This was the year that cybersecurity hit the mainstream – and cybercriminals showed the world they’re not kidding around. With numerous massively-damaging malware attacks, foreign intrigue pushing cybersecurity the highest levels of the government agenda, surging ransomware and email fraud and a doubling-down on artificial intelligence, the year proved many predictions right on the money.
Ransomware continued to be a plague, expanding from novelty items like wearables, children’s toys, pacemakers and smart TVs. IoT networks were also savaged by Hajime, a 300,000-strong network of compromised devices that caused major concerns.
Small and medium businesses (SMBs) were hit particularly hard by ransomware, with reports suggesting that half of SMBs just paid the ransom. One California nursing school struggled to recover after an infection, while other targets included Washington DC’s CCTV network, Apple Mac OS X, a proof-of-concept attack that disabled a local water supply, and fuelled concerns they would take over cars and compromise crucial infrastructure as well.
With ransomware revenues of more than $1b in 2016 alone, the stage was set early on for a ferocious 2017. Ransomware-for-hire attacks fuelled the trend, following on the heels of extremely successful DDoS-for-hire services, but innovative new ransomware designs abounded. A growing number of ransomware infections at companies around the world, but it was the dump of National Security Agency (NSA) hacking tools – and subsequent sharing of CIA hacking tools – that would set the stage for the year’s defining cybersecurity events.
The Wannacry ransomware attack struck over a weekend in May, hitting hundreds of thousands of users and stopping businesses as they cleaned up, tried to pay the ransom or bolstered their defences against a similar attack. Clues suggested North Korea might have been involved – a hunch that was confirmed by the US government in December – while researchers set to work on breaking the ransomware’s encryption.
Just as experts suggested WannaCry could have been worse, another strain called NotPetya emerged to wreak even more havoc. Analysis revealed that NotPetya wasn’t strictly ransomware and was in fact designed to just wipe the files of those it hit – and to release a related ransomware strain.
NotPetya claimed a number of high-profile scalps at companies like pharmaceutical giant Merck, chocolate giant Cadbury, and shipping giants Fedex and Maersk – which indicated costs from the incident would approach $US300m ($A396m).
The implications of WannaCry and NotPetya would reverberate for the rest of the year, with stewards of industry reporting 9-figure cleanup costs that highlighted just how serious an issue cybersecurity has become. Yahoo! also contributed in this area, losing $US350m ($A462m) after Verizon downgraded its takeover offer in the wake of a massive Yahoo! breach – which turned out to be even bigger than previously reported. A hack at Uber was said to have exposed 100,000 drivers’ details – but the company was even more in deep water after revelations it had paid hackers $US100,000 ($A132,000) to delete stolen data on 57m customers.
Indeed, you couldn’t open the proverbial papers this year without reading about another big and high-profile data breach. A mass-marketing company exposed 1.36b email addresses online, while reports of the sale of Medicare details prompted a government investigation and Amazon Web Services changed its management console after a configuration error exposed the details of 50,000 Australian government workers.
Hackers threatened to wipe millions of Apple devices unless they were paid a ransom. Credit-reporting agency Equifax was hit with perhaps the most significant breach of the year, exposing the personal financial details of 143m US consumers, 15.2m UK citizens, and others around the world.
Equifax’s CISO and CIO fell on their swords – highlighting the sentiment of many security executives that they are still undervalued by their boards.
Some analysts said cybercriminals were winning the cybersecurity arms race as they tried everything to continue their attacks, ranging from improper SSL certificates to DDoS attacks on the White House and new forms of Android malware that kept Google on its toes.
Efforts to remedy the cybersecurity skills gap addressed concerns that young women lack the confidence to assert themselves in a cybersecurity context, even as others said the business community was failing to interest them in cybersecurity career pathways.
Local industry development was also on the table, with some asking why Australian companies aren’t buying Australian infosec tools. Analysts believe policy is closing Australia’s cybersecurity gap, and that industry support is helping break our culture of risk aversion.
Cybersecurity attacks played a role in world politics, with the FBI and Democratic National Convention arguing as the Russian election hacking story began to take shape. Intelligence reports suggested that US president Donald Trump had played a role, while other analysis suggested North Korea may have been behind a string of banking heists.
Looming changes to banks’ payment-fulfilment processes have some worried about escalating email fraud in 2018. But high-profile megatrends proved problematic, with cybercriminals recruiting company insiders and adopting artificial intelligence to shape their attacks, just as companies have increasingly adopted AI and machine learning for their hacking defences.
The Australian Signals Directorate led the local security agenda with the release of its Essential Eight mitigation strategies, which have received worldwide acclaim for providing easy-to-follow guidance on improving an organisation’s overall cybersecurity posture. Such preventative measures are critical to improving corporate compliance postures as cybersecurity rose to become IT auditors’ #1 concern.
The Internet of Things (IoT) proved to be as much of a security problem as experts had warned, with businesses hobbled by IoT-driven DDoS attacks. Hackers flocked to prod IoT devices for vulnerabilities, even as they hacked publicly-available printers and embedded devices. IoT security issues mirrored the problems enterprises have been having with user devices for many years, and many were pointing out that – with so many connected devices – the best security defence starts in the home.
Throughout it all, CSOs kept wondering why humans were so very bad at security. Users tend to fare poorly on phishing tests, and they’re susceptible to things like red teaming. For CSOs hoping to survive the tighter disclosure laws in 2018 and beyond, dealing productively with breaches and proactively with users will be critical. Take a fresh look at your security policy – and hang on tight as 2018 and its compliance requirements, take the challenge of securing your data to a completely new level.
From all of us at CSO Australia: Thank you for your readership this year. We wish you a wonderful holiday season and all the very best for 2018.