Why hacks like Equifax will keep happening
If it feels like 2017 is a banner year for cyberattacks, that’s because it is. And the hits will keep coming.
“We’re living in the beginning of an era of mass targeted attacks,” said Nate Fick, CEO of security firm Endgame. “Things are bad and they’re going to get worse.”
In just the last month, we’ve learned of a data breach from credit agency Equifax affecting 143 million people, an intrusion into the SEC, and a hack at major accounting firm Deloitte.
Almost 2 billion records were lost or stolen globally in the first half of 2017, according to security firm Gemalto, an increase of 164% over the previous six months.
The spike in global cyberattacks is the result of a perfect storm. Some tools used by government hackers have become public, such as when the NSA hacking tools leaked online. And it’s easier than ever for hackers to make sophisticated tools to spread malware and ransomware or to steal data from companies. Firms also frequently fail to patch holes in their systems, at least in a timely manner.
“It’s increasingly easy for essentially anybody to wield the kind of capability that used to be reserved for nation-states, or required nation-state level of expertise and investment,” Fick said.
Attacks by nation-states are undertaken by hackers working for a government, rather than a criminal enterprise.
No one has attributed the Equifax hack to anyone, yet. But law enforcement has blamed nation-states for other high-profile cyberattacks such as WannaCry. In that case earlier this year, intelligence agencies linked the massive ransomware attack to North Korea. It infected about 300,000 computers in 150 countries.
According to Andrea Little Limbago, Chief Social Scientist at Endgame, cyberattacks will continue as geopolitical tensions escalate.
In the past, nation-state hacks didn’t have widespread collateral damage. In 2010, the Stuxnet worm damaged Iran’s nuclear program, but Limbago said it was mostly contained.
Fast forward to 2017: The sophisticated NotPetya cyberattack, which Ukraine blamed on Russia, targeted Ukrainian tax software in June, but infected companies around the globe. FedEx said the attack cost the company $300 million.
Sophisticated attacks are a threat, but the biggest hacks can be the result of known vulnerabilities that don’t get fixed in time.
Hackers infiltrated Equifax through a flaw in a tool called Apache Struts, which is used to build web applications. The flaw was identified and disclosed in March, but Equifax’s machines were not all updated and protected even months later, allowing the hackers entry.
According to Kelly Shortridge, product manager at Security Scorecard, many companies don’t maintain basic security hygiene to prevent cyberattacks. That includes regularly updating and patching computers, implementing mandatory two-factor authentication, and training employees to recognize phishing attempts.
“Unfortunately you can’t just put a security box on the network and everything will be solved,” she said. “You have to be rigorous in monitoring, and rigorously prioritize how you protect your assets.”
Keeping computers up-to-date costs time, money, and expertise — sometimes patching a server means taking it offline, potentially affecting customers or business operations. Skipping a patch over financial concerns could lead to a more expensive data breach in the future.
Data breaches, digital extortion, and identity theft are lucrative. According to research from Symantec, the average ransomware attack — where hackers take control of a victim’s computer and then demand money to return it — made $1,077 last year, a 266% increase from the year before. Hackers buy and sell hacking tools, malware, and stolen identities on the dark web.
Sometimes stolen data doesn’t need to be hacked. As we’ve seen multiple times this year, databases that are insecure due to human error can leave private data exposed to anyone who searches for it.
The number of devices vulnerable to an attack is growing. As millions of devices like smart coffee makers and connected light bulbs come online, there will be more opportunities for hackers to infiltrate homes and businesses.
For example, hackers recently tried to steal data from a North American casino through a fish tank connected to the internet. They managed to compromise the tank and send data to a device in Finland. Insecure devices are like unlocked doors into networks; if a hacker accesses one, they could move around the rest of the system and potentially steal private information.
Gartner estimates over 20 billion “internet of things” devices will be in use by 2020, up from an estimated 8.4 billion this year. Experts say many IoT manufacturers are notorious for shortchanging security and putting users at risk.
Shortridge says the Equifax breach may be a wake-up call for businesses that don’t prioritize security. Government agencies and members of Congress are currently investigating Equifax.
However, Fick said there’s a lack of accountability when data breaches happen. The CEO of Equifax “retired” this week, following the retirement of the company’s chief information officer and chief security officer.
“If you’re the CEO or you’re a board member, whether or not a breach is your fault, it’s unequivocally your responsibility,” Fick said. “You should be fired if it’s egregious enough. You shouldn’t be allowed to retire.”