Data breaches, security vulnerabilities and stolen selfies: The top cybersecurity stories of 2014
It's been a very eventful year in the world of information security. Unfortunately, eventful is not usually good when it comes to hackers, vulnerabilities and data breaches! Security professionals around the world had their hands full with major incidents and short-notice patching operations in 2014.
As we look back across the major security events of the past 12 months, it is a good time to pause and reflect upon the lessons we learn from the misfortunes of others. The old adage remains true: "Those who fail to learn from history are doomed to repeat it." Study some of the major security blunders of the past year and you will decrease the risk of falling victim to them yourself.
Heartbleed breaks encryption around the world
April 2014 brought the disclosure of one of the most significant security vulnerabilities in the history of computing. Forbes columnist Joseph Steinberg called it "the worst vulnerability found ... since commercial traffic began to flow on the Internet."
What was the problem? Heartbleed is a flaw in OpenSSL, the cryptographic library that a large share of web servers use to implement TLS. The bug was not in any encryption algorithm but in OpenSSL's handling of the TLS heartbeat extension: a heartbeat request carries a length field, and the server copied that many bytes from memory into its reply without checking that the request actually contained that much data. An attacker who sent a tiny request claiming a large payload got back up to 64 KB of whatever happened to sit nearby in the server's memory, and could repeat the request as often as desired. Those contents could include anything the server was holding at the time: user passwords, credit card numbers, session cookies and, in some cases, the server's own private TLS key.
The OpenSSL project and operating system vendors reacted quickly and shipped updates that closed the hole. Unfortunately, the vulnerable code had been in OpenSSL since early 2012, and because exploiting it left no trace in server logs, many organizations could not determine whether their servers had already been plundered.
The lesson from Heartbleed? Patch, patch, patch! Monitor vulnerability announcements for the software you run and apply vendor patches quickly; for many flaws this is the only effective defence. Heartbleed also added a second step that is easy to forget: patching closes the hole but does not undo a leak that may already have happened. Because anything in memory may have been exposed, patching must be followed by rotating the secrets the server held, starting with its TLS private key and certificate, then invalidating user sessions and resetting passwords.
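The C program below is an added illustration, not code from the original article or from OpenSSL itself. It models the heartbeat handler described above in two versions: one trusts the attacker-supplied length field, as OpenSSL did before 1.0.1g, and the other adds the single bounds check the fix introduced. The "server memory", the two-byte "hi" payload and the SESSION/PASSWORD string lying next to it are constructed for the demo and kept inside one array so that the over-read stays well-defined C; the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): type (1) | payload_length (2) | payload | padding (16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3
#define HB_PADDING  16

/* Constructed "server memory" for the demo, not real OpenSSL data: a 21-byte
 * heartbeat request carrying the 2-byte payload "hi" plus 16 bytes of padding,
 * immediately followed by data that belongs to someone else's session. */
static const unsigned char demo_memory[64] =
    "\x01\x00\x02hi"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "SESSION=a1b2c3d4;PASSWORD=hunter2";
#define DEMO_RECORD_LEN (HB_HDR + 2 + HB_PADDING)   /* bytes actually received: 21 */

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len, unsigned char *out);

/* The attacker controls this 16-bit field; nothing else says how long the payload is. */
static uint16_t hb_payload_len(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Echo the payload back with fresh padding. Both handlers share this once
 * they have decided to trust payload_len. */
static size_t hb_reply(const unsigned char *rec, uint16_t payload_len, unsigned char *out) {
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);      /* copies payload_len bytes from wherever rec points */
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);    /* real TLS uses random padding; zeros keep the demo simple */
    return HB_HDR + payload_len + HB_PADDING;
}

/* VULNERABLE (OpenSSL 1.0.1 through 1.0.1f): rec_len is never compared with
 * the claimed payload length, so memcpy runs past the received record into
 * whatever lies next to it in memory. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    (void)rec_len;
    return hb_reply(rec, hb_payload_len(rec), out);
}

/* FIXED (the check OpenSSL 1.0.1g added): a request whose claimed payload
 * would not fit in the record actually received is silently discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < HB_HDR + HB_PADDING) return 0;
    uint16_t payload_len = hb_payload_len(rec);
    if ((size_t)HB_HDR + payload_len + HB_PADDING > rec_len) return 0;
    return hb_reply(rec, payload_len, out);
}

/* Does the response carry the given byte string anywhere? */
int response_contains(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Send the malicious request (length field says 40, only 2 payload bytes sent)
 * to a handler and report whether the neighbouring secret came back. */
int handler_leaks_secret(hb_handler handler) {
    unsigned char mem[sizeof demo_memory], out[256];
    memcpy(mem, demo_memory, sizeof mem);
    mem[1] = 0x00; mem[2] = 0x28;                 /* claim 40 bytes of payload */
    size_t n = handler(mem, DEMO_RECORD_LEN, out);
    return response_contains(out, n, "SESSION=a1b2c3d4");
}

/* Send the honest request; returns the reply length (21 when answered, 0 when dropped). */
size_t honest_response_len(hb_handler handler) {
    unsigned char out[256];
    return handler(demo_memory, DEMO_RECORD_LEN, out);
}

int main(void) {
    printf("vulnerable handler leaks secret: %s\n", handler_leaks_secret(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks secret:      %s\n", handler_leaks_secret(heartbeat_fixed) ? "yes" : "no");
    printf("fixed handler answers honest request with %zu bytes\n", honest_response_len(heartbeat_fixed));
    return 0;
}
```

Compile with any C99 compiler and run: the honest request gets a 21-byte reply from both handlers, while the request that claims 40 bytes pulls the neighbouring SESSION and PASSWORD data out of the vulnerable handler and gets nothing at all from the fixed one. The real bug differed only in scale: the length field is 16 bits wide, so each request could pull up to 64 KB, and nothing stopped an attacker repeating it.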
Sony Pictures systems invaded by attackers
As the holiday season began, the news filled with stories about an attack against Sony Pictures Entertainment. The Hollywood giant revealed that hackers gained access to its computer networks and sent extortion messages to studio executives demanding a ransom to prevent the release of sensitive information.
When Sony refused to pay the ransom, the hackers disclosed a massive amount of information that embarrassed the studio and disrupted its business. The releases included e-mail exchanges with comments involving celebrity behavior and the President of the United States, as well as Social Security numbers for studio employees and celebrities. Perhaps most devastating was the hackers' posting of unreleased films on the Internet for public consumption, perhaps depriving the studio of future revenue.
Pay attention to the ramifications of the Sony attack and learn a valuable lesson for your own business. If information is sensitive, encrypt it, and keep the keys where an intruder roaming the network cannot simply collect them along with the data. Once attackers have copied unencrypted sensitive information there is no getting it back; the only open question is how and when it will be used. Encryption at rest is not a complete answer on its own, since attackers who sit inside a network long enough can read data through the same systems that legitimately decrypt it, so pair it with tight limits on who can reach sensitive archives and with monitoring that notices when unusually large volumes of data leave the network.
Shellshock remains a major issue
The Shellshock vulnerability, disclosed in September, is a flaw in GNU Bash, the default command shell on most Linux systems. Bash allowed shell functions to be passed between processes through environment variables, and when it parsed such a variable it also executed any commands appended after the function body. Any program that places attacker-controlled input in an environment variable and then invokes Bash therefore becomes a remote command-execution hole; web servers running CGI scripts, which hand HTTP request headers to scripts as environment variables, were the most widely exploited case. Attackers exploiting the vulnerability gain the power to execute arbitrary commands on the targeted server with the privileges of the process that invoked Bash. This is especially dangerous, as it effectively hands the attacker a foothold on the server from which to steal information, alter the server's configuration and take steps to avoid detection.
As with Heartbleed, the community reacted quickly and patches began to flow for the various systems affected by Shellshock, although the first patch turned out to be incomplete and follow-up fixes were needed over the following days. While some system administrators applied those patches promptly, others were slower to react, and some systems remain unpatched.
Shellshock underscored the lesson of Heartbleed and pointed out that many administrators failed to learn that lesson. Prompt patching is critical to system security.
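The check below is an added example, not part of the original article or of the Bash project. It wraps the well-known one-line Shellshock test in a small C program: it places a function definition with a trailing command in the environment, runs bash, and reports whether the trailing command executed. The variable name x and the marker words are arbitrary choices for the demo, and the check covers only the original bug (CVE-2014-6271), not the parser bugs found in the days after it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The usual one-line form of this check, typed into any shell:
 *
 *   env x='() { :;}; echo vulnerable' bash -c "echo test"
 *
 * An unpatched bash imports x as a function and also runs the command
 * appended after the function body, so "vulnerable" is printed before "test".
 * A patched bash prints only "test". */

/* Run the same check from C. Returns 1 if the system bash executes the
 * trailing command from an environment variable (the original Shellshock
 * bug), 0 if it does not, -1 if bash could not be run at all. */
int shellshock_check(void) {
    char line[256];
    int saw_test = 0, saw_vulnerable = 0;

    /* Constructed trigger: a function definition with a command appended. */
    if (setenv("x", "() { :;}; echo vulnerable", 1) != 0) return -1;

    /* Launch bash with the crafted variable in its environment; bash scans
     * the environment for function definitions before running anything. */
    FILE *fp = popen("bash -c 'echo test' 2>/dev/null", "r");
    if (fp == NULL) { unsetenv("x"); return -1; }

    while (fgets(line, sizeof line, fp) != NULL) {
        if (strstr(line, "vulnerable") != NULL) saw_vulnerable = 1;
        if (strstr(line, "test") != NULL) saw_test = 1;
    }
    pclose(fp);
    unsetenv("x");

    if (!saw_test) return -1;          /* bash missing or failed to start */
    return saw_vulnerable;
}

int main(void) {
    switch (shellshock_check()) {
    case 1:  puts("VULNERABLE: bash executes commands appended to environment variables"); return 1;
    case 0:  puts("patched: bash ignores the appended command"); return 0;
    default: puts("could not run bash"); return 2;
    }
}
```

The C wrapper is useful where the check has to run from a monitoring agent or a build step rather than by hand; its exit status distinguishes a patched host from one where bash is absent, so an inventory script can tell "not affected" from "not checked".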
POODLE puts the nail in SSL's coffin
Security professionals have warned IT teams against using the Secure Sockets Layer (SSL) web encryption protocol for years. All modern browsers now support the more current, more secure Transport Layer Security (TLS) replacement protocol. Until recently, this recommendation lacked urgency, bearing the tone of "You really should get around to this."
The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, disclosed in October, changed the message to "You'd better drop SSL right away!" It exploits a weakness in how SSL 3.0 handles padding in CBC-mode ciphers: an attacker positioned between a browser and a server first forces the two to fall back from TLS to SSL 3.0, which browsers did to accommodate broken servers, and then, by replaying modified requests and observing which ones the server rejects, recovers secrets such as session cookies one byte at a time. The padding flaw is inherent in the SSL 3.0 design, so there is no patch that makes SSL 3.0 safe; the practical repair is to disable it on servers and clients in favor of TLS, which is what most professionals recommend.
The lesson from POODLE is a little more subtle than Heartbleed and Shellshock. Most administrators had left SSL 3.0 enabled, ignoring a long-held best practice, because no practical attack demanded otherwise and a few old clients might still need it. They then discovered how quickly a deferred best practice can turn into an urgent security remediation effort!
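As an added example, not taken from the original article, here is what dropping SSL 3.0 looks like in an nginx server block, with the weak setting beside the corrected one. The directive is nginx's real `ssl_protocols`; the particular protocol list is the example's choice.

```nginx
# Weak: SSL 3.0 is still offered, so an attacker between client and server
# can force a downgrade and run the padding-oracle attack against it.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

# Corrected: TLS only. Clients that speak nothing newer than SSL 3.0
# (in 2014, chiefly IE6 in its default configuration) will no longer connect.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
```

The Apache equivalent is `SSLProtocol all -SSLv3` in the relevant virtual host. After reloading, confirm the change from outside: a client that offers only SSL 3.0 should fail the handshake outright rather than negotiate a connection.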
Celebrity selfies from iCloud exposed
This September, news shows that typically focus on stalking celebrities suddenly took a brief and intense interest in cybersecurity. Why? Nude photographs of several celebrities surfaced on the Internet and the common denominator was that all of those celebrities stored the photos on Apple's iCloud service. The service, enabled by default on iOS devices, synced the celebrity photos to Apple's cloud servers without requiring explicit permission.
Apple vigorously defended its security practices, claiming that the iCloud servers were not compromised. Instead, they claimed, attackers directly targeted the celebrities' accounts, gaining access to their usernames, passwords and/or security question answers. The attackers then used this information to access sensitive information stored within the celebrities' accounts, including the automatically synced photos.
You can take away two lessons from this story. First, don't store nude photos (or anything else you don't want public, for that matter!) in a cloud service without encrypting them first, and check what your devices upload automatically. Second, ensure that the cloud services you use employ strong access controls: turn on two-factor authentication wherever it is offered, and if a service relies on security questions for password recovery, choose answers that people who know you, or who can look you up, cannot work out.
Retailers struck again: Home Depot and Michaels fall victim
The year wouldn't be complete without stories of major retail security breaches. The media quickly swarmed over two major chains, DIY home improvement retailer the Home Depot and arts and crafts retailer Michaels, after they acknowledged security breaches. The circumstances resembled Target's breach of the previous year: malware planted on point-of-sale systems captured payment card data as cards were swiped, and the attackers harvested card numbers and other details about customer transactions.
Both chains likely fell short of full compliance with the Payment Card Industry Data Security Standard (PCI DSS). This standard, which the card brands enforce through their contracts with merchants and acquiring banks rather than through legislation, spells out detailed requirements for storing, processing and transmitting cardholder data, including isolating the payment environment from the rest of the network and monitoring it for intrusions. The lesson for anyone handling payment card data or other regulated information is clear: compliance is essential, but it is a floor rather than a guarantee, and Target had passed a PCI assessment shortly before its own breach. Failure to employ adequate security controls may result in legal action, fines and embarrassing news coverage.
The past year saw information security in the news very often and, undoubtedly, led to some uncomfortable moments for the security teams at the affected firms. As we look back upon the major security events of 2014, it is an excellent time to take stock of our own security controls. How would each of us fare if one of 2014's major attacks had targeted our firms? Do the weaknesses that let these attacks succeed, such as slow patching, deprecated protocols left enabled, weak account recovery and unprotected payment systems, exist in our own organizations? It's a great time to make a security New Year's resolution and improve the state of our own security programs!