As I look back at 2016, I realize just how hard this year has been for (in)security in organizations throughout the world. In early 2016, Wired magazine made a few predictions about the kinds of security threats we would face during the year: https://www.wired.com/2016/01/the-biggest-security-threats-well-face-in-2016/ Today, on the last day of 2016, we can look back and see how those predictions fared: http://www.zdnet.com/pictures/biggest-hacks-security-data-breaches-2016/
The following are just a few of the incidents that I found most prominent and arguably the most damaging to any organization out there.
NSA Security Tools Stolen
Have you ever watched the spy thriller movie Sneakers? If so, perhaps you will see the irony, in something that technically should never have been possible, in the NSA’s report that a number of their highly specialized hacking tools were stolen and later auctioned to the highest bidder. What is more alarming about this incident is that it also uncovered vulnerabilities in major vendors’ firewalls, like Cisco and Fortinet. According to the latter linked article, these zero-day vulnerabilities are extremely dangerous and virtually trivial to exploit: “One of the exploits is a zero-day flaw that can let an unauthenticated attacker access the firewall without a username and password to remotely execute code on the device.”
Millions Of LinkedIn Passwords Up For Sale
In 2012, the year when LinkedIn’s user database was initially hacked, it was believed that 6.5 million passwords had been compromised. However, 2016 would prove that belief to be false, as evidence for the breach of 117 million LinkedIn passwords was uncovered. As if that was not bad enough, the combination of a deprecated hash algorithm, the absence of a password salt, and the high predictability of the actual passwords chosen by users contributed to the eventual cracking of the passwords.
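The three factors named above, shown together as an added example that is not part of the original post: an audit of a constructed credential table stored with an unsalted fast hash, beside the same passwords stored with a per-user salt and a slow key-derivation function. SHA-1 stands in for the deprecated algorithm and PBKDF2 for the replacement (both are assumptions, the post names neither), and all accounts, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample data: four accounts, three with predictable passwords.
USERS = {"alice": "123456", "bob": "linkedin", "carol": "123456",
         "dave": "Tr0ub4dor&3x!"}
COMMON = ["123456", "password", "linkedin", "qwerty"]  # constructed list
ITERATIONS = 200_000  # assumed work factor for this example


def weak_hash(password):
    """Unsalted fast hash: equal passwords always give equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(strong_hash(password, salt)[1], digest)


def audit_unsalted(table):
    """Report digests shared between accounts and accounts whose digest
    matches a common-password table that is computed only once."""
    shared = {h for h, n in Counter(table.values()).items() if n > 1}
    lookup = {weak_hash(p): p for p in COMMON}
    exposed = sorted(u for u, h in table.items() if h in lookup)
    return shared, exposed


def demo():
    weak = {u: weak_hash(p) for u, p in USERS.items()}
    shared, exposed = audit_unsalted(weak)
    strong = {u: strong_hash(p) for u, p in USERS.items()}
    distinct = len({digest for _, digest in strong.values()})
    return len(shared), exposed, distinct


if __name__ == "__main__":
    print(demo())
```

With salts, alice and carol no longer share a stored value, so one precomputed table no longer covers every account at once; the slow KDF then raises the cost of each remaining guess.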
Democratic Campaign Email Leaks
There were many surprises during the saga leading up to the U.S. 2016 Presidential Election, and security data breaches were simply another episode in that series. During the election campaign, the disclosure of a data breach against the Democratic Congressional Campaign Committee opened a Pandora’s box with alleged ties extending all the way to the Kremlin.
Yahoo Accounts Compromised
The initial disclosure of Yahoo!’s user database breach was believed to involve 500 million accounts; however, further reports have the total amount of breached accounts at more than one billion users. It is a very sad story to see an early tech pioneer and web giant fall so hard. Nevertheless, perhaps the good that will come out of it is the lessons learned from such a catastrophic failure in cyber security.
As you can see, this has indeed been a tough year for many organizations when it comes to security. No one knows for sure what threats lurk ahead in 2017, but what we do know is that organizations need to be vigilant now more than ever. Gone are the days of sweeping the absence of a cyber security program under the rug and hoping that no one attacks a system. Today, organizations need to assume that there are threats lurking and train their personnel for those scenarios, especially the ones involving social engineering. For it is there indeed that the greatest security weakness lies: ourselves and our innate ability to trust someone else.
And that concludes my last post for the year. I aim to continue blogging about security and the cloud in 2017, so please stay tuned. I will see you again next year!