2016 was not a great year for security, at least where high-profile breaches, hacks, and data leaks were concerned. The year saw yet another laundry list of big-name companies, organizations, and websites hit with distributed denial-of-service (DDoS) attacks, huge caches of customer data and passwords hitting the black market for sale to the highest bidder, and all manner of malware and ransomware intrusions.
There's plenty that businesses can do to mitigate these risks. You can, of course, invest in an endpoint security solution, but it's also important to follow data security best practices and make use of available security frameworks and resources.
Nonetheless, 2016 saw LinkedIn, Yahoo, the Democratic National Committee (DNC), and the Internal Revenue Service (IRS) thrust into the spotlight in the wake of cataclysmic attacks and breaches. We spoke to Morey Haber, Vice President of Technology at vulnerability and identity management provider BeyondTrust, about what the company considers the five worst hacks of the year—and the critical lessons businesses can learn from each.
1. Yahoo
The fallen internet giant had a historically bad security year to complement its sagging financials, snatching defeat from the clutches of victory after a string of high-profile breach disclosures and customer data leaks left Verizon scrambling to find a way out of its $4.8 billion acquisition. Haber said the Yahoo breaches can teach businesses three valuable lessons:
- Trust your security teams and do not isolate them.
- Do not put all your crown jewels in one database.
- Follow the law and ethics for proper breach disclosure.
"It's the first time a major corporation, up for sale, was double-dipped for a breach in one year, and holds the title for the largest breach ever for a single company," said Haber. "What makes this even more compelling as the worst breach of 2016 is the breach occurred three years prior to public disclosure and the second breach was only discovered due to forensics of the first breach. Over one billion accounts in total were compromised, representing to all companies how not to manage security best practices within your business."
2. Democratic National Committee
In the most infamous security breaches of election season, the Democratic National Committee (DNC) was hacked on more than one occasion, resulting in emails from officials (including DNC chair Debbie Wasserman Schultz and Clinton campaign manager John Podesta) leaking through WikiLeaks. In hacks that US officials have traced back to the Russian government, Haber pointed to guidelines and recommendations from the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the National Institute of Standards and Technology (NIST) that could have mitigated the DNC's security vulnerabilities:
- Guidelines for privileges, vulnerability assessment, patching, and pen testing all exist in established frameworks such as NIST 800-53v4.
- Agencies need to do a better job of implementing established frameworks (such as the NIST Cybersecurity Framework) and measuring their success.
"The FBI and DHS have released a document outlining how two Advanced Persistent Threats [APT 28 and APT 29] used spear phishing and malware to infiltrate the US political system and provide covert operations to tamper with the US election process," said Haber. "The blame is squarely aimed at a nation-state attack, and [the document] recommends steps all government and political agencies should take to stop this type of intrusion. The problem is, these recommendations are nothing new, and form the basis for security guidelines already established from NIST."
3. Mirai Botnet
2016 was the year that we finally witnessed the magnitude of cyberattack of which a global botnet is capable. Millions of insecure Internet of Things (IoT) devices were swept into the Mirai botnet and used to massively overload domain name system (DNS) provider Dyn with a DDoS attack. The attack knocked out Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter, and a ton of other major websites. Haber pointed to four straightforward IoT security lessons that businesses can take from the incident:
- Devices that cannot have their software, passwords, or firmware updated should never be implemented.
- Changing the default username and password is recommended for the installation of any device on the internet.
- Passwords for IoT devices should be unique per device, especially when they are connected to the internet.
- Always patch IoT devices with the latest software and firmware to mitigate vulnerabilities.
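The four lessons above can be enforced as an inventory audit. The following is an added example (not code from the article or from BeyondTrust); the device inventory, the default-credential list and the 180-day patch window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed vendor default-credential pairs (placeholders, not a real vendor list).
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}
MAX_FIRMWARE_AGE_DAYS = 180  # assumed patching-policy threshold

@dataclass
class Device:
    name: str
    username: str
    password: str
    internet_exposed: bool
    firmware_updatable: bool
    firmware_date: date  # build date of the firmware currently installed

def audit(devices, today):
    """Map each device name to its policy findings (empty list means compliant)."""
    findings = {d.name: [] for d in devices}
    by_password = {}
    for d in devices:
        # Lesson 1: no update path means no remediation path once a flaw is found.
        if not d.firmware_updatable:
            findings[d.name].append("not updatable; should not be deployed")
        # Lesson 2: default credentials are what Mirai-style scanners try first.
        if (d.username, d.password) in DEFAULT_CREDS:
            findings[d.name].append("default credentials in use")
        # Lesson 4: firmware outside the policy window means known bugs stay unpatched.
        if (today - d.firmware_date).days > MAX_FIRMWARE_AGE_DAYS:
            findings[d.name].append("firmware older than %d days" % MAX_FIRMWARE_AGE_DAYS)
        by_password.setdefault(d.password, []).append(d)
    # Lesson 3: a shared password turns one compromised device into a fleet compromise.
    for group in by_password.values():
        for d in group if len(group) > 1 else []:
            exposure = "internet-exposed, " if d.internet_exposed else ""
            findings[d.name].append(f"{exposure}password shared with {len(group) - 1} other device(s)")
    return findings

# Constructed inventory; the credentials are placeholders.
INVENTORY = [
    Device("cam-lobby", "admin", "admin", True, True, date(2016, 9, 1)),
    Device("cam-dock", "svc", "Xk9#pQ2v", True, True, date(2016, 11, 20)),
    Device("dvr-01", "svc", "Xk9#pQ2v", False, False, date(2015, 3, 4)),
    Device("thermostat", "ops", "hT4$wL8m", False, True, date(2016, 12, 1)),
]

def run_demo():
    """Audit the constructed inventory as of the end of 2016."""
    return audit(INVENTORY, date(2016, 12, 31))
```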
"The Internet of Things has taken over our home and corporate networks, literally," said Haber. "With the public release of the Mirai malware source code, attackers created a botnet that [leverages] default passwords and unpatched vulnerabilities to create a sophisticated worldwide botnet that can cause massive DDoS attacks. It was used successfully multiple times in 2016 to disrupt the internet in the US via DDoS against the DNS services provided by Dyn to telecoms in France and banks in Russia."
4. LinkedIn
Changing your passwords frequently is always a smart idea, and that goes for your business and personal accounts. LinkedIn was the victim of a major hack in 2012 that leaked publicly late last year, as well as a more recent hack of its online learning website Lynda.com that affected 55,000 users. For the IT managers setting business security and password policies, Haber said the LinkedIn hack comes down largely to common sense:
- Change your passwords frequently; a four-year-old password is probably just asking for trouble.
- Never re-use your passwords on other websites. That four-year-old breach could easily lead to someone trying that same password on another social media website or email account and could compromise other accounts simply because the same password was used in multiple places.
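Both lessons can be checked at password-set time, along with whether a password already appears in a leaked hash set. The following is an added example, not code from the article: it uses the k-anonymity range-query scheme popularized by Have I Been Pwned's Pwned Passwords service, but the leaked corpus, the `range_query` stand-in for the remote endpoint, the accounts and the 365-day rotation policy are all constructed here.

```python
import hashlib
from datetime import date

MAX_PASSWORD_AGE_DAYS = 365  # assumed rotation policy

# Constructed stand-in for a leaked corpus: unsalted SHA-1, as in the LinkedIn dump.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
               for p in ("linkedin", "password1", "Summer2012")}

def range_query(prefix5):
    """Stand-in for the remote range endpoint: hash suffixes for a 5-hex-char prefix."""
    return [h[5:] for h in LEAKED_SHA1 if h.startswith(prefix5)]

def is_exposed(password):
    """Only the first 5 hex chars of the SHA-1 leave the client; matching is local."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])

def review(accounts, today):
    """accounts: (user, site, password, last_changed) tuples -> {'user@site': findings}.
    Plaintext is available here only because the check runs at password-set time."""
    findings = {}
    by_user_pw = {}
    for user, site, password, changed in accounts:
        key = f"{user}@{site}"
        issues = findings.setdefault(key, [])
        if (today - changed).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("stale")
        if is_exposed(password):
            issues.append("in leaked set")
        by_user_pw.setdefault((user, password), []).append(key)
    # Reuse: the same person using one password on several sites.
    for keys in by_user_pw.values():
        for k in keys if len(keys) > 1 else []:
            findings[k].append("reused on %d other site(s)" % (len(keys) - 1))
    return findings

# Constructed accounts; the strong password is a placeholder.
ACCOUNTS = [
    ("alice", "linkedin.com", "linkedin", date(2012, 5, 1)),
    ("alice", "mail.example", "linkedin", date(2016, 6, 1)),
    ("bob", "linkedin.com", "Tq7!vN2#rL", date(2016, 10, 3)),
]

def run_demo():
    """Review the constructed accounts as of the end of 2016."""
    return review(ACCOUNTS, date(2016, 12, 31))
```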
"An attack over four years ago was publicly leaked in early 2016," said Haber. "Users that had not changed their passwords since then found their usernames, email addresses, and passwords publicly available on the dark web. Easy pickings for a hacker."
5. Internal Revenue Service (IRS)
Lastly, Haber said we can't forget about the IRS hacks. These happened twice, in 2015 and again in early 2016, and affected critical data including tax returns and Social Security numbers.
"The attack vector was against the 'Get Transcript' service, used for everything from college loans to sharing your tax returns with authorized third parties. Due to the simplicity of the system, a social security number could be used to retrieve information and then create fake tax returns, amounting in a refund and [funds being forwarded] electronically to a rogue bank account," explained Haber. "This is noteworthy because the system, like Yahoo, was breached twice, fixed, but still had severe flaws that allowed it to be breached again. In addition, the scope of the breach was grossly underestimated, from early accounts of 100,000 users to over 700,000 in the end. It is unknown if this will surface again for 2016 returns."
Haber pointed to two core lessons that businesses can learn from the IRS hacks:
- Penetration testing fixes are crucial; just because you fixed one flaw does not mean the service is secure.
- Forensics is critical after an incident or breach. Being off by a factor of seven on the number of accounts affected indicates that no one really understood the scope of the problem.
"For 2017, I think we will expect more of the same. Nation-states, IoT devices, and high-profile companies will be the focus of breach reporting," said Haber. "I believe there will be an uptick of coverage on privacy laws governing IoT devices and the sharing of information contained within them. This will cover everything from devices like Amazon Echo to information flowing from EMEA [toward] the USA and Asia-Pacific within companies."