It’s that time of year again when the true holiday spirit is embodied by the checkout lineup and everyone likes to put together some sort of summation Top 10 list. While we are far from the exception, we thought we’d take a “naughty/nice” approach to our list, in the spirit of the elf-stained, chubby, white-bearded guy himself.
The Naughty - Top Cyber Security Breaches of 2019
Data breaches continue to dominate the headlines and with these startling numbers, it’s no surprise. According to Norton, to date there have been 3,800 reported breaches in 2019 which exposed an estimated 4.1 billion records, an increase of 54% over 2018.
Here are some of the most startling breaches, in no particular order.
Capital One - March 22/23, 2019
Considered one of the largest breaches in history, 106 million records containing customer credit card application information such as names, addresses, email addresses, self-reported income, credit scores and limits and bank balances were exposed by Paige Thompson. She exploited a misconfigured web application firewall to mine the data, costing Capital One an estimated $100-150 million USD after customer notification, free credit monitoring for its customers and legal defense.
Evite - February 22, 2019
100 million records were breached, including customers’ names, email addresses, passwords and IP addresses, when an unauthorized party got into an inactive data storage file that held sensitive information on Evite’s users dating from 2013 and earlier. Surprisingly, Evite claims that its customers’ financial and payment data was not affected, as Evite doesn’t store this information. No financial losses were reported.
Canva - February 22, 2019
Canva, a design website, experienced a security breach in which data of roughly 139 million users was exfiltrated. The exposed data included real names, usernames, addresses and geographical information, as well as password hashes for some users.
BioStar 2 - August 5, 2019
This Suprema-based security platform had 28 million records breached, affecting thousands of companies that use the service and over 1 million people across the globe. vpnMentor researchers discovered an unencrypted database that contained fingerprint data, facial recognition data, face photos of users, plain text usernames and passwords, logs of facility access, security levels and clearance and even personal details of staff.
DoorDash - September 26, 2019
An app-based food-delivery service, DoorDash revealed a breach by an unauthorized third party that potentially affected 4.9 million people. User and driver account information such as names, email addresses, delivery addresses, phone numbers, and the last four digits of payment cards and bank accounts were exposed.
WhatsApp - May 2019
According to the Financial Times, Israel’s NSO Group installed surveillance technology on the phones of WhatsApp users who answered their phones through the app, which the group of course denied. While WhatsApp has over 1.5 billion users, it is still unclear how many were actually affected.
Apple iPhone - 2017 to August, 2019
Google Project Zero researchers discovered malicious websites that were used to infiltrate iPhones, making every iPhone potentially vulnerable to exposing passwords, messages and location data. It is suspected that this was launched by the Chinese government in an attempt to monitor Uighur Muslims. Apple has been very tight-lipped about the potential breach numbers, stating that the problem was patched within 10 days of its discovery.
Miracle Systems - September, 2019
Working with the US Department of Transportation, the National Institutes of Health and, yikes, the US Department of Homeland Security, Miracle Systems was hacked and several of its systems were put up for sale on the Dark Web. As reported by Business Insider, Miracle Systems was hit by the malware strain known as Emotet, which is typically distributed through email attachments.
Microsoft Visual Studio - April, 2019
Hackers allegedly broke into Microsoft’s Visual Studio and seeded backdoors into at least three video game companies that use the tool. Wired reported that the group responsible is likely the Chinese hacker collective known as Barium and as many as 92,000 computers were running malicious versions of the affected video games. The attack is known as a supply chain hack, where hackers seed malicious code into a company’s software that is in turn distributed to clients. This is a questionable attack, as the evidence leans more to third-party sites being infected as opposed to Microsoft itself.
Fortnite Cheaters - August, 2019
Users of this massively popular online game were hit with a ransomware attack that encrypted files on the users’ computers and demanded payment for them to be unlocked. The ransomware was picked up by players who downloaded third-party software to gain an unfair advantage over other players, prompting Fortnite to respond, “Don’t download third-party applications to cheat.” Pretty solid advice across the board.
The Nice - Top Cyber Security Innovations of 2019
As quickly as hackers and malicious actors are coming up with ways to illegally obtain data, cyber warriors are coming up with ways to shore up systems and better protect sensitive data. Here are some of the top innovations that happened in 2019 and will happen in 2020.
GDPR and Tightening Regulations - While GDPR (and other regulatory laws coming into play) has not halted cyber criminal activity per se, its strict regulations and its compliance and transparency laws have not only raised public awareness, but have forced companies to take a harder stance on data protection and their overall security architecture to avoid the hefty fines for non-compliance.
Deep Learning Evolution - Deep learning encompasses a number of technologies, most notably artificial intelligence and machine learning. It focuses on anomalous behavior by looking at entities as opposed to users. Recent developments in machine-learning models now enable us to look at the various entities that exist across the enterprise at the micro to the macro levels at line speed. The more the learning database expands, the more intuitive the DL systems get, giving us a higher recognition factor of attacks at a faster detection rate.
IoT Device Hardening - IoT devices have long been tarnished by how easy they are to hack. Tightened security requirements, starting in 2020, will require all IoT devices to be sold already set up with unique passwords. It’s a start.
Hardware for Authentication - By combining a variety of hardware-enhanced factors at the same time to validate a user’s identity, Intel has built on previous efforts to dedicate a portion of the chipset for security functions to make a device part of the authentication process. View a demo of their latest attempt here.
Improved User Behavior Analytics - Compromised accounts can be flagged in systems that employ user behavior analytics (UBA). The technology uses big data analytics to identify anomalous behavior by a user.
Emerging Data Loss Prevention Technology - A key to data loss prevention is technological improvements in areas such as encryption and tokenization. They can protect data down to field and subfield levels, potentially benefiting an enterprise in a number of ways, such as foiling cyber attackers’ attempts to monetize data and enabling safe data movement across an enterprise’s infrastructure. Techradar has a good article that goes deeper into the future of DLP.
Cloud Security Refinements - As cloud storage becomes the norm, more approaches to security that are built specifically in and for the cloud will appear, such as stronger virtualized security hardware, firewalls, and intrusion detection and prevention systems. Cloud providers are dedicated to providing more robust tools for keeping cloud users’ data safe.
Of course, overall general awareness, education and good cyber hygiene - particularly with malware, phishing and ransomware attacks initiated via email - will always be the best first line of defense. The more we realize that security breaches and data compromise CAN happen to all of us, the more we can even the playing field. Or, as Bruce Schneier succinctly puts it, “Security is a process, not a product.”