No longer just the concern of IT, cybersecurity is the bad boy headliner that dominates centerstage and all stages beyond. Teri Robinson reports.
At the recent Lonestar Blues and Heritage Festival in, where else, Texas, fans bounced between the main stage where headliners strutted their stuff and the porch stage where more modest acts plucked their guitars – and they all had one thing in common: blues, once relegated outside the mainstream, permeated everything.
That’s how it is with cybersecurity. It’s now the headliner on the main stage and it fills the side stages, too, holding the crowd in its thrall, with hot licks and tricks. Whether you scurry or stroll leisurely from one stage to the next depends entirely upon your security posture.
“Cybersecurity is everyone’s problem, and the current state is troubling. According to Gartner, 99 percent of breaches exploit known infrastructure vulnerabilities,” says Thomas Hatch, CTO and cofounder of SaltStack. “If this isn’t indicative of a pervasive systematic problem with our cybersecurity efforts, I don’t know what is.”
“Cybersecurity made headlines for all the wrong reasons in 2019. There seemed to be more thefts and breaches involving digital identity than ever before,” says Shahrokh Shahidzadeh, CEO at Acceptto. “Even trusted technologies like MFA generated negative headlines.”
The following acts took the stage during the past year.
2019 may have left you wondering, yet again, if anyone at all bothered to secure their AWS S3 buckets or any other cloud-based database for that matter. Just recently, an unsecured Elasticsearch database, uncovered by security researcher Bob Diachenko, exposed the account information of about 7.5 million Adobe Creative Cloud users.
And researchers Noam Rotem and Ran Locar from vpnMentor claimed to have found an open Elasticsearch database containing five million records related to 1.5 million Freedom Mobile customers, though those figures were disputed by the telecommunications company.
The exposed files contained email addresses, home and mobile phone numbers, home addresses, dates of birth, customer types, IP addresses connected to payment methods and encrypted credit card and CVV numbers.
Whether it was a credit firm, a subscription television company or online casinos, no one, it seems, was immune from the folly of misconfiguring servers and databases in the cloud.
“We’ve learned a lot about infrastructure security over the past year. It is well known that misconfigurations are an ever present danger,” says James Condon, director of research at Lacework. “Hardly a week went by in 2019 without learning of a new data breach coming from something like an internet accessible Elasticsearch cluster with no authentication, containing highly sensitive data.”
If cybersecurity was indeed like a music festival, then ransomware would be its Mick Jagger, brazenly strutting across the stage tongue out, an in-your-face reminder that your organization – particularly if you’re a municipality or hospital – could be the next to fall prey.
“In 2019, local and state governments prove to be low-hanging fruit for ransomware attacks and there seems to be no end in sight,” says Mickey Bresman, CEO, Semperis. “The recent influx of city ransomware payouts sends a strong message that public state institutions are woefully unprepared to defend themselves from cybercrime, and attackers are taking notice. Surprisingly it’s not only the major cities like Baltimore, Atlanta or Dallas that are being attacked,” but also “lesser known” cities like Riviera Beach and Lake City in Florida.
Noting that since 2015, “ransomware has evolved into a billion-dollar business” with the ransom pricetag “strategically weighed to be the most affordable option for victims based on their specific circumstances,” Bresman said, “The alternative to paying the ransom is to rebuild the entire network from scratch, which costs weeks of downtime and risks permanent loss of sensitive data.”
And pay up is what many victims did. Unlike Atlanta and Baltimore, Riviera Beach and Lake City, for instance, “paid out over $500,000 in ransom to criminal groups with untraceable currency,” said Bresman.
That’s a sign of a shifting view toward mitigating a ransomware attack. “A few years ago, if a company was locked out of its data by hackers, it wasn’t necessarily inclined to pay the ransom demand. That’s because there used to be a ‘silver bullet,’ in that if the company was doing regular backups of its systems, it could restore its data,” says Robert Rosenzweig, vice president and national cyber risk practice leader at Risk Strategies.
