The Year in Review: Breaches and Vulnerabilities

12/23/2014  |  By: Jason Riddle, CISSP, President, Information Security


With 2014 nearly behind us, it’s time to look back on the year – and look forward to the one ahead. What were the major network security issues in the year gone by, and how can we expect those stories to evolve in 2015?

High-Profile Breaches

Where breaches and vulnerabilities were concerned, it was a particularly eventful year. A rash of major data breaches impacted a wide range of high-profile companies, most of them retailers. The organizations attacked included (but were by no means limited to) Home Depot, Michael’s, Kmart, Goodwill, Dairy Queen, JP Morgan Chase, and Sony Pictures Entertainment. After its highly publicized breach of late 2013, Target could be considered “patient zero” for the kind of attack experienced by many retailers. Many attacks followed the pattern established by the Target breach – specifically, the use of memory-scraping malware on Point of Sale (POS) systems. For this reason, POS systems took center stage in the security industry dialogue: there has been a great deal of conversation on how to protect these systems more successfully. One major strategy under discussion is the implementation of Chip-and-PIN (or EMV) measures in the credit card and electronic payments industry as a whole, an area in which the U.S. still lags behind many other countries. Thoughtful commentators have pointed out that this approach isn’t a silver bullet – but it should mitigate a lot of the types of fraud we’re seeing today.

Major Vulnerabilities

Three major technical vulnerabilities emerged this year, each concerning highly commonplace, fundamental technologies:

  • The Heartbleed bug was a flaw in OpenSSL, the most widely deployed implementation of the SSL/TLS protocol. It allowed attackers to read server memory and so acquire data that was meant to be private and encrypted.
  • The Shellshock vulnerability impacted Linux and Apple OS X platforms running bash, a highly common command shell. Because bash is such a foundational piece of behind-the-scenes software, and because many network-facing services hand it attacker-supplied input through environment variables, this vulnerability was very widespread.
  • The BadUSB vulnerability, while not a software bug in the usual sense, abuses the trust the ubiquitous USB architecture places in a device’s own firmware, giving attackers a way to exploit it.

Heartbleed and Shellshock were addressed by patches, but BadUSB probably won’t go away for close to a decade: it’s a vulnerability that is simply inherent to the USB standard – a standard so widely used that it will not be replaced for some time.
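Since both bugs were fixed by patches, the practical question for an administrator is whether a given host actually received them. The following self-check script is an added example, not part of the original post; it classifies an OpenSSL version string against the Heartbleed-affected range and runs the standard benign environment-import probe against the local bash. The function names and the sample version strings are this example's own.

```shell
#!/bin/sh
# Added example: local self-checks for the two patched 2014 bugs.
# Defensive spot checks for a host you administer; they do not replace
# applying vendor patches.

# Heartbleed: upstream OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1) were
# affected; 1.0.1g fixed it. Takes the text of `openssl version` as $1 so it
# can be tested on constructed input. Returns 0 (affected range) or 1 (not).
# Caveat: many distributions backport fixes without bumping the upstream
# version, so a "1.0.1e" string alone does not prove exposure; confirm with
# the package changelog before raising an alarm.
heartbleed_affected_version() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Shellshock: vulnerable bash builds executed commands appended to a function
# definition imported from the environment. A patched bash does not import a
# function from a plain variable named x, so the marker is never printed.
# Prints one of: VULNERABLE, patched, no-bash
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    out=$(env x='() { :;}; echo marker' bash -c 'true' 2>/dev/null)
    if [ "$out" = "marker" ]; then
        echo VULNERABLE
    else
        echo patched
    fi
}

# Usage on the current host:
if command -v openssl >/dev/null 2>&1; then
    if heartbleed_affected_version "$(openssl version)"; then
        echo "openssl: version string in the Heartbleed-affected range"
    else
        echo "openssl: version string outside the affected range"
    fi
fi
echo "bash: $(shellshock_status)"
```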

Looking Ahead

In many ways, this year was a turning point. Five years ago, one typically saw a reluctance to invest the time, money, and effort in implementing robust, situationally appropriate security. In the wake of this year’s many high-publicity breaches, more and more senior-level decision makers are looking to quickly and cost-effectively limit damages. In 2015, I expect this trend to continue. More boards of directors and C-level executives will continue to ask about information security – and this will serve their organizations well. Today, many organizations are taking key steps to put in place the security they need – performing risk assessments, for example. In 2016, these businesses will be able to leverage the resources to protect their systems – and their customers’ data. 

Check out our free guide, Breach: Network Security Best Practices for Prevention, Detection, and Response, for more information on ensuring the safest network security for your firm.
