A blog piece I wrote for the company website: http://mtibytes.com/post/Biggest-security-fails-of-2015-and-a-look-ahead-to-emerging-threats-in-2016
The last year has seen IT security at the forefront of the news agenda for all the wrong reasons. Various breaches and hacks, such as those on TalkTalk, Carphone Warehouse and Ashley Madison, have heightened discussion around IT security and the protection required to counter virtual incursions.
Yet, many of the attacks over the course of the year were avoidable. Had the companies in question been more diligent over their testing and security protocols, some of the breaches would not have been as successful.
Security fails of 2015
The biggest security failing of 2015 is arguably the vulnerability of companies to simple web application attacks. Organisations with large volumes of online customer interactions were targets for web application attacks, in which cyber-criminals gain access to sensitive customer data. Techniques such as SQL injection and brute force attacks were used to access valuable data for fraud or resale to third parties.
The other major security failing this year has been phishing attacks, a method that can result in malware entering a network and leading to data theft. A phishing attack can take the form of an email that appears to come from a legitimate company but redirects the user to a fake external site. Personal information is then requested and captured for use in future brute force attacks.
Prevention is simple
Following simple guidelines, such as those published by OWASP, is the first step to prevention. Regular testing of web-facing applications before publishing them can also help avoid attacks.
Education within the company and targeted solutions aimed at monitoring data exfiltration should be a priority. A company’s security cannot rely solely on its security solutions as a shield – its workforce can and often will be the weak spot in its armour. Employee education on data governance, access and removal of data should be at the top of a company’s IT security resolutions for 2016.
Emerging security threats in 2016
The frequency and sophistication of ransomware threats look set to increase in 2016 because the attacks are so effective, especially while corrective measures to protect against them are so rarely in place.
In addition, DDoS (distributed denial-of-service) attacks aimed at extracting data have been getting stronger and harder to defend against, as the high-profile TalkTalk and Carphone Warehouse breaches showed.
There has also been a growing number of blackmail attempts, in which a company is threatened with DDoS attacks against its resources unless a sum of money is paid.
What is interesting is that these two techniques do not demand high levels of technical ability, yet the rewards can be great. Many companies cannot afford lengthy downtime on their servers and will pay the sum demanded, even without any guarantee that the same attackers will not return.
Who will they affect the most?
Ransomware can affect a majority of computer users. Assuming you will not be a victim of a cyber-attack is a major mistake and the risk of such an attack should be taken seriously.
Blackmail and DDoS attacks, on the other hand, will target medium to large companies, which have the budget to pay the ransom money.
Invaluable security solutions for businesses in 2016
As ransomware is predominantly distributed via email and the Internet, a sandboxing solution is essential. The solution has to be able to scan email and Internet traffic delivered to computers on the network, to remote workers using a VPN, and to BYOD users on wireless or mobile connections.
Ransomware delivered this way executes with the credentials of the user who opens it, so there is a need to look at controlling administrative credentials on all computers, whether they are servers, workstations or laptops.