As we get closer to the end of 2016, I wanted to take a moment to review some of the information security stories from the year and provide some insight on how you can protect yourself from them in 2017 since they are not going away any day soon.
According to Kaspersky Labs, “2016 can be declared the year of ransomware.” Throughout 2016, more businesses and individual users fell victim to ransomware, with a recent poll done by Datto showing that 91 percent of IT service providers reported recent ransomware attacks against small businesses. From Q1 through Q3 of 2016, Kaspersky noted that 1.5 million unique users were attacked by ransomware which is already double that of 2015 (~750k) and we still have a quarter left to report on. This is not a trend that we want to keep seeing.
As with previous years, email and email attachments are still the No. 1 vehicle for ransomware with Locky malware leading the pack. Helping this trend grow is the fact that per Datto, 93 percent report ransomware infiltrating anti-virus or anti-malware software. Gone are the days (if there ever were such days) where you can say, “I am good, I have AV software!”
Even as more countries join in on the No More Ransomware campaign (https://www.nomoreransom.org/), ransomware continues to grow. The only way to stop this epidemic is to limit the financial incentive towards hackers. Whether you are an individual, small business or large corporation, one of the best ways to counteract ransomware is to back up your data and make sure you can recover from it. Patching systems is also a must: always follow the motto, “Patch early and patch often.” If you do get hit, make sure you identify how the attack happened and fix the problem — recovering from backup or even paying off the attacker but not doing anything to ensure it doesn’t happen again is not the best strategy.
The Internet of Things (IoT)
Connected devices and their lack of security quickly became an issue in 2016 with Dyn, an internet infrastructure company, getting attacked by hacked IoT devices like webcams and DVRs with the use of a publicly available malware, Mirai. This attack led to widespread outages for sites like Twitter, Amazon, Netflix, Spotify, etc.
Gartner provided a report recently that “through 2018, over 50 percent of IoT device manufacturers will not be able to address threats from weak authentication practices” and “by 2020, more than 25 percent of identified enterprise attacks will involve IoT, though IoT will account for only 10 percent of IT security budgets.” With nearly everything from thermometers, toasters, TVs, door locks, etc. becoming connected, the implications of an attack are widespread. Sure, thinking about attacks could be somewhat humorous, like attackers taking over toasters and burning your bagel in the morning, but others could be lethal. While this could be considered a little fearmongering, connected homes could be hacked to turn off fire detectors then turn on stoves, cars could be disabled while in motion and infrastructure, like nuclear facilities, could be shut down or put into meltdown.
Sadly, many IoT devices are just not developed to be secure, they are built to be easy to use and for the masses, so you must be diligent when purchasing/implementing IoT devices. Make sure that the devices can be secured. Change the passwords from the defaults, segregate them on the network, limit access and be sure to add IoT devices to your patch management process and update firmware or install patches are they are made available. Also, implementing mobile device management (MDM) tools and protecting your Wi-Fi infrastructure will go a long way in limiting the impact of IoT attacks.
Hacktivism and the good ol’ standard hack
Hacktivism, the act of hacking to promote a political agenda, is on the rise. While previously I stated that 2016 may go down as the year of ransomware, one can easily argue it should be called the year of hacktivism. 2016 saw some very high profile hacks including the Olympic games, Panama Papers, Homeland Security, the Democratic National Convention and the U.S. Presidential election.
While attacks are still usually for financial gain or espionage (89 percent in 2015), I believe we will see a jump in that number in 2016. On average, through October, Hacktivism has been hovering at about 14-15 percent with additional growth expected through November because of the election. The striking change has been a growth in state sponsored attacks.
In October, the US government officially accused Russia of the DNC hack and stated that Russia was attempting to “interfere” with the election. While it is up for debate if the hack actually played a role or not in the election, it does create the real danger that foreign governments will try to interfere with elections and governments worldwide in an effort to push their political agenda.
In addition to the hacktivism, there was still a growth in the number of breaches and attacks. Per the Identity Theft Resource Center, as of 11/29/2016, there were a recorded 932 breaches identified releasing 34 million+ records. But to expand on that, only 480 of the 932 or just over 50 percent reported the number of records released, so the 34 million listed could easily be much higher.
While it may seem difficult to protect against state sponsored or motivated hackers and groups, according to the Verizon Data Breach Investigations Report (DBIR) from 2016, there are still hundreds of old vulnerabilities still being exploited. As with the other two topics, make sure you are patching your systems, segregate your networks, review and limit admin privileges, monitor and assess your systems and develop a risk assessment and risk management plan.
What does all this mean for individuals and businesses? It means we must stay diligent. Patch systems, monitor activity, limit access and privileges, backup your data and systems, assess for vulnerabilities, do not use the same password everywhere and stay away from spam and email attachments you are not expecting. While this will not make you invincible it will go a long way to reducing your risk of a breach.
Linford & Company LLP is a Certified Public Accounting firm comprised of former “Big Four” auditors. We perform SOC 1 (formerly SSAE 16), SOC 2, royalty/licensing compliance and HIPAA compliance audits for organizations around the world. For more information on our services and how we can help your business, please feel free to contact us.