A look at the breaches that happened in 2014 and the reasons behind these hacks, the lessons learnt, and how organizations can improve data security and privacy for 2015.
2014 was a really bad year in terms of internet security. While the cloud is becoming the go-to solution for enterprises to manage things more productively, cloud insecurity is still a big issue. We have already talked about the 2014 breaches in various industries, including big names like Target, Michaels, Neiman Marcus, universities, hospitals, hotels, etc. Let’s drill down on other breaches here.
A recent study shows that data breaches were at their worst in 2014 and are only rising, with the cost of data breaches rising up to 25%. Debating over who to blame for these breaches is pointless; it’s not just hackers but our own carelessness as well.
What are the top reasons for Security Breaches?
- Humans are the weakest link: Employees are the leading cause of data breaches.
- Weak Encryption
- Poor Key Management
- Weak/Stolen Passwords
- Lost/Stolen Devices
- Third Party Errors
Let’s classify these reasons into types of Data Breaches and have a look at breaches that took place in 2014:
DATA BREACHES: You Nasty!
Type 1: Let’s go for Phishing!
According to an Infosecurity survey on spear phishing attacks, about 42% of respondents said that they believe their organization was targeted by a phishing attack. A phishing attack is when victims are sent deceptive messages that trick them into landing on a spoofed page which asks for their data (usernames, passwords, security numbers, etc.). According to another study, the chance of such messages luring users into opening them is about 45%, and 14% of those people submit their info. I will let the numbers do the talking here.
The biggest example of this type of attack last year is JP Morgan.
The JP Morgan Breach:
Number of people affected: 76 Million
Reason: Obvious possibility it was a phishing scam
It was reported that the users registered with JP Morgan were directed to a spoofed webpage through an email, which contained an exploit kit. Once users input a username and password on the spoofed page, they were prompted to download a fake Java update that was actually malware.
How to avoid a Phishing Scam:
While it’s impossible for an organization to control such sophisticated phishing attacks on customers, it’s possible to educate them on phishing.
- Don’t log in to a bank website via a link from an email.
- A single sign-on application can come in handy to avoid entering credentials on spoofed login pages.
Type 2: Put the blame on others (3rd party vendors and apps)
Did you know that about one third of all the retail data breaches originated from third party vulnerabilities? That’s true. Your security could be excellent but do you trust your vendors when it comes to Data Security?
Let’s have a quick look at the data breaches in 2014 that originated from a third-party vulnerability.
Goodwill Data Breach:
Number of people affected: 868,000, at 330 stores across 20 states.
According to forensic investigation, a third-party vendor’s systems had been attacked by malware, providing the attackers with access to the credit card data of several of that vendor’s customers. This affected around 10% of the Goodwill Stores and did not affect the internal systems at Goodwill.
Home Depot Breach:
Number of people affected: 56 Million
Hackers entered Home Depot’s network using a vendor’s username and password and deployed malicious software, which compromised the email IDs of around 53 million users and the credit card information of 56 million.
Other companies affected by third party vendors: AutoNation, AT&T and Lowe’s.
We highly recommend you read this article stating solutions to avoid this type of Data Breach.
Type 3: I see your weakly encrypted Data and raise you a Breach: Weak Encryption, passwords and Poor Key Management
We all know how important encryption is. A look at the breaches in 2014 suggests it’s not just encryption that matters: strong encryption along with strong key management is what is more important. Encryption alone cannot promise you ironclad security.
The basic reason behind a breach is poor key management, which an attacker can break to steal the keys for your encrypted data.
In almost all the data breaches that took place in 2014, the hackers gained access to encrypted files containing user/company information. The exception was Sony, where the usernames and passwords were stored in unencrypted files. The numbers say that in hardly 1% of data breaches was the data strongly authenticated or encrypted.
Whatever the case may be, it has become easier for hackers to get past the encryption methods used these days.
2014 has clearly shown that the industry needs strong encryption. The California healthcare data breach report says 70% of breaches involving the California healthcare industry were due to unencrypted data on lost or stolen hardware or portable media, a problem that strong encryption would fix, according to the latest data breach report from the state’s attorney general. Only 19 percent of such breaches occurred in other industries.
Sony suffered two major breaches in 2014, back to back, the employee data breach being the worst. The hackers revealed the employee usernames and passwords that were stored in an unencrypted file, along with other files including digital copies of unreleased films.
In our previous blog we reported on everything you need to know about the Sony hack. That blog also outlines the measures you should take to avoid such an attack.
iCloud Celebrity Hack:
In mid-2014, the leak of some highly compromising pictures of big celebrities broke the internet. Hackers managed to break into the iCloud accounts of celebrities and leaked their unencrypted data, mostly personal images.
The topic became a hot one for debate and we covered most of it here where you can learn how this hack revealed the darker side of the Cloud.
Type 4: The fault in our Web
The very basis of cloud security is the Secure Sockets Layer (SSL), which is used to secure traffic on the internet. Socket-layer encryption is used for all the transactions happening between the internet user and the internet server, so a vulnerability in this layer of security affects the widest range of internet users. 2014 was a horrible year for breaches of this very basic security system. First came Heartbleed, then Shellshock, and later POODLE.
Heartbleed: Bug in the TLS heartbeat implementation
The Heartbleed bug existed on the internet for more than 2 years, starting with the release of OpenSSL version 1.0.1. It was a basic programming error that exposed a 64K chunk of data, which is big enough to expose the private keys used for encryption. So everyone using OpenSSL, that is one third of internet traffic, was left exposed for 2 years until the bug was fixed in the latest version of OpenSSL.
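The programming error was a missing bounds check: the heartbeat handler echoed back as many bytes as the request claimed to carry, without comparing that claim to the size of the record actually received. The sketch below is an added illustration, not OpenSSL's code; the function names, buffer layout and the "secret" string are constructed for the demo, and the over-read is kept inside one array so the program stays well defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_PADDING 16                      /* minimum padding, RFC 6520 */
static const char SECRET[] = "CONSTRUCTED-PRIVATE-KEY";  /* stand-in for key material */
static uint8_t mem[256], out[256];         /* constructed process memory, reply buffer */

/* Vulnerable shape: trusts the length field carried inside the message. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *dst) {
    (void)rec_len;                         /* actual record size is never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(dst, rec + 3, claimed);         /* reads past the record if claimed is too big */
    return claimed;
}

/* Hardened shape: type + length + payload + padding must fit in the record. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *dst) {
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (3 + claimed + HB_PADDING > rec_len) return 0;   /* discard silently */
    memcpy(dst, rec + 3, claimed);
    return claimed;
}

/* Demo only (keep claimed <= 253): 4-byte request, SECRET right after it, one handler run. */
size_t run_demo(int checked, uint16_t claimed) {
    memset(mem, 0, sizeof mem);
    mem[0] = HB_REQUEST; mem[1] = (uint8_t)(claimed >> 8); mem[2] = (uint8_t)claimed;
    memcpy(mem + 3, "ping", 4);
    size_t rec_len = 3 + 4 + HB_PADDING;             /* 23 bytes received */
    memcpy(mem + rec_len, SECRET, sizeof SECRET);    /* adjacent, unrelated data */
    return checked ? hb_reply_checked(mem, rec_len, out)
                   : hb_reply_unchecked(mem, rec_len, out);
}

/* Returns 1 if the first n bytes of the reply contain SECRET. */
int reply_leaks(size_t n) {
    size_t k = sizeof SECRET - 1;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(out + i, SECRET, k) == 0) return 1;
    return 0;
}

int main(void) {
    int a = reply_leaks(run_demo(0, 64)), b = reply_leaks(run_demo(1, 64));
    printf("unchecked leaks: %d, checked leaks: %d\n", a, b);
    return 0;
}
```

With a 16-bit length field the claim can be as large as 64K, which is where the chunk size quoted above comes from.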
Shellshock is a family of security bugs in the Unix Bash (Bourne Again SHell) shell, which is used for evaluating and executing commands from users and other programs. When Bash is used in a web server deployment, this bug can allow an attacker to gain unauthorized access to a computer system.
POODLE, a bug with a catchy name, affected SSL encryption technology. When exploited by an attacker, it tricks computers into giving up sensitive data, which could give the hacker access to your web applications, social accounts and email accounts.
These vulnerabilities were the most widespread and, even though they were not very severe, they could have been a nightmare for companies in the cloud if an attacker had exploited them.
Looking at the above examples from 2014, can we expect a more secure 2015? I would say probably not. There will be more breaches and there will be more vulnerabilities that hackers exploit. The only way to stay secure is to be prepared and take every security measure possible to avoid these breaches as much as possible. Preventing a data breach from happening is like avoiding the inevitable.
If you liked this summary of data breaches in 2014, please share it with others and comment to let us know what you think about 2015 as a year of security breaches.