Security Lessons Learned (The Hard Way) From 2016
In this series of three posts, we examine security expert views on the past year, their prognoses for 2017, and what we should do to protect ourselves.
What a year! Not a month went by in 2016 without news emerging of a high-profile cyber attack or data breach.
In January Belgian bank Crelan was hit by fraudsters to the tune of €70 million ($73.1 million), €50 million ($52.2 million) was stolen from the accounts department of Austrian aerospace parts maker FACC, and Israel and Ukraine were both the victims of cyber attacks against their critical infrastructures.
It didn't get any better in February when the names, job titles, email addresses and phone numbers of over 20,000 Federal Bureau of Investigation and 9,000 Department of Homeland Security employees were hacked.
In March, the Philippines electoral commission was hacked ahead of forthcoming elections with the personal details of over 50 million voters compromised.
In April, it emerged that a database of 11.5m documents had been taken from offshore law firm Mossack Fonseca, some of them exposing embarrassing links to anonymous offshore companies of leaders in Egypt, Iceland, Pakistan, Spain, Russia, the UK and Ukraine among other countries.
In May, 427 million MySpace passwords were put up for sale. The same hacker also offered 164 million LinkedIn passwords.
In June, the details of 154 million US voters were leaked including whether or not they owned guns.
In July, Hillary Clinton’s Presidential election campaign was hacked.
In August, a customer support portal for companies using Oracle’s Micros point-of-sale credit card payment systems, used at more than 330,000 cash registers worldwide, was hacked.
In September, cyber security blogger Brian Krebs was subjected to one of the largest assaults on the Internet ever seen when a botnet-facilitated distributed denial of service (DDoS) assault was mounted on KrebsOnSecurity.com. Thanks to protections already put in place, it did not succeed.
In October, the largest DDoS attack to date caused embarrassing hours-long Internet outages for big brands such as Amazon, CNN, Fox News, Netflix, The New York Times, PayPal, Twitter and The Wall Street Journal. All were customers of domain name service provider Dyn.
November was ransomware month, with attacks on the administration of Madison County, Indiana, on San Francisco’s “Muni” transport system, which forced the network to offer free rides to passengers for much of a weekend, and on a dermatologist in Seguin, Texas. These were the cases that were made public.
In a fitting finale to the year, although it didn’t actually take place in 2016, forensic experts announced in December that Yahoo had suffered the largest data breach ever recorded, with over a billion records containing personal details and security questions, answers and passwords stolen in 2013.
As if 2016 was not bad enough, the not-for-profit Information Security Forum expects security threats to worsen yet further in 2017. Perhaps even more worryingly, it fears that the way things are going, organizations risk becoming disoriented and losing their way in a maze of uncertainty as they grapple with complex technology, proliferation of data, increased regulation and a debilitating skills shortage.
So what do we have to do to ensure a happier and more secure new year?