2014: The year of the data breach. Although technically the trend started with the massive credit card heist at Target (News - Alert) last holiday season, 2014 really saw the perfection of the art, with big hits at Home Depot, Sally Beauty, Michael’s, and yes, the celebrity iCloud photo leak. As bad as it’s been, 2015 will see no slowdown in incidents—but rather, will feature a few key evolutions in strategy and purpose on the part of criminals, as indicated by the latest high profile attack, on Sony Pictures.
The evolution of data breaches has already been notable given the sheer number of significant breaches effecting broad swaths of consumers and businesses around the world. Most of the impact has been limited to a hassle factor for consumers in that getting new payment cards and monitoring credit ratings are a must in the aftermath; for businesses, it’s a different story. Target lost several executives and brand identity points, and Sony has yet to assess the full extent of the intellectual property loss and the reputational damage stemming from the massive hack on its systems last month.
Financial institutions bear a significant cost for this as well.
"As we have documented in two surveys this year, data breaches at retailers have cost credit unions and their members a minimum of $90 million—and those are the costs only for breaches at Target, for $30 million, and Home Depot, at nearly $60 million," said Credit Union National Association president and CEO Jim Nussle.
He added, "With the many other breaches that have also occurred—at Staples (News - Alert), Neiman-Marcus and others—certainly credit unions have incurred millions more in costs this year. In our most recent survey…credit unions told us that—to date—they have received no reimbursements for the Target breach, months after the breach occurred.”
But, there are signs that the damage will get much, much worse.
2015: Criminals Will Bide Their Time
As bad as things have been, there’s evidence that perpetrators are changing up their tactics to inflict deeper wounds going forward. Criminals are beginning to understand that knowledge may be the biggest currency—as evidenced by the swath of information stolen and leaked in the Sony hack.
In the Sony case, it’s believed that North Korea is behind the incident, in retaliation for the release of the comedy The Interview, which features Seth Rogan and James Franco as hapless journalists recruited by the CIA to assassinate North Korean leader Kim Jong-un. Pyongyang has called the film “an act of war.”
Sony chiefs Michael Lynton and Amy Pascal have said that the company was still examining the full extent of the attack, which resulted in the leaking of the script for the next Bond movie, full copies of upcoming movies like Fury and Annie, personal information on employees and other corporate data, and a slew of executive emails that have landed Pascal and others in hot water for making insensitive comments about everyone from President Obama to Angelina Jolie. The attack also wiped out data on a swath of its network.
“The subtlety and length of the breaches that are publicly disclosed indicate the underlying goals to be moving away from the ‘smash and grab’ of credit card number thefts towards more systemic damage possible by simply waiting for information and continuing to probe for more content,” said Steve Hultquist, chief evangelist at security analytics company RedSeal. “Similar to the miscreants who traded in secretly purloined celebrity photos long before the massive release, criminals are sitting inside networks gathering information to create a more significant payday or outcome.”
He predicts that attacks will become both more sophisticated and more subtle, and most will go undetected for months or may never be detected. And the longer a breach goes undetected, the more information the attackers gather that they can use for a variety of purposes even after the breach has been closed.
“The long-running breaches that we've seen in 2014 point towards even longer-running breaches with more subtle characteristics that are likely to result in more severe damage,” he said.
Attacks on Enterprises Ramp Up
Retail heists and Sony-style brand sabotage aside, Hultquist also believes that there will be at least one security situation that destroys a midsize or large organization—perhaps one that isn’t a household name.
“This past year saw a small company forced out of business when they refused to pay a ransom,” he said. “That approach of attacking will continue to grow, and very likely cause the demise of a larger organization.”
Espionage and destruction will become a greater percentage of motivation, adding to the risk that the attacks will be undetected, since the outcomes will be far more subtle. Attackers are becoming more focused on avoiding discovery, so it is very likely there will be long-running breaches that result in significant financial loss and other damage directed at objectives besides simple theft.
Consulting firm and industry think-tank Neohapsis takes that prediction one step further, and told us that its researchers believe that the line between attack and defense tools and techniques within large enterprises will blur, so that attackers and defenders will repurpose each other’s tools and techniques for their own benefit. And that could have very far-ranging consequences.
“Attackers will place themselves behind the same network defenses running on the target network to guarantee they evade detection,” the firm told us. “Anti-forensic techniques will help incident responders remain invisible to the attacker. Forensic tools will be used by attackers to steal passwords and locate valuable data. Host intrusion detection systems will alert hackers of suspicious administrators.”
In fact, sophisticated attacks may even repurpose legitimate security tools entirely, so that, say a centralized patch management system will distribute malicious code. Or, the local antivirus software could be hijacked and used to scan all processes for credit-cards and passwords.
Changes in Security Tactics?
One thing’s clear: in order to protect themselves, enterprises (retail organizations and otherwise) will need to radically overhaul their security strategies.
Many organizations have continued to focus on defensive strategies in the face of the data breach tidal wave. But this only increases their likelihood of breach. As Hultquist pointed out, instead of using analysis of potential access paths, for example, many organizations rely on detecting unexpected traffic as it traverses their networks. This provides much less time to address the attack than does automated audits of possible risk and access.
Going forward, “a growing number of organizations will add proactive strategies to their security arsenal, especially proactive analytics for attack prevention,” he said. “There will be some movement in this direction by more sophisticated organizations, helping to reduce their risk of attack.”
At the same time, some changes will be driven by a greater awareness on the part of the powers that be, and from legislation. Vijay Basani, CEO of EiQ Networks said that he believes that state attorneys general and the federal government will become more active advocates of consumer protection, taking steps to hold companies accountable for data breaches they suffer.
“With the Target data breach, we experienced a watershed event—we have seen several state and local agencies demanding information from the company regarding the data breach; and as a result we saw wholesale changes to top management including the CEO and CISO,” he said. “Retail-oriented attacks will continue…and we can expect additional large-scale breaches but also to see senior executives including Board members engaging in serious discussions about how to protect and insure themselves against class-action lawsuits from shareholders and customers.”