As the year draws to a close, it is time for that annual tradition of mine, the top ten blunders or “oops” in the information security field. Not all of these are necessarily hacks of companies. Some of them are government related and as you’ll see from the list, the government is playing more and more of a role in information security, partly out of necessity and partly politics. I’m also including a lessons learned section in each one, so hopefully, through the misery of others, we can improve. So without further ado, here are the awards for the biggest screw-ups in the InfoSec field, in reverse order:
#10: State of Montana Health Department Hack
I mentioned government in the opening, and government data stores are increasingly becoming targets for attack. In this case, over 1 million records were stolen from the Montana State Health Department. Government agencies often secure their systems poorly and, in the push to make use of the web, put too much personal information online where it is easily accessible. Lesson learned: be careful how much information you provide to a government agency, and question them when they use things like Social Security numbers as ID numbers or don’t have sufficient controls in place to verify outside inquiries.
#9: P.F. Chang’s Restaurant Card Readers Hack
In June of 2014, P.F. Chang’s announced that their credit card payment systems had been hacked in an ongoing breach that went back 8 months. It is still unclear exactly how many cards were stolen, but it occurred at 33 locations, so you can imagine quite a few. The lesson learned here is to have the proper detective controls in place, like file integrity checking, robust log review and monitored intrusion detection systems, so that even if a hacker does get into your systems, you have the means to catch it quickly and respond.
#8: Evernote / Feedly Extortion Hack
This denial of service attack disabled these popular apps, which have about 100 million users between them. The attacks came with a ransom demand: the companies were to pay in order to stop the attacks. The companies refused and eventually defeated the attack, but expect these types of extortion attacks to continue and increase in the future. Lesson learned: build a robust network with backups so you can survive a denial of service attack and continue to serve your customers.
#7: FBI coming out against strong encryption on personal devices
When Apple announced that their devices would have encryption so strong that not even they could break it, the FBI criticized them for preventing access for law enforcement purposes. However, consider: if the FBI did have a back door, how long would it be before hackers gained access to it and had a virtual skeleton key to every Apple device on the planet? Lesson learned: stronger controls at the individual level are almost never a bad idea, and as our earlier example shows, you can’t count on the government to protect you from the bad guys.
#6: J.P. Morgan Hack
This major US bank, along with several other unnamed institutions, was hacked, and tens of millions of customer financial records were taken. This happened around the time of the US/Russian stand-off over the Ukraine crisis, and there was some indication that it might have been perpetrated by state actors on the Russian side in response to sanctions. Apparently this hack got through because one of their systems wasn’t protected by the two-factor authentication that is required for all online banking systems. Lesson learned here: industry standards and best practices exist for a reason. Those who fail to follow them will be the first targets for hackers. Don’t be the slowest antelope in the pack.
#5: CIA versus Congress
In a blowup only Congress could invent, earlier in the year Dianne Feinstein, chairwoman of the House intelligence committee, accused the CIA of hacking their computers to track their investigation of the CIA’s enhanced interrogation techniques used during the post-9/11 wars. This quickly devolved into a he said/she said verbal brawl, with the CIA accusing the House members of having classified documents they shouldn’t have and the House accusing the CIA of hacking and breach of powers. No one came off looking good in this political-style grudge match, but the CIA definitely did not come out smelling like a rose when the scathing report was finally issued.
#4: Net Neutrality Debate
While this isn’t strictly an info-security issue, the ongoing debate over “Net Neutrality” will definitely affect the way your data is stored and handled by large providers. I won’t take a side in this one, except to say that the debate here is mostly over rights and restrictions on cable companies and massive telcos, not the average user. Lesson? Whatever ends up happening, it most likely will not result in a lower cable or Internet access bill for you, or better security on their networks.
#3: eBay Hack
Early in the year, eBay announced it had been hacked and the hackers had made off with up to 233 million users’ information. Though the information taken was mostly limited, the damage to eBay’s reputation, which relies on millions of users buying and selling things on its site, was not. The hack was traced back to a compromise of an employee’s credentials, probably through a phishing attack. The lesson here is that you cannot educate your employees enough about the importance of cyber security. From the lowest warehouse worker to the executive suite (especially there!), everyone in the company should be regularly trained on how their attitude towards security can affect the company.
#2: Home Depot Hack
In one of the largest thefts of customer credit card information to date, Home Depot was hacked this year for a total haul of 56 million customers’ credit card records. The Target hack in 2013 was only slightly larger and used similar techniques (malware installed on credit card machines). It turns out Home Depot was in the process of upgrading their security in response to the Target incident, but it was too late. Lesson here: it’s never too early to upgrade your security. Secondary lesson: make sure your firm’s cyber-fraud insurance is updated and sufficient to handle a major attack. Home Depot’s wasn’t, and they will be paying the balance, to the tune of tens of millions of dollars, off their bottom line.
#1: Sony Hack over “The Interview”
This hack is probably the highest profile hack of the year, partly because it happened to a movie studio in the process of releasing a high profile movie and partly because the alleged attacker was a state actor, in this case North Korea. It became a national security issue when the hackers threatened physical violence against theaters that showed the movie on Christmas Day. While Sony ended up releasing the movie after all, the lessons learned here make a long list: they had been hacked before (their PS3 game network) and apparently did not sufficiently improve their security. They stored massive caches of critical data with no encryption on their network, and they had no detective controls to notice terabyte-sized downloads from their corporate network. Sony could be the poster child for how NOT to do computer security (or how to not do it at all). But the main lesson I want you to take away from this is that no matter how bad it is, make lemonade from lemons. In the end, they wrapped the American flag around themselves and released the movie anyway, gaining some sympathy from the public. Perhaps the sympathy will lessen once the public sees what is probably not destined to be one of the classic greats. However, they also used the incident as an excuse to simultaneously release the movie on streamable video, a business model that studios have tried for years to implement. Don’t get me wrong, the damage done to their firm and reputation will take years to fix, not to mention the millions of dollars of lost revenue from a large theatrical release. But hopefully, hopefully this time they will learn ALL the lessons listed earlier and truly fix their legion of security issues so as not to be a victim again. And hopefully you all will heed these lessons and have a safe AND breach-free 2015. Thanks for reading and see you again in 2015!