Celebrating Security Every Day of the Year

By Destiny Bertucci, Head Geek^™, SolarWinds

Did you know that Safer Internet Day is celebrated during the month of February, to remind us of the importance of data security? It’s a worthy holiday, but I’d like to remind you that securing your infrastructure and data should be a focal point for both you and your IT department not just for one day, but all year. There’s perhaps no better evidence of this fact than taking a look back at some of the most prominent security incidents of 2016, which ended up being a very eventful year in cybersecurity.

Before we get started, I’d also like to offer a few best practices from SolarWinds that, when applied alongside knowledge of recent security trends and attacks, will help bring you one step closer to a safer internet every day.

– Plan and document security policies and rules

– Institute an incident response plan

– Employ an arsenal of tools to monitor and help prevent attacks in real-time, including anti-malware, data loss prevention, security information and event management (SIEM), and patch management

– Know the baseline normal performance across your environment; set up alerts for increases in bandwidth usage, CPU, memory, volume, and interface utilization

– Establish a set password expiration/rotation policy

– Consider the security impact of new devices like wearables and Internet of Things (IoT) devices that may be connecting to your corporate network, and educate end-users appropriately

– Restrict administrator rights on all systems, if possible

– Educate end-users on phishing and social engineering scams, and discuss the impact of security breaches with them

Dyn

The Dyn^® DDoS attack that occurred in October 2016 left many customers without service. The pervasiveness of IoT-enabled devices is largely to blame, as unprotected devices are easy entry points to the internal networks they connect to. The attackers installed malware on IoT devices that connected to Dyn’s servers (webcams, printers, etc.), which then inundated the vendor with requests from tens of millions of IP addresses and resulted in disrupted service. Much of the East Coast of the United States was compromised during the attack, which exposed serious vulnerabilities in the rapidly expanding ecosystem of IoT devices. One of the biggest and most obvious takeaways after the attack was the need for stronger standards and protocols for IoT security.

Yahoo! (Part 1)

In September 2016, Yahoo! ^® announced that in late 2014, it had fallen victim to a data breach that resulted in the loss of at least 500 million accounts. At the time, this was the largest breach of a single site in history. Stolen information included e-mail addresses, passwords, full user names, dates of birth, and telephone numbers.

Yahoo! (Part 2)

Less than three months after disclosing its first data breach, Yahoo! announced a second breach that was discovered while investigating the 2014 breach. The second reported breach took place in 2013, and may have compromised over 1 billion Yahoo! accounts and associated personal data—a breach three times as big as all major retail breaches in the past decade combined. Authorities are still investigating how the 2013 breach was achieved. In the meantime, all Yahoo! users have been encouraged to change their account password, as well as any other online accounts with the same login credentials, and switch to Yahoo! Account Key, a tool that authenticates a user’s identity with a mobile phone rather than a password.

Snapchat

Early in 2016, Snapchat^® revealed that its stored information regarding current and past employees had been compromised in a phishing incident. This announcement came just two years after a massive amount of their data was leaked in late 2013. A hacker posed as Snapchat CEO, Evan Spiegel, and requested sensitive information like Social Security numbers and payroll information. Unfortunately, the Snapchat internal security system and employees were both unable to detect the scam until the information had been shared. After reporting the incident to the FBI, Snapchat was able to regain control of its employee data.

University of Central Florida

In February 2016, the University of Central Florida discovered a breach of the school’s computer network that had compromised the personal information of current and former students and faculty. The data loss included names, Social Security numbers, student ID numbers, and registration information. Although the cybercriminals who perpetrated the attack have yet to be identified, the university has since begun a program to enhance user security on its computer networks, including expanding security information and training.

Cisco

Imagine merely applying for a job and then suddenly finding yourself the potential victim of a data breach. That’s exactly what happened in late 2016, after an incorrect security setting on the mobile version of Cisco’s Professional Careers website created a privacy hole that exposed the personal information of job seekers. The security vulnerability exposed sensitive data including names, addresses, emails, phone numbers, usernames, passwords, answers to security questions, resumes, and cover letters. In response, Cisco^® said it reset user passwords and disabled the ability to access the site via security questions.

U.S. Department of Justice

In early 2016, the U.S. Department of Justice (DOJ) was subjected to a devastating data breach that led to the release of personal information from over 30,000 employees of the FBI and Department of Homeland Security. This leak included names, potentially classified job titles, and contact information. Ultimately, the hacker was able to infiltrate a DOJ employee’s email and from there, social engineered their way to the DOJ intranet and associated databases via an unsuspecting aide, stealing 200 GB of data (and allegedly had access to 1 TB of data).

LinkedIn and Myspace

The 2016 LinkedIn^® breach expanded on the 6.5 million encrypted passwords that were exposed and posted online after a breach in 2012. The more recent attack allegedly included 167 million LinkedIn accounts. The problem was extremely pervasive, as not only did LinkedIn’s outdated security policy mean the encrypted passwords were easier to unscramble, but many end-users often reuse passwords, thus offering attackers potential access to much more sensitive data.

Just one week later, it was revealed that 360 million user emails and passwords were stolen from MySpace^®.

21^st Century Oncology

In March 2016, 21^st Century Oncology announced that 2.2 million of its patients had personal information stolen as a result of a data breach in 2015. The patients, impacted across all 50 states, had their names, Social Security numbers, physician names, diagnoses, treatment data, and insurance information compromised, although there is no evidence that the compromised information has been used in any way. Following the incident, the organization has taken additional steps to enhance internal security protocols and help prevent a similar incident in the future.

Despite this, at least 13 separate federal class-action lawsuits have been filed against 21^st Century Oncology in response to the data breach. According to the Department of Health and Human Services, “the 21st Century Oncology breach was the largest such data security issue of 2016 involving 500 or more patients.”