Now more complex malware gets hackers into the production environment as well as the backup system to deploy the ransomware encryption, meaning there’s no longer a perfect mitigating control.
While the U.S. Council of Mayors this year voted on a resolution NOT to pay ransom, any competent business advisor would likely tell a client that spending $76,000 to fend off an incident that could cost that organization millions would be money well spent. That calculus is more complicated, however, when the initial outlay is not to pay for a cybersecurity preventative measure, but rather for a cybercriminal’s ransom demand.
“The true price concerns public safety,” said Bresman. “Since when is it O.K. to negotiate with terrorists? City governments could be funding the next global cyber assault. What is the moral decision to make when public safety is at stake?”
While organizations may have found it difficult to keep private information private, privacy was a mainstage act in 2019, culminating in a showstopper from California, which passed the robust, aggressive California Consumer Privacy Act (CCPA). The CCPA not only puts strict privacy requirements in place, like its GDPR sister, it levies hefty fines on violators.
Fueled by a spate of state privacy bills, including CCPA and some eye-popping, difficult-to-ignore privacy violations, it seems the U.S. Congress is finally motivated and engaged. And that puts a national law, on par with Europe’s GDPR, within spittin’ distance, as they say down South.
“When we look back, 2019 will be considered the year of the dawn of U.S. Internet privacy laws,” says Dov Goldman, director of risk and compliance at Panorays. “During the year a number of state data privacy laws were passed or went into effect in California, Nevada and Vermont. There are other similar laws in the works across the country, and it’s reasonable to expect that in 2020, we will see a few others passed.”
But Congress has led us down this path before only to cave at the last minute to inertia or political squabbling. This time, with a stringent state law on the books in California, it could be different, privacy advocates contend. “The tectonic plates are coming together,” says J. Trevor Hughes, president of the International Association of Privacy Professionals (IAPP). “Whether that creates an earthquake or a volcano remains to be seen.”
Nation-state actors up their game
Talk about pervasive. Nation-state attacks, whether on a government entity or a private sector company, are commonplace. Once shocking, no one blinks an eye these days when operatives from Russia or China or North Korea or even Iran infiltrate an organization’s systems. From hacks on antidoping agencies to ransom denial of service (RDoS) attacks to influence campaigns on social media, Russia continues its assault on government and private entities around the world, particularly in the U.S. and other Western countries.
In a particularly nefarious and sneaky effort, the Russian hacker group Turla disguised itself as Iranians and stole state secrets from multiple countries, authorities from the U.S. and U.K. said.
In an 18-month campaign, Turla, aka Uroboros, “acquired access to Iranian tools and the ability to identify and exploit them to further their own aims,” Paul Chichester, director of operations at GCHQ’s National Cyber Security Centre, said in a release. They were able to infiltrate systems of organizations located in more than 35 countries.
The Russian hackers, in some cases, seemed to use an IP address associated with Iran’s APT34, or OilRig, group to deploy an implant, which they later accessed from Turla, or Venomous Bear, which a joint advisory from the NCSC and the National Security Agency (NSA) said suggested “Turla effectively took control of victims previously compromised by a different actor.”
Other implants “had previously been connected to by Virtual Private Server (VPS) IP addresses associated in the open source cybersecurity community with Iranian APT groups,” the advisory said.
Once Turla had acquired tools and data needed to use them, it “tested them against victims they had already compromised using their Snake toolkit, and then deployed the Iranian tools directly to additional victims,” the security agencies said. “Turla sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold. The focus of this activity from Turla was largely in the Middle East, where the targeting interests of both Advanced Persistent Threats (APTs) overlap.”
An analysis of Turla’s behavior in scanning for Iranian backdoors, as well as the timeline, suggests that while the Neuron and Nautilus tools used by the group originated in Iran, “Turla were using these tools and accesses independently to further their own intelligence requirements,” the advisory said, with the scanning for backdoor shells indicating the Russian hackers “did not have full knowledge of where they were deployed.”
