Online privacy and data protection is an issue that companies seem unable to deal with. In its latest X-Force report, IBM claims that over 1 billion pieces of Personally Identifiable Information (PII) were leaked in 2014. If that number sounds large, it is less dramatic than it appears: IBM does not say that each piece of PII relates to a separate user, only that 1 billion pieces were leaked. With the vast majority of websites gathering some form of PII, a breach at a single large company will yield millions of pieces of PII.
The amount of data leaked is 25 per cent higher than in the previous year (2013), in which 800 million records were leaked. Worryingly, the 1 billion figure may be an understatement, as IBM admits that it has not factored in the claim from August 2014 by Hold Security that it had discovered 1.2 billion usernames and passwords stolen by Russian hackers. IBM's reasoning for not factoring this in is that the claim has yet to be substantiated eight months on. Such a delay seems unusual and calls into question the claim by Hold Security.
It is not just stolen data that is breaking all records. In September, IBM X-Force was preparing to revise its 2014 figures down to below those of 2013, a move that would have surprised everyone. However, a single automated testing tool for Android applications, released by a CERT/CC researcher, changed all that. The tool, known as Tapioca, highlighted not just a few security issues with Android applications but thousands.
The result has been a massive leap in the disclosure of individual applications vulnerable to Man in the Middle (MitM) type attacks. It has led to over 20,000 vulnerabilities being listed and tracked in the CERT/CC vulnerability disclosure database. What is perhaps the most concerning feature here is that large numbers of applications have been affected by the same vulnerability.
Excluding these 20,000+ vulnerabilities, X-Force catalogued more than 9,200 new security vulnerabilities across 2,600 unique vendors in 2014. Android accounts for fully 15 per cent of these vulnerabilities, which demonstrates that mobile is fast becoming the biggest security risk to the business. Overall, 2014 was 9.8 per cent higher than 2013, setting a new record for security issues in a single year.
For any security professional who wants a quick view by exploit, attack type, industry or country, there is the IBM X-Force Interactive Security Incident (ISI) website. As well as providing multiple ways to look at what happened in the previous year, it throws up some strange results. For example, select the UK Government and almost every attack was a Distributed Denial of Service (DDoS). Change the industry to healthcare and the attack type was 50 per cent watering hole and 50 per cent undisclosed.
Both the report and a supporting blog have been published online by IBM and make for some interesting reading. In the blog by Leslie Horacek, Manager, IBM X-Force Threat Response, she calls out three main themes:
- Privacy in a Digital World
- Cracks in the Foundation
- Lack of Security Fundamentals
Reading through these themes, it seems as if users are living in a security Groundhog Day that they are doomed never to escape from. Both the privacy and the security fundamentals points are nothing new, and despite the efforts at education by organisations, they remain major weak points. It is also important to understand that breaches are no longer a simple case of a single organisational failure. The main report highlights that the photograph theft was down to a third party, not the main cloud service.
This question of third-party risk is one that is getting an increased amount of attention in the security market. Vendors are now talking about the Application Programming Interface (API) economy. The basic premise is that companies will begin to expose their systems to partners, customers and the cloud through the use of APIs. This will make it easier to connect systems together and enable IT departments to respond to demands from users for new apps that create new business opportunities.
The problem is that many companies lack the skills to properly test and validate the safety of their own APIs, let alone those from third parties. As we have seen with vulnerabilities in open source libraries and operating systems, code that has been treated as safe because of its age and its history of never having been part of a previous breach can no longer be fully relied upon. For the API economy to be successful, it has to make it easier to test, validate and track API usage so that any vulnerabilities can be easily and effectively patched.
Even though the instructions for recovering from the Heartbleed attack were well publicised, many companies did not follow them. As a result, Heartbleed was allowed to become a bigger issue than it needed to be. One major reason for the failure to patch properly was a lack of trained staff, and this is a critical reason for companies to start investing in security training for all staff.
The issue of patching has become a major challenge across the Internet. As highlighted in the report, the explosion of websites relying on common Content Management Systems (CMS) has enabled hackers to exploit vulnerabilities in these systems on a massive scale. For hackers, breaching these sites is often not just about the PII but about the ability to use those sites to distribute malware to visitors. With increasing numbers of industry-focused community sites springing up, the use of watering hole attacks, where hackers compromise these commonly visited sites, has increased substantially.
The report highlights where the majority of attacks occur, with the United States (70.5 per cent) far ahead of the second-place country, the United Kingdom (3.4 per cent). Explaining this, the report's authors believe that it is due to more stringent disclosure laws in the US versus other countries, along with the US hosting so many high-profile websites.
At the recent IBM InterConnect conference, held in Las Vegas during February, Brendan Hannigan, General Manager of IBM Security Systems, announced the beta of IBM X-Force Exchange. This is designed to enable companies to share information about attacks in order to widen the pool of knowledge so that security professionals can improve their detection rate. Yesterday at CeBIT, Ingolf Wittmann, IBM Technical Director for DACH, claimed that in a month more than 40,000 companies had joined this beta and were sharing data on breaches and attacks.
The issue is whether that level of peer-to-peer cooperation through a security platform will be enough to improve security. While no industry wants to see even more compliance legislation heaped upon it, the increase in breaches and loss of data may cause just that.
The European General Data Protection Regulation (GDPR) may have been delayed potentially until 2016 due to intergovernmental wrangling and national elections but it will still happen. Aside from the high profile fines it is also designed to enforce a much greater degree of disclosure around cyber attacks.
In Horacek's blog, she highlights the arrival of the 'designer vuln' saying: "However, in 2014 we were introduced to our first taste of the 'designer vuln,' a critical vulnerability that not only proved lethal for targeted attacks, but also had a cleverly branded logo, website and call name (or handle) that would forever identify the disclosure."
The productising of vulnerabilities is partly marketing by the hackers, but it also makes it easier for security companies to raise the profile of vulnerabilities. Putting out a warning about an attack using the traditional CVE-2014-1060 name will get less attention from the majority of IT people and users than using something like FREAK. The downside is that hackers like this type of marketing and are using it themselves.
Behind the scenes, the emergence of an industrialisation around hacking and vulnerabilities is a significant worry. Exploits are now sold cheaply with different levels of support to help buyers get the most out of them. The underground sources selling this data also guarantee the effectiveness of exploits and even offer money-back guarantees. In the credit card environment, if a card number is blocked before it is used, buyers are often given replacement numbers. This is a level of customer service most consumers can only dream of when dealing with the support departments of telcos, white goods manufacturers and retailers.
There is much more in the report and blog than is covered here. However, despite the jump in numbers over 2013 and the new records being hit, it is still possible to survive on the Internet. Changes in the way vulnerabilities are detected mean that more are being found, not that more are being exploited. The biggest issue for many companies and individuals is that until they carry out the basics of security with some diligence, they are placing themselves in harm's way.
Of all the issues raised here, the biggest long-term concern is that code that has been around for decades, and is at the heart of many operating systems and applications, is being shown to be unsafe. Cyber criminals are already exploiting this, so the message is not just to do the basics right, but to ensure that you are looking in the right places for up-to-date security information.
This is an interesting pair of documents but they are not an indicator that the sky is falling, just that we need to do more and be more aware.