I do not exaggerate when I say that it is only a matter of time before your company has to deal with a targeted attack, if it has not already. In 2014, we saw many victims grapple with an invisible enemy. A very big and recent example is the Sony attack, which caused a lot of problems for the company as well as the leakage of a lot of data. As threat defense experts, we strive to make the invisible visible: what are the most important things you should have learned from the cyber-attacks of 2014? What lessons can we bring into 2015?
Secure your data in the cloud
Accountability for cloud computing security became very clear in 2014. Cloud computing is a powerful capacity extender that is increasingly adopted by small, medium, and very large enterprises alike. And while users can expect a certain level of security under the “shared responsibility” model — such as in the way cloud service providers run cloud services and infrastructure including physical hardware and facilities — users must not forget that access to data in the cloud can be wholly compromised at their end.
In what turned out to be a prevalent “developer bad habit” discovered in March, for instance, thousands of secret keys to private accounts were found to be accessible on GitHub, a code-sharing site. This is the equivalent of having consumer user names and passwords leaked in public forums. In some ways it is even more critical, since the exposure of the keys means that thousands of secret company documents, applications, and pieces of software can be accessed by threat actors. And since the intruder essentially logs in as the developer, he or she can wipe out entire environments or hold them hostage.
In a much more fatal example, Code Spaces had to close down in 2014 after an attacker gained access to its control panel account and started deleting customer databases indiscriminately. For a business whose nature relies so strongly on software services, “paranoid security” should be a foregone conclusion. Cloud services offer two- or multi-factor authentication options, completely private modes, and identity-/role-based management that can greatly reduce the likelihood of intrusions like this, or at least make them much more difficult for attackers.
IT admins must review and implement various cloud security options for their cloud environments now.
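The leaked-keys habit described above is something a repository check can catch before the commit ever leaves the developer's machine. The following pre-commit style scanner is an added example written for this page, not code from the original post or from any vendor; the patterns (the public AWS access key ID shape, PEM private-key headers, and a heuristic "credential = 'value'" rule), the placeholder list, and the sample repository contents are all constructed assumptions.

```python
"""Pre-commit secret scanner: added example, not code from the original post.
It flags a few well-known credential shapes in files about to be committed,
the check that would have caught keys like the ones leaked on GitHub."""
import re
import sys
from pathlib import Path
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    shown: str  # redacted so the report itself does not re-leak the secret


# The AWS access key ID shape (AKIA + 16 uppercase alphanumerics) and PEM
# private-key headers are public formats; the assignment rule is a heuristic
# you would tune to your own codebase.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_pem": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(secret|password|passwd|api[_-]?key|access[_-]?token)\b"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Obvious placeholders are skipped so the hook stays usable day to day (assumed list).
PLACEHOLDER_HINTS = ("example", "changeme", "placeholder", "xxxx", "<", "${")


def redact(value: str) -> str:
    """Keep the first four characters so a developer can locate the value."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text: str, path: str = "<stdin>") -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if kind == "credential_assignment":
                value = m.group(2)
                if any(h in value.lower() for h in PLACEHOLDER_HINTS):
                    continue
                shown = redact(value)
            elif kind == "aws_access_key_id":
                shown = redact(m.group(0))
            else:
                shown = m.group(0)  # the PEM header is not itself secret
            findings.append(Finding(path, line_no, kind, shown))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """files maps path -> content (in a real hook: the staged blobs)."""
    return [f for path, text in files.items() for f in scan_text(text, path)]


def should_block_commit(files: Dict[str, str]) -> bool:
    return bool(scan_files(files))


# Constructed sample repository contents; the key and token are not real.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIA0123456789ABCDEF"\n'
        'password = "changeme-in-prod"\n'
        'api_key: "k9f3Qw2LmZp8Rt5Vb1Xc"\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructedkeymaterial\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Set DB_PASSWORD in the environment; never commit it.\n",
}

if __name__ == "__main__":
    # Usage: python scan_secrets.py file1 file2 ...  (falls back to the sample data)
    targets = {p: Path(p).read_text(encoding="utf-8", errors="replace") for p in sys.argv[1:]}
    for f in scan_files(targets or SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.shown}")
    sys.exit(1 if should_block_commit(targets or SAMPLE_FILES) else 0)
```

On the sample data the scanner reports the access key, the high-entropy-looking API token and the private key file, but not the "changeme" placeholder or the README sentence; wiring it into a pre-commit hook (non-zero exit blocks the commit) turns the lesson into a control rather than a reminder.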
The Code Spaces incident also holds a spillover but equally important lesson for companies doing business in the cloud: regularly back up cloud data, because you never know what can happen out there. The 3-2-1 rule is a best practice for good reason, the value of which only becomes obvious once said data is in danger of being gone forever.
Secure your critical systems
Any device that connects to something outside itself can be hacked remotely as well. Ask the retail stores hit in the numerous PoS/retail system attacks. One by one, we heard about wholesale breaches in 2014. Retail and hospitality companies—with branches that make use of the ubiquitous point-of-sale systems—have been hacked into, leaking credit card information that will eventually end up being peddled in cybercriminal underground forums.
When you think about these attacks, you may wonder how malware can get into a standalone system. After all, most PoS systems are not used to receive or send email, which eliminates spear-phishing email as an infection vector. Also, most PoS systems do not or cannot join company domains, because no function or activity requires them to log into company networks.
The only account these systems need is a local administrator account. That is enough for the PoS ecosystem to run: to accept, process, and close transactions with the buyer, the merchant accounts, and the related banks and credit card companies. So the only opportunity attackers have is the remote control function used to perform maintenance: the maintenance access point. Most PoS systems have remote control services like RDP, VNC, or TeamViewer for general system management such as operating system patches. Ultimately, known PoS malware like BrutPOS and Backoff all use brute force to break into PoS/retail systems.
IT admins must limit the IPs that are able to access PoS systems and enforce a strict account lockout policy to keep hackers from owning the data that runs through PoS systems.
Furthermore, this form of access limitation should not be restricted to PoS systems, but applied to all systems that hold critical company or customer data. One key piece of advice from our CTO Raimund Genes in 2014 is to identify core data and set up proper defenses for it. PoS systems are perfect examples of systems that process and store core data, but this model should not be limited to the retail industry — these systems have counterparts in other industries that need to be identified so they can be given the same level of protection.
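The two controls called for above, an IP allowlist for the maintenance access point and an account lockout policy, can also be monitored for: if either were in place, a brute-force run against RDP or VNC would be cut off long before a logon succeeds. The script below is an added example written for this page, not code from the original post or from any product. It runs detection logic over a constructed log format (real RDP/VNC/TeamViewer logs look different); the maintenance network 10.20.0.0/24, the five-failures-in-five-minutes threshold, and the log lines themselves are assumptions, and the source addresses are documentation ranges.

```python
"""Brute-force detection for PoS remote-access logons: added example, not from the post.
The log format is constructed; the maintenance network and thresholds are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re
from typing import Deque, Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>logon_failed|logon_ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed policy: only the maintenance VPN range may reach RDP/VNC on PoS hosts,
# and five failures within five minutes should trip the account lockout.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

Alert = Tuple[str, str, str]  # (rule, source IP, PoS host)


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def is_allowed(src) -> bool:
    """True when the source sits inside the maintenance allowlist."""
    return any(src in net for net in ALLOWED_SOURCES)


def detect(lines: List[str]) -> List[Alert]:
    """Return one alert per (rule, source, host), in the order they first fire."""
    alerts: List[Alert] = []
    seen = set()
    failures: Dict[Tuple, Deque[datetime]] = defaultdict(deque)

    def fire(rule: str, rec: dict) -> None:
        key = (rule, rec["src"], rec["host"])
        if key not in seen:
            seen.add(key)
            alerts.append((rule, str(rec["src"]), rec["host"]))

    records = sorted((parse_line(line) for line in lines if line.strip()), key=lambda r: r["ts"])
    for rec in records:
        if not is_allowed(rec["src"]):
            fire("outside_allowlist", rec)   # the IP restriction would have dropped this
        q = failures[(rec["src"], rec["host"])]
        while q and rec["ts"] - q[0] > WINDOW:
            q.popleft()                      # keep only failures inside the window
        if rec["event"] == "logon_failed":
            q.append(rec["ts"])
            if len(q) >= FAILURE_THRESHOLD:
                fire("brute_force", rec)     # the lockout policy should trip here
        elif len(q) >= FAILURE_THRESHOLD:
            fire("success_after_brute_force", rec)  # a guess worked: treat as compromise
    return alerts


# Constructed sample: one legitimate maintenance logon, a password-guessing run
# from outside the allowlist that eventually succeeds, and a stray failure elsewhere.
SAMPLE_LOG = """
2014-12-03T02:10:00Z host=POS-LANE-03 event=logon_ok user=svc_maint src=10.20.0.7
2014-12-03T02:14:01Z host=POS-LANE-03 event=logon_failed user=Administrator src=203.0.113.45
2014-12-03T02:14:03Z host=POS-LANE-03 event=logon_failed user=Administrator src=203.0.113.45
2014-12-03T02:14:05Z host=POS-LANE-03 event=logon_failed user=admin src=203.0.113.45
2014-12-03T02:14:08Z host=POS-LANE-03 event=logon_failed user=pos src=203.0.113.45
2014-12-03T02:14:11Z host=POS-LANE-03 event=logon_failed user=Administrator src=203.0.113.45
2014-12-03T02:14:40Z host=POS-LANE-03 event=logon_ok user=Administrator src=203.0.113.45
2014-12-03T03:02:19Z host=POS-LANE-07 event=logon_failed user=Administrator src=198.51.100.9
""".strip().splitlines()

if __name__ == "__main__":
    for rule, src, host in detect(SAMPLE_LOG):
        print(f"{rule}: {src} -> {host}")
```

The "outside_allowlist" rule fires on the very first attempt, which is the point: with the IP restriction enforced at the firewall, none of the later lines would exist, and with lockout enforced, the successful logon at 02:14:40 could not have happened.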
Secure your network from Internet-wide vulnerabilities
In 2014 we saw the discovery of vulnerabilities in several widely-used protocols and services. Each one was given its own name: Heartbleed for SSL, Shellshock for Bash, POODLE for SSL 3.0, and POODLE 2.0 for TLS, and each one also triggered a lot of concern, as the entities affected by each always comprised a large percentage of Internet users.
IT admins must prepare and set up processes that will enable them to identify, analyze, and address critical vulnerabilities affecting their network.
What we all experienced in 2014 will most likely continue in this new year — dormant vulnerabilities in widely-used platforms and protocols will be discovered and exploited. Given this, IT administrators — and the security industry in general — will need to better prepare for them to ensure that the impact of such vulnerabilities will be minimal.
For this, I see three main items that IT administrators need to cover: emergency response, to ensure that affected parts of the network are identified and defended; threat intelligence, to understand the vulnerability, the ways it can be exploited, and the threat it poses to the company; and patch management, to make sure that the entire network is secured when the solution becomes available.
Overall, 2014 was a very challenging year for security, and along with the challenges came a lot of lessons. The real value we can get from them lies in making sure that we apply those lessons so we can better deal with future threats.
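All three items above depend on one mundane capability: being able to answer, within hours, which of your systems run an affected version and which of those matter most. The script below is an added example written for this page, not code from the original post. It matches an advisory against an asset inventory and orders the hits by exposure, using the Heartbleed version range as publicly documented (OpenSSL 1.0.1 up to and including 1.0.1f affected, 1.0.1g fixed); the inventory, the role names and the priority scheme are constructed assumptions, and the version parser assumes OpenSSL-style single-letter suffixes.

```python
"""Advisory-to-inventory matching for the identify/analyze/patch loop: added example,
not from the post. The inventory is constructed; the Heartbleed version range
(OpenSSL 1.0.1 up to 1.0.1f affected, 1.0.1g fixed) is as publicly documented."""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[Tuple[int, int], ...]


def parse_version(text: str) -> Version:
    """'1.0.1f' -> ((1, 0), (0, 0), (1, 6)): an OpenSSL-style letter suffix becomes a
    sub-level so that 1.0.1 < 1.0.1a < ... < 1.0.1g. Assumption: suffix is one letter."""
    parts = []
    for comp in text.split("."):
        digits = comp.rstrip("abcdefghijklmnopqrstuvwxyz")
        suffix = comp[len(digits):]
        level = ord(suffix[0]) - ord("a") + 1 if suffix else 0
        parts.append((int(digits), level))
    return tuple(parts)


@dataclass
class Advisory:
    name: str
    product: str
    affected: List[Tuple[str, str]]  # inclusive (lowest, highest) affected versions
    fixed_in: str


@dataclass
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool
    role: str


# Assumed mapping of the "core data" systems the text asks you to identify first.
CORE_DATA_ROLES = {"pos", "database", "payment"}


def is_affected(asset: Asset, adv: Advisory) -> bool:
    if asset.product != adv.product:
        return False
    v = parse_version(asset.version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in adv.affected)


def priority(asset: Asset) -> int:
    """0 = reachable from the Internet, 1 = holds core data, 2 = everything else."""
    if asset.internet_facing:
        return 0
    return 1 if asset.role in CORE_DATA_ROLES else 2


def affected_assets(inventory: List[Asset], adv: Advisory) -> List[Tuple[str, str, int]]:
    """(host, version, priority) for every affected asset, most urgent first."""
    hits = [(a.host, a.version, priority(a)) for a in inventory if is_affected(a, adv)]
    return sorted(hits, key=lambda h: (h[2], h[0]))


HEARTBLEED = Advisory("Heartbleed", "openssl", [("1.0.1", "1.0.1f")], fixed_in="1.0.1g")

INVENTORY = [  # constructed sample inventory
    Asset("web-01", "openssl", "1.0.1e", True, "web"),
    Asset("vpn-gw", "openssl", "1.0.1f", True, "vpn"),
    Asset("pos-lane-03", "openssl", "1.0.1c", False, "pos"),
    Asset("build-srv", "openssl", "1.0.1g", False, "ci"),
    Asset("legacy-db", "openssl", "0.9.8y", False, "database"),
    Asset("mail-01", "bash", "4.3", False, "mail"),
]

if __name__ == "__main__":
    for host, version, prio in affected_assets(INVENTORY, HEARTBLEED):
        print(f"P{prio} {host}: {HEARTBLEED.product} {version} -> upgrade to {HEARTBLEED.fixed_in}")
```

The advisory record is the threat-intelligence input, the prioritised hit list drives emergency response (Internet-facing hosts and core-data systems first), and the fixed_in field is what patch management verifies against once the inventory is rescanned; the value of the exercise is in having the inventory current before the next named vulnerability appears.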