Major IT Security Lessons Learned From 2017


George Santayana famously observed that “Those who cannot remember the past are condemned to repeat it.” In a year in which data breaches escalated and cyber-criminals found yet more ways to infiltrate the enterprise network, this quote came to mind. So, as 2017 came and went, let’s look back over the year, reflect on and evaluate the past events in cyber security, and understand how they happened, so that we can hopefully prevent them from happening again in 2018.

Data Breaches Continue To Happen

As I have already alluded to, data breaches increased in number and severity over the past year. People may have become desensitised to the news, but the number of personal records stolen or lost is staggering. In 2017 alone Uber, Amazon, the US Government, Equifax and Yahoo – to name just a few – all experienced breaches, and there seemed to be another high-profile case every month. Investigating and remediating these incidents is costly, with the latest estimates placing the cost of the Equifax breach alone at $110 million.

Additionally, we saw simple configuration mistakes leading to breaches in Amazon Web Services. The financial publishing firm Dow Jones & Company and the military intelligence agency INSCOM, for example, left their Amazon S3 buckets accessible and available to any AWS user.
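As an added illustration (not code from the original article), the following offline check takes a bucket ACL and bucket policy in the shape the AWS boto3 SDK returns them and flags exactly the kind of grant described above: access for any AWS account holder, or for anonymous users. The sample ACL, policy, bucket name and owner ID are constructed placeholders.

```python
# Added example (not from the original article): audit an S3 bucket's ACL
# and bucket policy for grants that expose it to every AWS account or to
# the internet. Input shapes mirror what boto3's get_bucket_acl and
# get_bucket_policy return, but the data is constructed inline (offline).
import json

# Real S3 predefined-group URIs. "AuthenticatedUsers" means any AWS account,
# which is the exposure described above; "AllUsers" means anonymous access.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def acl_findings(acl):
    """Return (audience, permission) pairs for every over-broad ACL grant."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings

def policy_findings(policy_json):
    """Return the actions of each unconditional Allow whose principal is '*'."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):          # {"AWS": "*"} form
            principal = principal.get("AWS")
        if stmt.get("Effect") == "Allow" and principal == "*" and "Condition" not in stmt:
            actions = stmt.get("Action", [])
            findings.extend([actions] if isinstance(actions, str) else actions)
    return findings

# Constructed sample: the ACL grants READ to all AWS users and the policy
# allows anonymous GetObject on every key (placeholder IDs and bucket name).
SAMPLE_ACL = {
    "Owner": {"ID": "exampleownerid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleownerid"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Run `acl_findings(SAMPLE_ACL)` and `policy_findings(SAMPLE_POLICY)` against the sample to see both exposures reported; against live data, feed in the dicts returned by boto3 instead.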

Scrambling For GDPR

2017 saw businesses scrambling to gear up for the General Data Protection Regulation (GDPR) which will come into force in May 2018. It will apply to organisations that are based in or operate across the EU, or which have operations, customers, suppliers or partners within the EU.

Under GDPR, regulators can fine organisations that fail to adequately safeguard customer data against a breach, or that fail to report a breach to the supervisory authority within 72 hours. The fine can be up to €20m, or 4% of the firm’s annual turnover – whichever is greater – which clearly gives regulators a very large stick to use on companies that do not comply.

What is yet to be seen is how the European regulators decide to exercise their legal powers. Come May 25th we might see investigations and fines handed down to any company that loses personal records, and we could see jurisdiction fights as European regulators try to fine businesses that are based in the US. Equally, the threat of large penalties may not be realised: it will be interesting to see how it all plays out.

IoT & The Bots

Throughout 2017, attacks on IoT systems were rife, and I believe they will only increase in 2018. At the heart of many of these attacks were botnets, deployed across hundreds of thousands of IoT devices. In 2017 we saw new variants of the Mirai botnet, including Reaper, and new botnets such as Satori, all of which specifically targeted IoT devices.

By allowing ever more IoT devices onto their enterprise networks, enterprises are also opening a back door for bot attacks. Worryingly, recent estimates suggest that up to 75% of organisations globally are infected by bots, and with the number of IoT devices set to increase, we certainly haven’t seen the worst of it yet.

Indeed, Gartner estimates that 8.4 billion devices were connected to the internet in 2017, and a further 2.8 billion will be connected in 2018. These new IoT devices usually have little to no security controls built in, so every additional internet-controlled thermostat, door lock, vending machine or air-conditioning unit that goes online is another attack vector available to attackers.

To prevent bots working their way onto your enterprise networks, make sure to use up-to-date anti-malware and implement layered defenses that limit lateral movement if they do manage to infiltrate the network. Additionally, next-generation firewalls can monitor network traffic for suspicious activity, block suspicious traffic and cut infected devices off from their command-and-control servers. Intelligent network segmentation, separating IoT devices from the rest of the network, will also help to mitigate the risk.

Ransomware Is Here To Stay

2017 was also the first year that businesses globally felt the full force of major ransomware attacks. WannaCry impacted businesses and public services across the globe, Cerber convinced many victims to pay up to unlock their encrypted files, and NotPetya claimed many victims, including the US-based pharmaceutical giant Merck, causing at least $300 million of damage.

Threatened by the loss of potentially sensitive files that may not be backed up, some businesses have been paying the criminals’ ransom demands. But of course, paying the attackers not only funds criminal activity, it fuels further attacks. So, ransomware is far from behind us.

As with bots, there are numerous security best practices that can prevent the next ransomware attack, or at least greatly reduce its impact, including segmenting the network, regular data backups, patching, and security awareness training for employees.

The reality is that data breaches, botnets, ransomware and human error won’t be going away anytime soon, and organisations must remain vigilant. But by looking back at the events of 2017, IT teams can take steps to reduce the chances of falling foul of these attacks moving forward. After all, learning from history can help stop events from repeating in the future.

Avishai Wool

Avishai Wool co-founded AlgoSec in 2004 and has served as its CTO since its inception. Prior to co-founding AlgoSec, he co-founded Lumeta Corporation in 2000 as a spin out of Bell Labs, and was its Chief Scientist until 2002. At Lumeta, Dr. Wool was responsible for transforming the firewall analyzer technology he helped develop at Bell Labs into a commercial product. Earlier, Dr. Wool was a technical staff member at Bell Labs’ Secure Systems Research Department, where he led a team of researchers who created the first research prototypes for the firewall analyzer. He has published more than 110 research papers and holds 13 US Patents, and has served on the program committee of the leading IEEE and ACM conferences on computer and network security. Dr. Wool has a B.Sc. (Cum Laude) in Mathematics and Computer Science, and a M.Sc. and Ph.D. in Computer Science.