There have been more than 600 data breaches this year, so people who want to pick out the most serious incidents have plenty to choose from. It’s not simply a case of finding the breaches involving the highest number of stolen records, because a breach compromising names and email addresses isn’t the same as a breach compromising payment card information. Besides, infrastructural damage and knock-on effects can be just as costly – if not more so – than stolen information.
Picking out the top incidents or trends is therefore tricky, but Wired recently made the case for the following to be atop our list of biggest concerns.
Russian grid hacking
Rumours of state-sponsored attackers infiltrating power suppliers dates back to at least 2016, when the US Department of Homeland Security confirmed that malware used to attack the Vermont-based Burlington Electric Department was associated with Russian civilian and military intelligence agencies.
Following this discovery, Vermont Representative Peter Welch said the attack evidenced Russia’s “systematic, relentless, predatory” hacking.
Many experts believe this is just the tip of the iceberg and that similar attacks are still taking place. Russia has long been assumed as the perpetrators (because everybody points the finger at Russia or North Korea), but in March 2018 the White House publicly blamed Russia for grid hacking.
“Though these attributions were already widely assumed, the White House’s public acknowledgement is a key step as both the government and private sector grapple with how to respond,” writes Wired.
Attacks on universities
In March 2018, the US Department of Justice indicted nine Iranian hackers for allegedly attacking more than 300 universities across the globe, as well as several other public organisations and 47 private ones.
The criminals are thought to have used spear phishing attacks to trick university lecturers and other staff into clicking malicious links and providing network login credentials. The attack had a shockingly high success rate, with 8,000 of the 100,000 targets handing over their details. Almost half (3,768) of the victims were based in US institutions.
The Department of Justice says the compromised information – which is almost entirely intellectual property – is worth $3 billion (about €2.5 billion). Intellectual property is rarely targeted by criminals, because it has limited use and few people would be interested in purchasing it, but the number of attacks involving IP has risen dramatically in the past few years.
In September 2017, the Times reported that intellectual property theft at British universities had doubled since the start of 2016. Carsten Maple, director of cyber security research at Warwick University, said criminals could make “a very good business case” for hacking universities because of the low costs incurred and their poor digital defences.
Dr Anton Grashion, head of security practice at Cylance, agreed, telling the BBC that the open networks many universities run make them a “tempting and easily accessible” target.
He added: “It’s no surprise that universities are suffering from an increase in security breaches. Their network environments are some of the most challenging networks to manage, with usually smaller security and staffing budgets.”
Breaches of all forms continue to rise in 2018, but Wired says we should be particularly concerned about data exposure – a type of breach in which an organisation inadvertently leaves information publicly accessible. This often occurs when databases are misconfigured or aren’t password-protected.
In June 2018, security researcher Vinny Troia discovered an exposed database belonging to US-based marketing and data aggregation organisation Exactis. It contained almost 340 million records pertaining to US citizens, with phone numbers, home addresses, email addresses and other “highly personal characteristics” compromised. The database also included information about millions of organisations.
Exactis fixed the problem as soon as it was told about it, but it’s not known how long the information was exposed. Anyone who came across it before Troia could have misappropriated the data and used it for malicious purposes.
Tackling cyber crime
We are committed to helping organisations stay secure and face whatever problems come their way. There are many steps you can take to prepare yourself, from adopting information security best practices to putting in place measures to respond to incidents.
The trends identified by Wired suggest that one of the most important things organisations should be doing is looking for flaws in their systems. This process, known as penetration testing, involves an expert going through an organisation’s applications, systems and networks in the same way as a criminal hacker would, and letting the organisation know what vulnerabilities they find.
Penetration tests enable organisations to identify and address security weaknesses promptly. They are particularly helpful when developing products and services, as organisations can fix problems before criminals have a chance to exploit them.
IT Governance is a CREST-accredited provider of penetration tests. We offer a range of services to help organisations of all sizes manage their cyber security strategies.