2011's Big Breaches: What We've Learned
In virtually all of the breaches of 2011, there was a human error or failure that could have been avoided. As IT people, we tend to focus more on the technology surrounding these compromises, but as I look more closely at each of them, I believe that humans are still at the heart of great security successes - and, unfortunately, great security breaches.
With this human factor in mind, let's take a look at some of this year's biggest compromises. Interestingly, many of the human errors involved in these breaches were basic mistakes made in the domains that (ISC)² describes in its CISSP program. As such, it is clear that so much of security boils down to education and experience.
- RSA's SecurID: In March, RSA revealed that it had been hacked and that data related to its SecurID token authentication technology had been stolen. The complex attack led to breaches of RSA customers and the popularization of the term advanced persistent threat. But at the outset, the RSA breach was caused by simple human error: a phishing attack disguised as an e-mail with recruitment information allowed attackers to infect an RSA employee with the Poison Ivy Trojan. If the employee had followed simple policy, the breach might not have occurred. Employee awareness of social engineering and phishing is becoming critical. As it happened, some 40 million RSA customer identities were placed at risk.
- Sony PlayStation: Back in the spring, multiple system hacks at Sony allowed hackers to get customer information for the 77 million members within Sony's online PlayStation network. Many of Sony's problems stemmed from the compromise of a third-party customer list, which enabled attackers to get the data they needed to go after Sony customers. But such compromises are avoidable if security professionals are adequately educated to work with third parties to stay secure. As it was, Sony was forced to take down some of its services for several weeks, and the company estimates that the attack cost $170 million.
- Anonymous: The hacktivist group, Anonymous, made hay all over the web this year, breaking into systems at federal agencies, major corporations and even local law enforcement. The methods used by this group are not always known, but one interesting study suggests that the group might be using simple Google searches to find vulnerable code that can be easily exploited. Unfortunately, such vulnerabilities continue to be easy to find, which is why education and training on application security is such an important aspect to cover in organizations. It is likely that the methods Anonymous used in 2011 will continue to be a threat into 2012 as well.
- SSL Breaches: Several SSL digital certificate providers, including Comodo, DigiNotar and GlobalSign, were breached this year, causing a real loss of confidence in certificates that have been used on the web for years. The compromises allowed the creation of fake certificates that fooled many users and caused downstream breaches. Security professionals today must understand the concepts of cryptography, which describes methods for encrypting and authenticating data to protect against such attacks. It is the violation of these principles that caused major issues across the internet and the collapse of DigiNotar, owned by Dutch-based VascoSecurity Systems, which went bankrupt as a result of the hack.
- Duqu: After working its way through Stuxnet in 2010, the industry found itself dealing with another complex threat, Duqu, in the second half of 2011. Duqu, a malware delivery framework used to steal data, uses a kernel driver that injects a rogue library (DLL) into system processes. The DLL then links the infected system with a command-and-control server. At its core, however, Duqu relies on human mistakes to infect its targets, just as most malware does. These attack methods are both common and avoidable for security professionals who understand how to build the right policies.
I could go on - breaches at Epsilon, Bank of America, the state of Texas, and MySQL.com are just a few of the other examples of major breaches that occurred due to simple human errors on the part of security professionals, end users or third parties. Most of them were not complex hacks, but simple attacks that exploit common flaws such as cross-site scripting or SQL injection. These are basic concepts that every security professional should be able to understand and manage.
As we prepare to enter a new year, I submit that the industry needs to rededicate itself not only to the development of better security technology, but also to improving the education (and re-education) of security professionals and the users they serve. The lesson we learn from this year's breaches is that most of them were avoidable - even preventable - if humans had exercised best practices at the proper times.
It is an old truth that those who don't learn from history are destined to repeat it. We should all take a hard look at the breaches we saw this year and take the steps needed not only to improve our defenses, but to also improve the knowledge of those who exercise them. Let's put enough qualified people in the right places.
Tipton is the Executive Director for (ISC)², the largest not-for-profit membership body of certified information security professionals worldwide, with over 80,000 members in more than 135 countries.