Over the past year, there have been a number of disturbing developments with regards to data breaches. Not only have data breaches become more frequent, but their impact has become greater — not just in the sheer volume of information or assets stolen, but in the very nature of what hackers are targeting. The extremely sensitive data lost in the White House and Office of Personnel Management breaches are prime examples. Unfortunately, given the successful breaches of high-value targets in 2015, we can be sure that 2016 will only get worse.
With this horrifying direction and the gravity of what’s at stake, it would be a fair expectation that most enterprises should be seriously looking at how their security needs to change. Obviously, traditional security is of little value when it comes to stopping a data breach. Intruders can easily elude preventative security — generally by compromising a single user device or account — and furtively conduct their business inside a network for months before being discovered.
A big part of the problem is that security organizations are still focused on preventative security — looking for a silver bullet that will keep an attacker out of their networks in the first place. Despite a Gartner recommendation that organizations shift security efforts toward the detection of network intruders and the emergence of promising new behavioral analytic tools and security strategies, well under 1 percent of enterprises have the ability to find a post-intrusion network attacker. Cyber criminals continue to have the potential for unimpeded, long-term success.
So how will attacks change in 2016? In this slideshow, David Thompson, Sr. Director of Product Management, LightCyber, has identified data breach trends we can expect to see in 2016.
2016 Data Breach Predictions
Click through for 2016 data breach trends, as identified by David Thompson, Sr. Director of Product Management, LightCyber.
Investment Info
Data breaches will increasingly be used to gain investment information.
Most data breaches have resulted in the loss of money or other financial instruments and identity details, such as account numbers, passwords, account balances and personal identity details. Few have involved the loss of material-confidential information that could give an investor an important edge in buying or selling stock or other investments. While this was an element in the massive breach of J.P. Morgan Chase — where insiders allegedly made off with more than $100 million — it has been fairly uncommon.
In 2015, two major newswire distribution services — plus a third smaller service — suffered a data breach. Typically public companies upload press releases detailing their upcoming earnings announcement or merger and acquisition announcements to such a newswire service in advance of their public announcement. An attacker could potentially get access to these files to make a substantial amount of money by acting on the information before it is made public. This actually happened, giving financial windfall to 30 or more individuals, including a hedge fund manager. At least two of the newswire services suffered attacks dating back five years, giving criminals access to over 150,000 press releases during that period. Because the services lacked the ability to effectively detect active network attackers, the criminals could carry out their schemes without fear of being seen.
Health Care Data
Health care companies will continue to be the top target for a data breach.
According to various reports, including the recent Data Breach Index for 1H 2015 from Gemalto, health care holds the dubious distinction for having the highest number of data breach incidents compared to other industries. Ponemon’s Cost of Data Breach Study report confirms that the cost per record stolen is higher in health care than any other industry. Health care data still commands a 10x premium over financial and other personal information. At the same time, most health care companies lack the ability to find a network attacker that has circumvented preventative security and is in the process of exploring an unfamiliar network, gaining additional points of control and getting closer to Protected Health Information (PHI) and Personal Identity Information (PII) records. Even data encryption, greater network segmentation and additional authentication controls are unlikely to impede network attackers, as they can steal valid credentials that give them access to critical data to carry out their work. These network attacks will continue to occur in 2016 and health care will likely continue to represent the top industry to be victimized by data breaches.
Leapfrogging
More data breaches will leverage account leapfrogging.
Perhaps most famously chronicled in the case of the White House and Office of Personnel Management (OPM) network attacks, leapfrogging is where cyber criminals penetrate the network or a personal computing device of one organization to gain valid credentialed access to another organization. In the case of OPM, it appears that attackers were able to penetrate the government agency’s network by first compromising at least one computer at KeyPoint Government Solutions, a provider of investigative services for the U.S. government. From the attack on the government contractor in December 2014, attackers were able to use valid credentials to gain access to the OPM that went undiscovered until April 2015. In the case of the White House, it is believed that attackers first penetrated the State Department to then get access to the White House.
Most data breaches occur as a result of a network attack lasting weeks, months or even years. Attackers generally compromise a user’s computer or network account through malware, spear phishing or social networking. Once a cyber criminal has access to just a single computing device or account, they can get network access and begin to systematically explore the unfamiliar network and gain additional points of control.
In 2016, we will see more data-breach leapfrogging, as cyber criminals compromise an initial target to gain access to a primary one.
Physical Damage
There will be an increased volume of targeted attacks with damage as the primary objective.
Perhaps the most famous account of a network attack that resulted in actual damage to computers and other resources was the one at Sony. Here, besides the headline-grabbing news of data and assets ex-filtrated and released to the world, the company reeled from the carnage of attackers securely deleting everything on 3,262 of Sony’s 6,797 PCs and 837 of its 1,555 servers. This brought all business operations to a standstill, and the company had to resort to pen and paper, faxing and other “old school” means to try to get things done. Each of those computers and servers that had data wiped also had key start-up software removed or destroyed to render the computers useless without being completely rebuilt. This further ensured that the business would be impaired for weeks or months. The custom malware used also added a threatening screen to each employee computer.
Whether sponsored by a foreign country or a group of malcontents, network attacks with the primary purpose of inflicting damage will likely become more common in the coming year.
Email Shaming
Email shaming: Increased targeted attacks with defamation as the objective.
Common to the network attacks on Sony and, later, the infamous Hacking Team in Italy, company emails were released to the public to the shame and embarrassment of each business. In the case of Sony, the attackers released emails on public sites, revealing confidential and sensitive information that is still creating waves and ill will. The cyber criminals focused on emails from the top five execs from Sony studios. The postings were brought to the attention of press.
In the case of Hacking Team, over 400GB of company email, passwords, internal documents and source code were leaked through a torrent posted via the company’s own Twitter handle. In addition, the attackers used their access to the Hacking Team’s Twitter account for over 12 hours, posting screenshots of internal emails and other items.
In the coming year, there will likely be more activities that are intended to shame or damage the organization that suffers a network attack.
