careful about what they store on their servers and how long they store it for. You can protect your customers and save yourself quite a few headaches by minimizing the amount of data that can be pilfered in case of a data breach.
2016 will no doubt have its own set of significant hacks and data breaches. More zero-days will emerge, tech companies will make major blunders, sites will be hacked, keys will be stolen, and disgruntled employees will turn on their bosses. But by learning from previous mistakes, we can provide a safer future for our users and customers, and at least prevent history from repeating itself.