Robert Cattanach, partner at law firm Dorsey & Whitney, said “federal and state regulators have lost all patience with companies whose lax security measures have compromised extremely sensitive consumer information.”
Indeed, the Federal Trade Commission (FTC) walloped Equifax with a $330 million to $425 million fine that will go into a restitution fund for victims in a settlement over a 2017 breach that exposed the personal information of 148 million people.
That fine followed a $5 billion fine that the commission laid on Facebook in the wake of the Cambridge Analytica scandal after it found the social media giant violated a 2011 consent decree.
“This record-breaking fine highlights the importance of data stewardship in the digital age. The FTC has put all companies on notice that they must safeguard personal information,” said Center for Democracy & Technology (CDT) former President and CEO Nuala O’Connor.
China, too, upped its game. For instance, Chinese-speaking APT group, Calypso, has actively been targeting state institutions in six countries, hacking systems and injecting a program to gain access to internal networks, according to a report from researchers at Positive Technologies Expert Security Center.
The researchers found the hackers either exploited the remote code execution vulnerability MS17-010 or used stolen credentials.
“These attacks succeeded largely because most of the utilities the group uses to move inside the network are widely used by the specialists everywhere for network administration,” says Denis Kuvshinov, lead specialist in threat analysis at Positive Technologies. “The group used publicly available utilities and exploit tools, such as SysInternals, Mimikatz and EternalRomance. Using these widely available tools, the attackers infected computers on the organization’s LAN and stole confidential data.”
Cyberattacks continue to be the great equalizer for nation-states like North Korea and Iran that can’t afford the military necessary to launch effective kinetic attacks on enemies.
It would be remiss to let 2019 slip from view without mentioning the proliferation and growing savvy of bots. Malicious bots account for about 30 percent of all traffic on the internet, Cequence Security CMO Franklyn Jones told SC Media earlier this year. Tiffany Olson Kleemann, CEO, Distil Networks, calls them an existential threat to the U.S. economy.
“A scary 42 percent of all internet traffic wasn’t human – it was bots,” Kleemann writes. “Of that amount, 22 percent were bad bots. The remaining 20 percent were good bots that deliver useful services such as search engine indexing, stock trade execution, news updates and weather alerts.”
She notes that “bad bot volume increased nearly 10 percent last year and there’s evidence they are becoming more sophisticated – for example, producing mouse movements and clicks that fool even advanced detection methods or using malware installed within browsers to connect to sites.”
Consider that Akamai observed attackers using a technique dubbed Cipher Stunting, which uses advanced methods to randomize SSL/TLS signatures in an attempt to evade detection.
“In 2019 we observed increasing sophistication in bot characteristics, such as new types of carding bots. Carding is a brute force attack on a retailer’s website using stolen credit cards or gift cards,” said Safruti. “A single breach of CapitalOne in August 2019 exposed 100 million credit card numbers. With 4.1 billion records breached in the first six months of 2019, a 52 percent increase from the same period in 2018, it is clear that the supply of stolen credit cards is only increasing and we predict that carding attacks will further surge in number and sophistication in 2020.”
Elections couldn’t catch a break, even in what was pretty much an off year, and with the 2020 presidential contest bearing down, concerns over the integrity of U.S. elections loom large.
“Elections are approaching. Our system is vulnerable to attacks. Hackers from Russia could even get into those servers and literally change the numbers. How bad is that? Doomsday bad,” says Stella.
Not that the public would know it by looking at the Senate, where numerous election security-centric bills have either died on the vine or have been shelved to an undetermined later date.
“So you’d think that at least on this issue, our politicians would set aside partisan divisions and do the right thing – set up rules and allocate funds to ensure our elections, the very foundation of our democracy, aren’t tainted,” says Pierluigi Stella, CTO Network Box USA. “The sheer idea that the results might be fudged by hackers is already bad enough. But think about the psychological impact of the population knowing their vote might be ‘useless’ because hackers can change it. How many of us would be tempted to stay home, not vote, give up on the very thing that guarantees our liberties? How impactful would that be? Of history changing proportions!”
