Why Hacking Is An Integral Part Of The Future Of The Internet

This article is more than 8 years old.

The biggest data breaches this year, visualised by Information Is Beautiful

As I write this article, a group calling themselves The Phantom Squad have declared that they intend to take down both the Xbox Live and Playstation PSN networks on Christmas Day, and sustain the attack for a week. They claim it's to expose the continued lack of security from Microsoft and Sony, the former of which was hit this time last year by another group called Lizard Squad. Of course, this will be a major disruption to consumers globally who have purchased a new console for the festive season, but as the well-known activist group Anonymous succinctly put it, "...if you worry about not being able to play games on Christmas you need to re-evaluate priorities."

A hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge, enjoyment, or to evaluate those weaknesses to assist in removing them. - Wikipedia

Given the focus on the ever-increasing deluge of data being generated by consumers and devices, and the exponential information potential touted by trends such as the Internet Of Things, cybersecurity and data protection are becoming paramount. But every year the data breaches get larger, more sophisticated and ever more costly. According to a joint study by IBM and Ponemon conducted this year, the average cost paid for each lost or stolen record containing sensitive and confidential information increased 6 percent, jumping from $145 in 2014 to $154 in 2015. The lowest cost per lost or stolen record is in the transportation industry, at $121, and the public sector, at $68. On the other hand, the retail industry’s average cost increased dramatically, from $105 last year to $165. Consider the latest hacks that have hit the headlines so far:

  • Ashley Madison breach hit 37m users
  • Malware installed on over 2,000 cash registers hit over 56m customers at Home Depot
  • The European Central Bank had its website hacked, with personal information including email addresses and contact data stolen
  • Kirkwood Community College’s website was hacked this year, exposing 125,000 social security numbers of applicants over an 8 year period

Not all threats are from the outside

This is a very small set of examples of security breaches in 2015, but what's interesting is that while hacking and information security breaches are mostly regarded as an outside attack, a recent PwC survey conducted with the HMRC in the UK stated that 43% of cybersecurity breaches were caused by activities conducted by staff. After speaking to Ryan Stolte, CTO at Bay Dynamics, earlier this month, I had a better picture as to why this may be the case. Ryan's company correlates data generated from user activities and accesses to systems and builds a story about the individuals – employees and third party vendor users – that details how they behave on a daily basis. "By focusing on the people who have access to businesses’ networks and understanding how they typically behave, if they do something out of the norm, we can easily flag, report and stop it. The overall goal is to change behaviours across enterprises before it’s too late," said Ryan.

User and entity behavior analytics (UEBA), the branch of cybersecurity that examines internal user behaviour, is becoming increasingly popular. Gartner says it expects the UEBA market revenue to climb to almost $200 million by the end of 2017.

According to studies by Bay Dynamics, in approximately 90% of data loss prevention incidents, i.e. when employees leak sensitive data outside an organization, the employees are legitimate users who innocently send out data for business purposes. They are exhibiting normal employee behaviour even though it might be in violation of the established business policy. When they are called out by their employer, close to 80 percent of users who are exhibiting risky behaviour (i.e. visiting high risk websites such as gambling, pornography and others) make changes so that they are more security-conscious.

Only 1% of data loss prevention incidents are critical ones, which show signs of being caused by either a malicious or a compromised insider.

Hacking the internet of things

If the numbers are to be believed, 50 billion devices connected to the Internet Of Things may well generate 44 zettabytes (44 trillion gigabytes) of information by the year 2020. But as of 2015, this market's maturity towards securing this information, both personal and corporate, is extremely lacking. Consumer confidence towards IoT and smart devices is also low. A report by Altimeter Group found that 45% of respondents expressed very low trust or no trust at all that companies were using their connected device data securely and in ways that protected their privacy, and Parks Associates published research stating that 70% of smart device owners are concerned about unauthorized access to their home control devices as well as to the data generated by these devices.

Security breaches in the IoT and smart device industry are becoming more commonplace too.

In 2014 Context Security released details about how it was able to hack into the Wi-Fi network of one brand of network-enabled smart bulb, and control the lights remotely. “We bought some light bulbs and examined how they talked to each other and saw that one of the messages was about the username and password,” said Michael Jordon, Research Director at Context. “By posing as a new bulb joining the network we were able to get that information,” he added.

Similarly, Jesus Molina, a cyber security expert, was staying at the St Regis Shenzhen, which provides guests with an iPad and digital “butler” app to control features of the room including the thermostat, lights, and television. Molina realised how vulnerable the system was, and wrote a piece of code spoofing the guest iPad so he could control the room from his laptop. After some investigation, and three room changes, he discovered that the network addresses of each room and the devices within them were sequential, allowing him to write a script to potentially control every one of the hotel’s more than 250 rooms.

Add to this some news scaremongering around taking control of your connected car, or hacking and stopping a pacemaker, and it adds fuel to the general public's awareness that this is an insecure landscape.

But that's not all: hacking doesn't just represent a threat, but also an opportunity to improve hardware and software beyond its original uses. Consider the Xbox Kinect, for example:

  • Using the Kinect to build a low-cost, ready-to-roll robot together with Linux
  • Kinect enabling surgeons in London to view and manipulate medical images via gesture and voice control

In fact, one of the best known hacks of the Kinect was where a man enabled it as a control interface for his mother who suffered a stroke so she could send emails.

Does the future of the internet rely on hackers?

This may be a contentious point of view, and admittedly I am no cybersecurity expert, but my opinion is that the hacker culture can be seen as a positive aspect in exposing the fundamental security flaws across the corporate domain, and also the weaknesses in the Internet Of Things. The general public places a lot of trust in organisations and businesses they engage with on a day to day basis to secure their most sensitive and personal information and every month, whether malicious or not, glaring holes in information security are brought to light. This is not a war, this is almost a symbiotic relationship, and perhaps the law needs to begin to reflect some of this.

"There's no defense in our hacking laws that your behavior is for the greater good. Even if it's what you believe." - Struan Robertson, legal director at Pinsent Masons LLP

Companies may employ ethical, or white hat hackers to conduct the same methods in order to try to breach the computer security of the organisation, but in my mind they are not driven by the same motivations, no matter the end goal.

There is also the stigma and bad press of being a corporate victim of hacking. But victim is a strong word when security processes and procedures are so lacking, and compounded when a breach only comes to light much later on. For example, the New York Dam was breached in 2013 but we're only beginning to hear about it now.

And as highlighted above, hacking can also take original designs for hardware and software and extend them far beyond their creators' intentions.

The eternal cat and mouse game played by the infosec and hacker community will rage on, and in 2016 we will see bigger and costlier breaches both from inside and outside the corporate firewall. But perhaps it's time we view these efforts in a different light, because without them all we have is the illusion of being secure.
