This past year we bore witness to the sophistication of cyberattacks and their vertiginous growth. If we look at what happened in security in 2017, there are quite a few lessons that we should heed to, especially for businesses. These six lessons will help us to avoid making the same mistakes this year.
Our response to incidents is as important as preventing them
One of the most important events of last year was the Uber incident. It came to light that Uber had concelead the fact that data corresponding to 57 million users had been pirated at the end of 2016. As the Uber CEO acknowledged, the criminals downloaded a database from servers used by Uber containing the personal information of users (name, email, and phone number) and data relating to 600,000 drivers in the United States. To prevent the attack from coming to light, the company paid the hackers $100,000.
The data theft at Equifax was the biggest hack of sensitive personal data in history. An organized group of cybercriminals took advantage of a security breach within their web application to steal information on 143 million customers, taking their social security numbers, postal addresses and even driving license numbers.
Whereas failure to notify users of the breach led to some legal entanglement for Uber (made worse by their payout to hackers), in the case of Equifax, their inconsistent statements about the vulnerability and their post-breach lack of commitment to consumers demonstrate a highly unprofessional approach.
To avoid situations like these, it is crucial for security updates to be a part of your business strategy — and notifying authorities, though unpleasant, should always be the first step to take after a breach. What happened at Uber can also teach us another lesson: sharing credentials via code is not such a great idea. This bad practice is what gave hackers access to the servers, having obtained the credentials thanks to the code that Uber developers published on Github.
Attacks are not just a matter of malware
Not everything is ransomware (although, if you follow cybersecurity in the media, it may sometimes feel that way). With malwareless attacks, attackers assume the identity of the administrator after having obtained their network credentials using non-malicious tools on the company’s devices. Malwareless attacks are sure to be a trend in 2018, so we would do well to learn from these cases.
PandaLabs detected a case in which the attackers used Sticky Keys to sneak through the back door, accessing the computer without entering credentials. This remote access can then be monetized by generating online traffic that can be sold to third party websites or by auctioning access to the compromised machines. Another example is the use of Powershell for cryptocurrency mining.
To combat these attacks, advanced tools combined with Threat Hunting methods based on user behavior are essential. Monitoring the corporate network in real time and giving visibility to the activities in the teams, we can discover what legitimate tools are being violated and protect our companies.
Secure passwords do not have to be hard to remember
Despite the suggestions of Bill Burr, which for years governed the policy of password creation in the online environment, a secure password should not be difficult to remember. This year we learned that even those that combine alphanumeric, uppercase and lowercase, and special characters can often be guessed by a computer. Given that human behavior is predictable, computer algorithms allow cybercriminals to detect weaknesses and patterns, and with them they manage to decipher our passwords.
In 2017, we witnessed a radical change in the recommendations of the National Institute of Standards and Technology (NIST) to create a secure password. Now we are encouraged to use compound sentences with random words that are easy for us to remember; that way, a bot or a computer can not crack the password by means of countless combinations. The password, then, can still be easily remembered by the user, but it will be difficult for a cybercriminal to decipher it.
The malware tries to go unnoticed
Malware is growing exponentially. PandaLabs registered 15,107,232 different malware files that had never been seen before. Only a small part of ¡ total malware is truly widespread. That is, most malware changes every time it infects, so each copy has a very limited distribution and always tries to go unnoticed.
Having a limited life, the malware attacks the smallest possible number of devices to reduce the risk of being detected. In this sense, it is essential to choose an advanced cybersecurity platform to recognize and respond to attacks in real time.
Be quick to implement patches
When it comes to patches, it’s never too early. The idea is to implement a method of action according to the characteristics of the architecture of our company (its systems, services and applications) in which we evaluate the implications of patching >(or failing to patch). Once this is taken into account, acting quickly is essential. Equifax, to give just one example, was first attacked in May 2017 because they hadn’t patched a vulnerability detected in March.
Neglecting Shadow IT can be very expensive
The systems, solutions and devices used in a company, but which have never been explicitly recognized by the organization, are known as Shadow IT. This enemy in the shadows represents an overwhelming number of blind spots for the security of the company, since it is very difficult to protect something whose existence we aren’t even aware of. According to an EMC study, annual losses caused by Shadow IT reach up to 1.7 trillion dollars. Therefore, it is necessary to design affordable policies that cover the needs of workers, preventing them from resorting to unauthorized solutions. Prioritizing security awareness and evaluating why users turn to applications and tools not provided by the company could even help to improve workflows.
To start the year on the right foot, we can take 2017, internalize it, and move forward. External threats continue to grow, so our attention to basic tasks and lessons learned should do so in turn.