You would get very little argument from anyone that the security threat landscape has changed significantly since the start of this decade. Mega-breaches, ransomware, nation-state threat actors, insider leaks – all of these have moved the goal posts a long way from where they were just a few short years ago.
We spoke with Michael McKinnon, from AVG, at last week’s AISA National Conference and asked him what he through the five most important or influential hacks or breaches of the last five years.
Interestingly, most of his list came in the last couple of years signalling that the threat landscape has not yet stabilised and new actors with different motivations are still evolving.
1 – Edward Snowden
“The one I think is the probably most contentious and, depending on your point of view, whether it constitutes a hack or a breach clearly has to be the actions of Edward Snowden,” says McKinnon.
What Snowden’s actions did is highlight the power of the insider threat. Snowden’s ability to use inherited privileges and exploit the cracks in systems gave him unfettered access to massive swathes of confidential information.
Although it’s arguable whether Snowden’s actions did more harm than good, McKinnon says the breach “clearly shifted the ground about how we think about security and privacy fundamentally for all of us,” says McKinnon.
2 – Ashley Madison
Although the Ashley Madison breach is very recent, occurring in July 2015, McKinnon says it has changed many perceptions about security.
“What’s interesting is, given the level of access this hacking team had, and the level of information they revealed you have to assume there’s some sort of insider access,” says McKinnon.
With database tables, email and other corporate data leaked this is one of the most egregious exfiltrations of data.
“It was a reminder of just how personal some of this private information can be and how it could potentially affect the lives of some people. It stands out head and shoulders about any other because of its impact and severity”.
McKinnon likened the Ashley Madison breach with the celebrity photo hack of August 2014. He says AVG looks at user responsibility when it comes to the consumption of breached data where users might be tempted to look at information about co-workers or people they know.
“One of the fascinating aspects of this is when it comes to the breached information – what’s our motivation for looking at it and are we making the problem worse by looking at it?”.
3 – Sony
“This was an interesting example of a hack because Sony really went after the media on this,” says McKinnon. “Of course, they were in full-flight response mode, trying to quell the media attention they were getting at the time”.
One of the key learnings from the Sony hack was that a very determined and highly skilled threat actor could access far more data and carry out far more damage than anyone had really understood until that point.
“What I found interesting about the Sony hack, from a technical point of view, was there was a lot of speculation – and I’ve spoken with a lot of people who say they had connections with hacking circles – that it was fairly well known that Sony had been breached much earlier on. There were adversaries in their network for quite some time but nothing really happened”.
McKinnon says the take-away from the Sony breach is “if you haven’t secured your stuff, you’ve left the backdoor open – don’t assume it’s one person inside your network. In many cases it could be multiple parties inside your network and it becomes very difficult to separate who’s in there and who the actual attacker is”.
4 – Adobe 2013
The Adobe breach of 2013, when their systems were breached and about 130 million customer records were breached, signalled the start of the mega-breach era. Although the Target breach might have garnered more press and seen some high profile sackings, it was Adobe that “launched” the mega-breach era.
“The thing that stands out is the sheer size of it,” says McKinnon. “130 million unique accounts and passwords were revealed”.
As a result of the breach users were asked to change their passwords and it highlighted that password re-use by users created a previously under-recognised risk.
“You can not trust a single password with anyone,” says McKinnon.
5 – The One I Can’t tell You About
“I’m playing devil’s advocate here to make a point. The name of the last breach is the one I can’t tell you about. And the reason I can’t tell you about it is we’ve all got war stories about clients we’ve worked with and breaches of companies but because of confidentiality and non-disclosure agreements they can’t be talked about. Not every hack hits the press”.
McKinnon says there are still hackers out there who care about the “art of hacking” and are keeping stolen data on their hard drives with no intent of distributing it – yet. However, there are also more targeted and sinister attackers as well.