As 2020 draws to a close, another flurry of significant cyber-breaches added to the bad news that swept through a particularly grim year. Early this month, for example, we learned that FireEye – one of the world’s largest cybersecurity firms – was the victim of a sophisticated attack that undermined software tools used to test the defenses of thousands of customers.
Internal systems were also hacked, apparently in pursuit of information about government clients. Experts said the attacker – likely the Russian government – could eventually leverage this data in future attacks against FireEye’s customer base, including US national security agencies.
Less than a week later, there was yet more digital pain. Apparently the same attacker breached the computer systems of the US Treasury and Commerce departments in a government-focused attack related to the FireEye intrusion, exposing up to hundreds of thousands of networks.
For years, select experts have said that cybercrime was the greatest threat to every company in the world, and it’s depressingly clear that it’s as abundant as ever. Cybersecurity technology keeps improving, but so too does the prowess of hackers. The two are essentially in a standoff – and it’s durable.
This year, a number of high-profile cyber-breaches have been aggravated by the tendency of corporations worldwide to let tens of millions of employees work from home, rather than in the office, to help protect them from the COVID-19 pandemic. This creates an uneven security layer between the corporate network and attackers, often serving as their system entry point.
And yet traditional corporate targets were also commonly penetrated once again.
Perhaps the most embarrassing breach occurred at Twitter, where hackers took over the Twitter accounts of high-profile US personalities such as Barack Obama, Elon Musk, Joe Biden and Bill Gates, reset their passwords and posted fake tweets from their accounts. Among the biggest breaches, meanwhile, was one that impacted the data of more than 5.2 million Marriott hotel guests who used the company’s loyalty application. In the first half of the year alone, 81 global companies were breached, according to Security Boulevard.
As usual, attackers got in through a myriad of different types of attacks, including, to name just a few, phishing schemes, ransomware, compromise of IoT devices, and zero-day and advanced persistent threat attacks.
In many quarters, the biggest cyber-scourge is ransomware attacks. And seriously rivaling ransomware are ubiquitous phishing attacks, which, at least according to a recent Microsoft survey of business leaders in four countries, have now become the biggest single security risk.
It’s not that corporations writ large have not been investing more in cybersecurity and, in general, doing a respectable job.
Some, for instance, have even begun studying the likes of applied cryptography, especially in the vulnerable cloud. This is the technique of enciphering and deciphering messages to maintain the privacy of computer data. Related to this is homomorphic encryption (HE), which protects data in use, as well as stored data, and has been called the Holy Grail of encryption.
This is important stuff because there is a big security gap in cloud services today. Companies routinely encrypt data kept in storage and make certain only encrypted data is transported to and from cloud storage facilities. But in order to act on this data—to, say, do a simple search or perform an analytic—both the query and the stored data must be decrypted. This creates an opportunity for an alert intruder lurking on the network to steal the data in unencrypted form.
HE and other advanced technologies are likely to become a big security plus over time. But they don’t stop breaches per se.
Companies need to know which cyberthreats are the most dangerous, because that knowledge shapes cybersecurity strategy and priorities. Some of the worst threats include:
+ A new generation of increasingly complex zero-day threats. These are able to surprise defenses because they carry no detectable digital signatures. According to the Ponemon Institute Study on the State of Endpoint Security Risk, zero-day attacks now account for more than a third of attacks targeting businesses. Typically, hackers penetrate inadequately secured email systems to exploit a vulnerability before developers have a chance to fix it. In this case, prevention is the best form of protection.
+ Continuing improvement of Advanced Persistent Threats. APT hackers burrow into networks and stay there for months, typically employing complex strategies to stealthily steal data right out from under the nose of a business. Again, prevention is the best form of protection. Strong defenses, such as firewalls and antivirus, are a key part of preventing APT malware from being installed on computer systems, as is training employees not to share account details and to practice safe web browsing.
+ Internal attacks. Some studies have shown that employees are responsible for more than half of attacks, often via inadvertent mistakes such as unknowingly downloading dangerous malware. To minimize risk, one helpful step companies can take is to limit the systems and IT resources users can access to the minimum required to do their job. Also helpful is revoking an account’s access privileges as soon as that account is known to be compromised.
+ IoT attacks. “Smart,” inexpensive devices are ubiquitous in a myriad of applications, ranging from security cameras to Wi-Fi-enabled speakers, and they are growing at an astronomical rate. The problem is that many of these devices have mediocre security. Worse yet, IoT devices are often overlooked when it comes to applying security patches, making them easier to compromise. To help prevent attacks, companies need to create a thorough inventory of all IoT devices on their network so that each device’s firmware can be kept up to date. Applying those updates closes vulnerabilities the manufacturer has already patched.
Overall, smart companies can get a good handle on their biggest threats by following some fundamental steps. These include setting up a security strategy and running security audits on a regular basis, educating employees to focus on cybersecurity awareness, and requiring unique and strong employee passwords. Companies should also apply end-to-end encryption to all confidential files and have a strong backup policy for protection against ransomware attacks.
Bottom line, unending and increasingly sophisticated cyberattacks are a war of sorts—and no war can be won without the strongest defenses possible.