As 2015 draws to an end, we can look back on a year that has seen cyber security rapidly ascend the corporate, journalist and consumer agendas.
The cost of the average corporate data breach continued to rise, and with hacks on firms such as Carphone Warehouse, TalkTalk, Ashley Madison and even the Internal Revenue Service in the USA, the last twelve months have seen a marked escalation in Black Hat activity.
Over the course of the year, the IBM Emergency Response Services (ERS) team has gained an extensive insider’s view of what kinds of security incidents are striking most frequently across a variety of industries, and below are the four top trends that took precedence in 2015.
Onion-layered security incidents on the rise
As the name suggests, an onion-layered security incident is one in which a second, often significantly more damaging attack is uncovered during the investigation of another more visible event.
Of all the incidents that the ERS teams encountered in 2015, these complex, multi-layered attacks were the most demanding of investigative time and resources to ascertain the facts, find the root causes, develop a timeline of events, and provide the client with recommendations on how to resolve the issues that allowed the attackers to get into their networks.
The year of ransomware
The infection most commonly encountered by ERS this year has been ransomware. As its name suggests, this is a kind of malware that withholds something from the user and demands a ransom to give it back.
Broadly speaking, ransomware can be divided into two families. The first family simply locks the system and tricks the user into thinking that unlocking it requires paying a ransom. This is the less dangerous kind of ransomware, since no actual harm is done to the infected system and no information is lost.
The second family, however, encrypts files on the system’s hard drive. Instructions on how to pay the ransom and obtain the key to decrypt the files are left in text files scattered across the hard drive. This is the more dangerous kind of ransomware, since breaking the encryption is usually infeasible, and the files may be lost even if the ransom is paid.
A particularly destructive variant of this second family will encrypt not only files on the hard drive of the infected computer, but also network shares, potentially targeting the files of the user’s organisation too.
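The share-encrypting variant described above leaves two traces on a file server that a defender can look for: a burst of renames or writes from one account across many directories, and the same ransom-note text file appearing in directory after directory. The following is an added example, not code from IBM ERS or from the original article, of those two heuristics run over constructed file-share audit events. The event format (ISO timestamp, account, action, UNC path), the account names, the share name `fs01` and the thresholds are all assumptions made for the example.

```python
"""Detect ransomware-style mass renames and ransom-note drops in file-share audit events.

Added example with constructed data; the event format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

UNC = "\\\\fs01"  # constructed share name

# Constructed audit events, not real logs: (timestamp, account, action, path)
BENIGN = [
    ("2015-11-03T09:00:01", "jdoe", "write", f"{UNC}\\finance\\q3.xlsx"),
    ("2015-11-03T09:00:40", "jdoe", "write", f"{UNC}\\finance\\notes.docx"),
    ("2015-11-03T09:05:12", "jdoe", "rename", f"{UNC}\\finance\\old_q2.xlsx"),
]

# Constructed burst: one account renames 25 files across five directories within a
# minute, then drops the same note file into each of those directories.
SUSPECT = []
for i in range(25):
    SUSPECT.append((f"2015-11-03T10:15:{i:02d}", "asmith", "rename",
                    f"{UNC}\\dept{i % 5}\\file{i}.docx.locked"))
for i in range(5):
    SUSPECT.append((f"2015-11-03T10:15:{30 + i:02d}", "asmith", "create",
                    f"{UNC}\\dept{i}\\HOW_TO_RECOVER.txt"))

EVENTS = BENIGN + SUSPECT


def _dirname(path):
    return path.rsplit("\\", 1)[0]


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _minute(ts_text):
    # Bucket events per calendar minute; a sliding window would be more robust.
    return datetime.fromisoformat(ts_text).replace(second=0, microsecond=0)


def detect(events, rename_threshold=20, min_dirs=3):
    """Return sorted (account, minute, reason) alerts for two heuristics:

    1. at least `rename_threshold` renames by one account in one minute, spread
       over at least `min_dirs` directories;
    2. the same .txt filename created by one account in at least `min_dirs`
       directories within one minute (ransom-note pattern).
    """
    renames = defaultdict(lambda: [0, set()])          # (account, minute) -> [count, dirs]
    notes = defaultdict(lambda: defaultdict(set))       # (account, minute) -> name -> dirs
    for ts_text, account, action, path in events:
        key = (account, _minute(ts_text))
        if action == "rename":
            renames[key][0] += 1
            renames[key][1].add(_dirname(path))
        elif action == "create" and path.lower().endswith(".txt"):
            notes[key][_basename(path).lower()].add(_dirname(path))

    alerts = []
    for (account, minute), (count, dirs) in renames.items():
        if count >= rename_threshold and len(dirs) >= min_dirs:
            alerts.append((account, minute.isoformat(),
                           f"{count} renames across {len(dirs)} directories"))
    for (account, minute), names in notes.items():
        for name, dirs in names.items():
            if len(dirs) >= min_dirs:
                alerts.append((account, minute.isoformat(),
                               f"'{name}' dropped in {len(dirs)} directories"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Both heuristics fire on the constructed burst and neither on the benign activity. In practice the account named in the alert is the pivot for containment: the note-drop heuristic in particular points at the workstation whose share mapping should be cut before more directories are touched.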
Malicious insiders on the attack
During 2015, the ERS team was called in on several occasions to assist with unexplained network outages - both to stop the outage and find the root cause. The symptoms ranged from routers that had their configurations erased, to firewalls with unauthorised rule changes.
Because these problems were sometimes intermittent and hard to distinguish from ordinary service outages, some of the situations went on for weeks before it became clear that a security incident needed to be declared and the ERS team was engaged.
The common thread here was that accountability was not enforced. For example, bad password policies seriously compromised the efficacy of termination procedures. Whenever a system or network administrator left the organisation, disabling their personal accounts did not limit their ability to perform unauthorised activity on the network via one or more of the shared accounts they had routinely used in their job. As a result, ex-employees with ill will toward former employers held powerful weapons they could use to express their resentment.
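The gap described above is mechanical: a leaver's personal account is disabled, but the shared administrative accounts they knew the passwords for are never rotated. The following is an added example, not code from IBM ERS or from the original article, of an offboarding check that joins a leaver list against a shared-account access register and rotation history and flags every shared credential a departed administrator could still use. The data structures, account names and dates are constructed assumptions for the example.

```python
"""Flag shared accounts whose passwords were not rotated after a user who knew them left.

Added example with constructed data; the registers below are assumptions, not a
real identity system's export.
"""
from datetime import date

# Constructed leaver register: personal account -> last day of employment
DEPARTURES = {
    "admin_a": date(2015, 9, 1),
    "admin_c": date(2015, 11, 20),
}

# Constructed access register: shared account -> personal accounts that used it
SHARED_ACCOUNT_USERS = {
    "svc_router_cfg": {"admin_a", "admin_b"},
    "fw_admin": {"admin_b", "admin_c"},
    "backup_svc": {"admin_a"},
    "noc_readonly": {"admin_b"},
}

# Constructed rotation history: shared account -> date of last password change
# (None means no rotation has ever been recorded).
LAST_ROTATION = {
    "svc_router_cfg": date(2015, 9, 2),   # rotated the day after admin_a left
    "fw_admin": date(2015, 1, 10),        # rotated long before admin_c left
    "backup_svc": None,                   # never rotated
    "noc_readonly": None,
}


def stale_shared_accounts(departures, shared_users, last_rotation, today=None):
    """Return sorted (shared_account, departed_user, days_exposed) triples.

    A shared account is stale for a departed user when that user had access to it
    and the account's password was not changed after the user's last day. Accounts
    with no recorded rotation are treated as never rotated.
    """
    today = today or date.today()
    findings = []
    for user, last_day in departures.items():
        for account, users in shared_users.items():
            if user not in users:
                continue
            rotated = last_rotation.get(account)
            if rotated is None or rotated <= last_day:
                findings.append((account, user, (today - last_day).days))
    return sorted(findings)


def accounts_to_rotate(departures, shared_users, last_rotation, today=None):
    """Collapse findings to the set of shared accounts needing an immediate rotation."""
    return sorted({f[0] for f in stale_shared_accounts(departures, shared_users, last_rotation, today)})


if __name__ == "__main__":
    for account, user, days in stale_shared_accounts(
            DEPARTURES, SHARED_ACCOUNT_USERS, LAST_ROTATION, today=date(2015, 12, 15)):
        print(f"{account}: still usable by former admin {user} for {days} days")
```

Run against the constructed registers, `svc_router_cfg` is clean because it was rotated after `admin_a` left, while `backup_svc` and `fw_admin` are flagged. The same join is the basis for a termination checklist that lists, for each leaver, every shared credential to rotate on their last day rather than relying on disabling the personal account alone.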
Greater management awareness of security problems
In recent months, the ERS team observed that people in positions of oversight - management, boards of directors, audit committees - were asking more questions about their organisations’ security posture.
Given the recent high-profile breaches of many well-established organisations highlighted in the media, as well as the UK Government’s recent public statement of support and funding for greater national cybersecurity initiatives in the face of international terrorism, this is a welcome trend, and likely to continue in 2016.
So what can we learn from cyber security breaches in 2015? One thing is certain: they will not shrink or fade into the background in 2016.
The key for organisations will be to redefine their security efforts and to recognise that while they can never be 100 per cent watertight in terms of cyber security, they can improve their protection, detection, isolation and responses to cyber security issues as they emerge.
Martin Borrett, CTO of IBM Security Europe