Year in review 2015

The most innovative and damaging hacks of 2015

The year's most significant attacks highlight how hackers are changing tactics -- and how IT security must evolve in the year ahead


Not a week went by in 2015 without a major data breach, significant attack campaign, or serious vulnerability report. Many of the incidents were the result of disabled security controls, implementation errors, or other basic security mistakes, highlighting how far organizations have to go in nailing down IT security basics.

But looking back at the year's garden variety of attacks and vulnerabilities offers deep insight into the future of malicious activity and how to defend against it. 2015 had its share of intriguing intrusions, each of which highlighted a precise area that led to the breach or that demands a new form of defense or an improved method. Over the past year, cyber criminals adopted innovative methods, and state-sponsored actors grew bolder. Motives shifted: financial gain is no longer the only reason to launch an attack. Causing physical damage, stealing trade secrets, hacking as a form of protest -- 2015 was a year in which malicious activity served many purposes.

An increasingly interconnected world means the bad guys can cause a lot of damage; more important, many malicious actors now have the skills and means to carry out chilling attacks. Below is a roundup of some of the most significant incidents of the past year, each of which pushes the overall security conversation further, showing new paths and needs for defense. Which ones did we miss?

Bitcoin heists

Bitcoin -- and the general idea of cryptocurrency -- captured mainstream attention this year, in part because of those who used the platform as cover for paying for malicious activity. Ransomware gangs demanded payment in bitcoin before unlocking victims' files and folders, and extortionists demanded bitcoin in exchange for not launching DDoS attacks against websites. But bitcoin made security headlines several times in 2015 for a different reason: thieves stole bitcoin ... lots and lots of it.

European exchange Bitstamp suspended trading after discovering one of its operational bitcoin storage wallets was compromised in early January. The exchange is believed to be the world’s third busiest and handles approximately 6 percent of all bitcoin transactions. About 19,000 bitcoins, or roughly $5 million, were stolen at the time. That wasn’t the only bitcoin attack, as China-based exchange BTER reported in February that 7,170 bitcoins, or roughly $1.75 million, were stolen from its cold wallet system. Thieves stole 10.235 BTC, or roughly $2,500, from bitcoin startup Purse in October.

Think of it as a twist on the traditional bank robbery: Instead of looting bank accounts, exchanges are raided. In addition to showing there is real financial value associated with the virtual currency, the thefts highlighted the need “for an internationally recognized security standard” for bitcoin, said Florindo Gallicchio, director of information security in the Optiv Office of the CISO. In February, the Cryptocurrency Certification Consortium (C4) proposed 10 standardized rules for the creation, storage, audit, and use of bitcoins, as part of the Cryptocurrency Security Standard (CCSS).

The amounts stolen were not small, but they pale in comparison to the 850,000 bitcoins, worth nearly $450 million, that disappeared from the Japanese exchange Mt. Gox in 2014. That exchange, believed to have handled 70 percent of all bitcoin transactions, shut down and went into bankruptcy. Japanese police believe the theft was an inside job.

As is often the case with technology, the exchanges have thus far focused on functionality and usability, with security an afterthought, said Steve Donald, CTO of Hexis Cyber Solutions. Many of the attacks relied on social engineering to gain a foothold on to the exchange’s network. Exchanges need to adopt secure code development practices, as well as dynamic and static code analysis to protect their applications. “Bitcoin exchanges should be highly incented to improve security as this will be a requirement before this new type of currency will achieve wide scale usage,” Donald said.

Cyber goes real-world

Cyber attacks that result in damage in the physical world happen far more often on TV shows than they do off-screen. It was scary when the Shamoon malware attack partially wiped or totally destroyed the hard drives of 35,000 computers at Saudi oil company Aramco back in 2012. We saw the blurring between cyber and physical again -- to be fair, the attack actually happened in 2014, and the report providing the details was released shortly before the end of that year -- at an unnamed German steel mill when attackers manipulated and disrupted control systems. The blast furnace could not be properly shut down, resulting in “massive” damages, according to reports.

There is a tendency to think cyber attacks are about stealing data or knocking systems offline. There can be real-world damage, too. An attacker can potentially compromise a pharmaceutical company’s production process or quality control systems and modify the recipe for a particular drug. Hospital systems are also vulnerable to attack, especially since many legacy systems still in use cannot be secured. As much as 20 percent of hospitals are vulnerable to attacks that can disable critical care systems, Gallicchio said.

“People can be physically hurt from a cyber attack,” Gallicchio said.

Industrial control system security comes up in a lot of conversations, but the incident at the German steel mill underscored the fact that this threat is no longer merely theoretical. One challenge facing industrial control system security, especially in manufacturing, is the simple fact that the systems are usually controlled and managed by operations and engineering departments rather than by IT. Operations and engineering teams focus on reliability at the expense of security and make decisions to maintain uptime.

Improving defenses requires “a combination of the basics and more modern defenses,” such as ensuring proper segmentation and access controls between different networks, Donald said.

Financial crime looms large

There were a number of attacks against financial institutions in 2015, but none was more audacious than the Carbanak crime ring, which targeted more than 100 banks and other financial institutions in 30 nations. Kaspersky Lab estimated the gang had stolen as much as $1 billion since late 2013 and had managed to stay under the radar for two years because it kept each transaction between $2.5 million and $10 million.

The scale of the attacks against financial institutions shows that criminals are moving away from low-value, consumer-related attacks such as identity and credit card theft in favor of high-value attacks. “The old ‘smash and grab’ jobs are becoming well-planned and well-executed operations,” said Mike Davis, CTO of CounterTack.

The FBI also warned of an increase in social engineering campaigns in which attackers send an email, purporting to be from the CEO or another senior executive, to the CFO or another executive authorizing a wire transfer. If the recipient is fooled and does not verify the authenticity of the message before making the transfer, the money is gone, usually for good.

While external attackers still pose the biggest threat to financial organizations, 2015 showed insiders can cause damage as well. Earlier this year, a former employee of Morgan Stanley pleaded guilty to stealing confidential data from more than 700,000 customer accounts while he was interviewing for a new job with two competitors. And external attackers target insiders who already have access to sensitive data. Encryption, dynamic security policies that travel with data, and robust multifactor authentication controls are some of the defenses financial institutions should consider to ensure that unauthorized individuals can’t read anything they shouldn’t be allowed to see, said Ron Arden, vice-president of Fasoo.

Health care on the breach radar

Some of the biggest breaches in 2015 involved health care organizations, including Anthem, Excellus BlueCross BlueShield, Premera Blue Cross, and CareFirst, to name a few. Eight of the 10 largest health care breaches happened in 2015, according to the U.S. Department of Health and Human Services.

It’s no surprise the attackers went after health care, as these companies often hold valuable data, including names, addresses, Social Security numbers, medical records, and financial information. That data is hard to change, which means it has a long shelf life and can be used in a variety of follow-on attacks. Attackers accessed more than 100 million medical records in 2015.

While some of the breaches may have been part of identity theft and other cyber crime activities, security experts believe Anthem was the work of Chinese state-actors. The attackers may have been after data on specific individuals for intelligence purposes, or they may have wanted intellectual property relating to how medical coverage and insurer databases are set up. The Chinese government has denied any involvement in the attacks, and Chinese authorities recently arrested individuals they claim had targeted Anthem for cyber crime purposes.

“Just like how the financial verticals evolved to the next-generation bank heists, we will soon see attackers use health care information records to support more sophisticated business models,” said Itzik Kotler, co-founder and CTO at SafeBreach.

These attacks were successful in large part because health care companies have not traditionally invested as much on security initiatives as financial institutions have. The Anthem breach, in particular, showed how far some health care companies lag on basic security best practices. As Target shook the retail sector out of its complacency in 2014, Anthem made the health care industry sit up and notice the very real dangers it faces.

Worse, encryption practices around sensitive data had no effect. In many health care breaches, users were socially engineered out of their credentials, letting attackers easily bypass encryption controls. It doesn’t take a lot, either. Attackers stole 80 million personal records from a large health care insurance company by compromising only five user accounts, Eric Tilenius, CEO of BlueTalon, said. “Every company should ask, ‘How much data would be exposed if a user account gets compromised?’ and then work to limit that exposure,” he said.
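The question Tilenius poses, “How much data would be exposed if a user account gets compromised?”, can be answered from an access inventory rather than guessed. The following is an added example, not code from the article or from any vendor quoted in it: given a constructed list of (account, dataset) grants and record counts, it computes the single-account blast radius, flags accounts that exceed a budget, and estimates how few identities an attacker would need to reach a given number of records. All dataset names, accounts and counts are invented for illustration.

```python
# Added example (not from the article): blast-radius check for
# "how much data is exposed if one account is compromised?"
# Every dataset, account and record count below is constructed.
from collections import defaultdict

# Constructed inventory: sensitive records held per dataset.
DATASETS = {
    "member_pii": 80_000_000,
    "claims_history": 12_000_000,
    "provider_directory": 250_000,
    "hr_payroll": 40_000,
}

# Constructed access grants (account, dataset). A broad service or
# admin identity that can read everything is the pattern to look for.
GRANTS = [
    ("svc_etl_admin", "member_pii"),
    ("svc_etl_admin", "claims_history"),
    ("svc_etl_admin", "provider_directory"),
    ("svc_etl_admin", "hr_payroll"),
    ("analyst_jdoe", "claims_history"),
    ("analyst_jdoe", "provider_directory"),
    ("hr_asmith", "hr_payroll"),
    ("support_kli", "provider_directory"),
]


def readable_datasets(grants):
    """Return {account: set of datasets that account can read}."""
    readable = defaultdict(set)
    for account, dataset in grants:
        readable[account].add(dataset)
    return dict(readable)


def exposure_per_account(readable, datasets):
    """Records exposed if exactly one account is compromised."""
    return {acct: sum(datasets[d] for d in ds) for acct, ds in readable.items()}


def over_budget(exposure, max_records):
    """Accounts whose single-account blast radius exceeds the budget."""
    return sorted(a for a, n in exposure.items() if n > max_records)


def accounts_to_reach(readable, datasets, target_records):
    """Greedy estimate of how few accounts an attacker must compromise to
    reach target_records, counting each dataset once even if several
    accounts can read it. Returns None if the target is unreachable."""
    remaining = dict(readable)
    seen, covered, count = set(), 0, 0
    while covered < target_records and remaining:
        # Pick the account that adds the most not-yet-covered records.
        acct = max(remaining,
                   key=lambda a: sum(datasets[d] for d in remaining[a] - seen))
        gain = sum(datasets[d] for d in remaining[acct] - seen)
        if gain == 0:
            break
        seen |= remaining.pop(acct)
        covered += gain
        count += 1
    return count if covered >= target_records else None


def report(grants=GRANTS, datasets=DATASETS, budget=1_000_000):
    """Print a short exposure report; returns the exposure map."""
    readable = readable_datasets(grants)
    exposure = exposure_per_account(readable, datasets)
    for acct, n in sorted(exposure.items(), key=lambda kv: -kv[1]):
        print(f"{acct:16} {n:>12,} records")
    print("over budget:", over_budget(exposure, budget))
    return exposure


if __name__ == "__main__":
    report()
```

Running the report on the constructed data shows the shape of the problem Tilenius describes: one service account exposes more than 92 million records on its own, so a single phished credential is enough to reach the 80 million mark, and the budget check flags the two identities that need their grants split or narrowed.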

“It doesn’t matter how strong your security platform is, if employees aren’t properly trained in best security practices, it all can go out the window,” said Garry McCracken, vice president of technology at WinMagic.

Attacks as part of a long game

Perhaps the most intriguing, significant, and shocking security incident of 2015 was the attack on the U.S. Office of Personnel Management. The personal data of millions of government employees, U.S. military personnel, and government contractors who had undergone background checks and security clearances was stolen. In a typical data breach, attackers target an organization because they want the information it holds. In the OPM case, the attackers didn't want the records for their own sake, but to obtain background information on targeted individuals.

“[The OPM breach] represents human targeting at its finest, understanding that people are our biggest security risk … our weakest link in the chain,” said Renee Bradshaw, manager of solutions strategy at NetIQ, the security portfolio of Micro Focus.

The method of attack followed a formula: Target a subcontractor in a social engineering attack and steal credentials to gain access to the network. Plant malware on a system and create a backdoor. Exfiltrate data for months, undetected. The level of poor security practices at OPM “was astounding,” including lack of consistent vulnerability scanning and two-factor authentication, as well as untimely patch management, said Bradshaw.

The OPM breach also emphasized organizations' vulnerability to social engineering. Government employees and contractors are now subject to security awareness training programs to learn about the dangers of spear phishing and other social media threats.

Vulnerabilities out of control

The attack against Hacking Team over the summer was an eye-opener. The Milan-based company developed and sold surveillance software to government agencies around the world. The company relied on zero-day vulnerabilities to develop software that was difficult to detect and could intercept communications. When an unknown individual released more than 400GB of data stolen from Hacking Team, including email communications, business documents, and source code, security researchers uncovered proofs-of-concept for three different zero-day vulnerabilities in Adobe Flash Player. While Adobe scrambled to fix the flaws as quickly as possible, cyber criminals were able to create exploits and use them in large-scale attacks.

“Hoarding zero-day exploits at both the national and private level is dangerous for everyone. We can’t expect to come out on top if we are sitting on these types of vulnerabilities,” said Tom Gorup, security operations leader at security consulting firm Rook Security.
