In their X-Force Threat Intelligence Report 2016, IBM tells us that some small improvements have been made in cybersecurity over the past year. After some estimates suggested that there had been more than one billion personally identifiable information (PII) leaks, 2015 saw areas of slowed growth, and even some areas of improvement. However, 2015 also saw an increase in the sophistication of techniques, and attacks beyond US borders.
While “lower value” PII like e-mails, passwords, and credit card data was still attractive, the demand for leaked data trended toward higher value records like health-related and other sensitive data. One example of this was the US Office of Personnel Management data breach which included security clearance information, fingerprints, background check data, and comprehensive personal details of millions of federal workers.
Other trends included breaches exposing over 100 million PII records, infected ads (“malvertising”) that installed ransomware and other types of malware, and a reminder of the importance of basic security practices when misconfigured NoSQL databases exposed more than 200 million records combined.
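The misconfiguration behind those NoSQL exposures is usually the same pair of settings: a database that listens on every network interface while authentication is switched off. As an added example that is not part of the IBM report or this summary, the following Python script audits a MongoDB-style configuration for that pattern and shows the weak setting beside the corrected one. The key names follow mongod.conf (net.bindIp, security.authorization); both sample configurations are constructed for this example, and treating an unset bindIp as "listen everywhere" is a deliberately conservative assumption of the checker, not a statement about any particular server version.

```python
"""Audit a MongoDB-style configuration for the 'reachable off-host and no
authorization' pattern.  Added example; the configurations below are
constructed, not taken from any real deployment."""
import ipaddress

# Constructed sample: the weak setting (listens on all interfaces, no auth).
WEAK_CONFIG = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "security": {},  # authorization not enabled: anyone who can connect can read
}

# Constructed sample: the corrected setting (loopback plus one private address,
# role-based authorization switched on).
HARDENED_CONFIG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled"},
}


def listen_exposure(bind_ip):
    """Classify the listen addresses as 'wildcard', 'external' or 'local'.

    'local' means every address is loopback or RFC 1918 private space.  An
    unset value is treated as wildcard (assumption of this checker, so that a
    missing setting is never silently rated safe)."""
    if bind_ip is None:
        return "wildcard"
    worst = "local"
    for token in str(bind_ip).split(","):
        token = token.strip()
        if token == "localhost":
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            return "external"  # a hostname we cannot classify: treat as exposed
        if ip.is_unspecified:  # 0.0.0.0 or ::
            return "wildcard"
        if not (ip.is_private or ip.is_loopback):
            worst = "external"
    return worst


def audit_mongod(config):
    """Return (severity, findings) for one parsed configuration.

    severity is 'critical' when the server is reachable beyond the host AND
    authorization is off (the 2015 exposure pattern), 'high' when only one
    of the two problems is present, and 'ok' otherwise."""
    findings = []
    exposure = listen_exposure(config.get("net", {}).get("bindIp"))
    if exposure != "local":
        findings.append(f"listens-{exposure}")
    auth_on = config.get("security", {}).get("authorization") == "enabled"
    if not auth_on:
        findings.append("authorization-disabled")
    if exposure != "local" and not auth_on:
        severity = "critical"
    elif findings:
        severity = "high"
    else:
        severity = "ok"
    return severity, findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        severity, findings = audit_mongod(cfg)
        print(f"{name:9s} {severity:9s} {findings}")
```

The same check extends naturally to other data stores that default to unauthenticated network listeners: swap the key paths for the product's own listen-address and authentication settings and keep the severity rule, since it is the combination of reachability and missing authentication that turned misconfiguration into mass exposure.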
Retail breaches shifted from targeting larger retail chains to instead targeting smaller businesses, POS service providers and niche payment systems. Hotels were also targeted including Trump, Starwood and Hyatt and, in these cases, the POS service, again, was often a target.
In addition to the more traditional theft of information for sale, 2015 saw an increase in the theft of highly private data from adult websites including Adult Friend Finder and Ashley Madison. These breaches created opportunities for extortion and social engineering, were linked to a number of suicides, and highlighted the problems that arise where physical and digital identity overlap.
Digital attacks also became more physical, including researchers remotely taking over a vehicle, and attackers disrupting electricity in a region of Ukraine for several days. It was discovered that attackers had made over $100M USD over five years by infiltrating public relations websites and trading on insider information from not-yet-published press releases. Finally, a DDoS attack grounded a Polish airline's flights in Warsaw.
There is also concern that the success of ransomware schemes targeting end users has created opportunities for other types of cyber-extortion. Organized crime groups like DD4BC and the Armada Collective attempted extortion campaigns that attacked private secure e-mail providers. Most businesses tolerated sustained outages while they solved the problem through their own defenses rather than pay the ransom.
Attacks of opportunity – those that cast a wider net for smaller fish – continue to be an issue. This is exacerbated by a new generation of developer tools and frameworks that make it possible for developers to create large scale sites including dating communities, media, and applications, without having the knowledge to make them secure.
IBM’s forecasts for cybercrime breaking borders, rising card-not-present (CNP) fraud, an escalation in the sophistication of mobile threats, wide use of anonymity networks and stronger encryption, burgeoning fraud methods for new payment schemes, and biometrics becoming a target were not just met, but actually exceeded in 2015.
The report suggests that the reason for the unprecedented rate of these cybercrimes lies in the increased presence of full-blown criminal organizations that operate like businesses with dedicated teams for various tasks, talented developers, strong connections and collaboration, and massive funding. This, in turn, led to a scaling up of the magnitude and breadth of every type of malware cyberattack. The network of providers who supply these organizations with infrastructure, services and crime-specific commodities has come to be known as “Crimeware as a Service” or CaaS and they are not only providing options for PC-based crime, but also for more difficult to master mobile phone-based crime.
In 2015, IBM X-Force found a total of just under 9,000 new security vulnerabilities, the highest number they have recorded in 20 years of tracking. Common reasons for security incidents continue to include weak password policies, excessive privileges, missing patches, denial-of-service attacks, data server misconfigurations, lack of encryption and more. On an organization-wide level, IBM notes that organizations can be more secure by monitoring vulnerabilities that may affect the technologies they rely on for protection, knowing all the sources of their data through a thorough asset inventory, understanding how critical their vulnerabilities are and the danger they pose to supporting and growing the business, and completing vulnerability scans to identify risks and remediate the vulnerabilities found.