Lawmakers like Rep. Ted Lieu, D-Calif., who has introduced numerous bills, are frustrated and alarmed. At Def Con, Lieu told reporters Senate Majority Leader Mitch McConnell should bring the bills to a vote.
While Stella doesn’t have an answer to “what the technical solution needs to be right now,” he does “‘hope’ that this issue stays relevant, for the right reasons – because we’re trying to do something to resolve it.”
The past informs the future
Goodbye, Yellow Brick Road? Hardly. Don’t expect any of the cybersecurity acts from 2019 to embark on a farewell tour a la Elton John. In fact, their importance and effect will likely amplify in 2020.
“The technology and security adoptions in 2019 have set the stage for further security enablement in 2020,” says Condon. “Just as technology and automation has empowered developers and applications, it too will empower security. Next year we will see the difficult and complex security issues addressed with automation. This will extend from early enforcement before deployment, to continuous security of infrastructure, to automating incident response at runtime.”
Condon says 2020 will find “auditing systems move from using a pull system to report misconfigurations, to real time alerting systems that can fix the problem right away.” As a result, he expects exposed storage buckets to “immediately be made private” and fixes made to overly permissive network firewall policies.
“Servers not intended to be exposed to the internet will automatically be moved to a private subnet,” Condon says, and “appropriate logging will be automatically enabled when new infrastructure is created.”
This year’s ransomware attacks don’t bode well for 2020. “The attack on Texas municipalities, preceded by a similar attack in Florida, is a clear sign of things to come,” says Stella. “Our small cities (and one must wonder if only the small ones) are ill prepared against any form of threat. They aren’t ready to combat what hackers are hurtling their way.”
In fact, “our cities are a softbelly hackers have just discovered,” says Stella. “And since some of the cities seem willing to pay to get their data back, I’m pretty certain hackers will continue to knock on this door.”
He calls for the industry to put a “high focus” on a trio of issues in response. “Our local governments aren’t remotely prepared for what hackers are about to throw at them; should we pay for data when we get a ransomware attack?” Stella says. And finally, “our governing bodies can’t seem to get along even when it comes to protecting our democracy (the very thing we elected them to do).”
Fending off and surviving ransomware attacks may require a shift in focus. “To avoid further ransom payouts in 2020, recovery strategies must be efficient and affordable, especially for local and state governments that are already resource-strapped,” says Semperis CEO Mickey Bresman. “As ransomware attacks continue to evolve and bypass security measures, the focus needs to be on recovery. Historically, prevention and detection have been the main defenses against malware, but for ransomware we’ve already shown these approaches are only moderately effective. Recreating lost data is usually impossible or impractical.”
The Magecart attacks of 2019 have bearing on security in the year to come. “We predict that Magecart attacks will evolve in methods of infection and in tasks, including collecting more data such as username/password to execute large-scale ATO attacks, and infecting applications using drive-by, shared and free networks,” says Safruti. “With regulators cracking the whip and new regulations like the California Consumer Privacy Act (CCPA) coming soon, this pervasive client-side blind side can’t be ignored.”
Privacy will continue to grab the spotlight, with even more prominence. “The big 2020 data security story will likely be the enforcement of these new laws,” says Goldman. “As we saw clearly with GDPR, it will be some time before local regulators have the resources and the know-how to enforce them. However, given the political value and potential financial windfall from high-profile enforcements, there is no doubt that funding will materialize and investigators will be hard at work seeking and investigating juicy targets.”
But a weaker federal privacy statute that preempts state laws could throw “a wrench in the works,” Goldman says. “The internet giants are feverishly lobbying for just such a national law, as it would simplify compliance.”
The line-up for 2020 is far from being set and acts are likely to be added as the year unfolds, but it promises to be a heckuva show. Now, give me a “C,” give me a “Y,” give me a “B”…
From the December 2019/January 2020 Reboot Issue of SC Media