Which data breach predictions came true in 2017 and what to expect for 2018.

David Ellis
SVP, Investigations
This blog is based on Dave Ellis’s Webinar, “Lessons Learned from 2017 Forensic Investigations.” You can download and watch the webinar here.

SecurityMetrics' Forensic Investigations Team has been helping businesses recover from data breaches and theft for over eighteen years. We analyze the data from those investigations and use it to inform our customers, predict breach trends, and better protect merchants.

How did our predictions for 2017 play out?

  • Insecure remote access will continue to plague organizations

    • Yes; continues to be the most common problem we see.

  • Large-scale POS breaches will decrease, but employees will remain high-risk

    • This certainly happened. We’ve seen the large-scale breaches decline, and employees were the most common weak point (e.g., opening phishing emails).

  • Overall number of breaches will temporarily decrease

    • This proved true according to our investigations. POS breaches have declined with the advent of EMV. 

  • Ecommerce breaches will increase

    • In 2017, 56% of the payment card investigations we performed were in ecommerce, up from 38% in 2016. 

  • Increased attacks against healthcare targets

    • Yes; we saw a nearly twofold increase in healthcare breaches last year.

  • A resurgence of ransomware

    • According to Malwarebytes, ransomware was the most prolific gainer of 2017. Ransomware rates tripled in number from 2016; 60% of malware payloads installed on commercial systems were ransomware. 


Many of our readers want to know: what does a cyberattack typically look like? How does an attacker gain access to a system in the first place? How do they steal the information, and what do they do with it?

It pays to understand the steps and patterns of a hacker—plus, it brings to light how important it is to comply with security standards regarding password complexity and secure remote access.

An attacker’s activities will typically include:

  1. Scan internet for open remote access ports. The majority of attacks are not specifically targeted. More commonly, an attacker will start by launching a port scan over a large range of IP addresses looking for open ports that correspond to remote access applications. If they see the company is running remote access software, they will likely attempt to breach through that software. 

  2. They will enter ‘administrator’ or ‘admin’ for the username, and now they just need to “brute-force” a password using an online password list. 

  3. Test remote access credentials.

  4. If successful, they gain system access and ascertain where they are (e.g., whether they have gained access to a healthcare organization, retail business, or home network).

  5. At this point, an attacker might monitor your activity by installing a keylogger.

  6. Download malware onto the system or encrypt critical files. 

  7. Attacker will capture confidential information or contact the owner of the system and levy ransom demands. 

How does stolen data turn into money for hackers?

Attackers might personally use the credit card numbers online, or use them to buy gift cards or prepaid cash cards.

Or—they could be a part of a large organization made up of talented individuals. Organized hacking is like the “new mafia.” These operations are highly systemized, and their employees are probably more motivated than you or I at our jobs. Widespread across the globe, hacking organizations post their offerings on the dark web, and aim to sell the credit card information per number or in bulk.

Most common security failures in 2017:

  • Firewalls: About 52% of the cases we investigated had inadequate firewall configurations. In some cases, there were no firewalls at all, but most often they weren’t properly configured.
  • Passwords: Similar to when firewalls are left on default configurations, passwords can be left on default settings as well. Or the password might be too simple, like “password” or “12345.” A few years ago, there was a large breach where more than one billion passwords were “lost.” They weren’t actually lost because the hacker that stole them had cleverly inserted them into a brute-force hacking tool (which he made available for sale to others) that can fly through a system and quickly attempt different passwords. To mitigate these attacks, we recommend that your system lock down after three failed password attempts. 
  • Antivirus: In many of the data breaches we investigated, there was no antivirus installed, or it was expired on some or all of the key systems. And in cases where it was installed, inconsistency was often a problem: the antivirus software wasn’t always installed on all endpoints. We found that 72% of breached companies had adequate antivirus running. But antivirus still makes the list because in the other cases, close to 30%, that inadequacy was a direct contributor to the data breach. 
  • Secure access: Determines who is and is not allowed to access information on your system. Secure access could be compromised with a weak authentication password but is usually due to a lack of multi-factor authentication. There should not be any areas with sensitive or protected information to which someone could log in without multi-factor authentication. Multi-factor authentication will prove to be a crucial security principle as time goes on. 
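
What steps 2 to 4 of the attack pattern above look like from the defender's side, and where the three-failed-attempts lockout recommended under Passwords would trigger. This is an added example, not SecurityMetrics code: the sshd-style log layout with ISO timestamps, the 10-minute window, and the names review and SAMPLE_LOG are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                               # the article's "three failed password attempts"
WINDOW = timedelta(minutes=10)              # assumed look-back window
DEFAULT_NAMES = {"admin", "administrator"}  # usernames the article says attackers try

# Assumed line layout: ISO timestamp followed by an sshd-style message.
LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample log, not from a real system (documentation-range addresses).
SAMPLE_LOG = """\
2018-01-15T02:10:01 sshd[811]: Failed password for invalid user administrator from 203.0.113.7 port 40112 ssh2
2018-01-15T02:10:03 sshd[811]: Failed password for admin from 203.0.113.7 port 40113 ssh2
2018-01-15T02:10:05 sshd[811]: Failed password for admin from 203.0.113.7 port 40114 ssh2
2018-01-15T02:10:09 sshd[811]: Accepted password for admin from 203.0.113.7 port 40115 ssh2
2018-01-15T08:30:00 sshd[902]: Failed password for jsmith from 198.51.100.20 port 51000 ssh2
2018-01-15T08:30:20 sshd[902]: Accepted password for jsmith from 198.51.100.20 port 51001 ssh2
"""

def review(log_text):
    """Return alerts as (timestamp, source_ip, kind, username) tuples."""
    failures = defaultdict(deque)  # source IP -> times of recent failed logins
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, ip, user = datetime.fromisoformat(m["ts"]), m["ip"], m["user"]
        recent = failures[ip]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()  # forget failures older than the window
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) == THRESHOLD:  # point at which a lockout should trigger
                default = user.lower() in DEFAULT_NAMES
                alerts.append((m["ts"], ip, "lockout-default-account" if default else "lockout", user))
        elif len(recent) >= THRESHOLD:
            # A success right after a burst of failures suggests a guessed password.
            alerts.append((m["ts"], ip, "login-after-failures", user))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(*alert)
```

The single mistyped password from jsmith produces no alert, while the accepted login that follows three failures from the same address is the event a daily log review should escalate first.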

Other security issues:

  1. More than one primary function per server. If you have a device that’s used to take patient info or process credit card info, the more you can segment and separate that device from devices that are used to conduct more routine day-to-day activities, the easier it will be for you to provide high-level security for just a few key devices in your critical data environments, rather than across your entire network.

  2. Application security updates. Ignoring patches continues to be a problem. For example, when payment applications discover security flaws, they will issue security patches. But we see many investigations where organizations failed to update with current patches, even though they had been supplied months (and in some cases, years) before.


How did healthcare do with security in 2017?

The FBI reports increased attacks against healthcare organizations in 2017: 88% of ransomware attacks last year targeted healthcare organizations. The other 12% were targeting individuals or non-healthcare businesses. Hackers recognize that if they can hold hostage patient information or doctors’ notes, the healthcare industry has to act immediately and is more likely to pay a ransom.

89% of studied healthcare organizations reported a breach involving the loss of patient data in the past two years. In our investigations, we found that 78% were compliant with the HIPAA requirement to encrypt patient data, 55% complied with reviewing firewall rules at least yearly, and only 26% complied with using multi-factor authentication for remote access.

Top organizational vulnerabilities

In our opinion, the top vulnerabilities organizations should focus on are:
  • Insecure remote access

    • Tip: Insist on multi-factor authentication with strong passwords and tokens for all environments containing high value data. 

  • Employees 

  • BYOD procedures 

    • Tip: Bring Your Own Device (BYOD) can be a problem. For example, an employee that uses their work computer on a home network inadvertently downloads a virus. The employee then introduces the virus into the work environment when they log back into the work network. Your work environment should scan devices for viruses when it detects a new login. 

  • 3rd Parties
    • Tip: Know where your data flows and is stored. Conduct risk assessments that include 3rd-party service providers. Do your due diligence with service providers, making sure you have policies, procedures, and agreements on file regarding their security. 

Top 10 Tips to avoid data breaches

  1. Educate staff: Hold regular trainings with special focus on phishing/spoof emails. 10% of phishing email links are clicked on. Also train your staff to recognize and guard against social engineering. Teach them to question what seem like unusual requests for information (like W2s or personal data).

  2. Install updates and patches: Consistently monitor application updates and watch for flaws and subsequent patches. 

  3. Develop secure code, then test: Enforce a secure software development lifecycle. For example, follow NIST 800-115 or the OWASP Testing Guide. 

  4. Vulnerability Scans and Penetration Tests: Schedule scans often and regularly (e.g., quarterly) and after any significant network changes. Conduct penetration tests on critical systems at least yearly and after any significant network changes. Be sure to include social engineering tests. 

  5. Configure and review logs: The best way to find out about a breach is from your own internal review. Someone in your organization needs to have eyes on security logs daily. Create and implement a process to respond to intrusion detection system (IDS) and file integrity monitoring (FIM) alerts in real time. 

  6. Risk assessments: Hold a risk assessment at least annually and after any significant network changes. 

  7. Control admin access: Update default usernames like “admin.” Implement multi-factor authentication and restrict access to sensitive data. 

  8. Segment your network: Implement network segmentation by isolating less-secure networks from high-security networks. Ensure that a breach of the less-secure network cannot affect the high-security network. 

  9. Hide sensitive data: Chances are you need to store some sensitive data at your business, so at a minimum, sensitive data should be encrypted and properly secured. Be certain to test your backups to ensure that you will be able to restore from them after a data breach. (This will be your greatest defense against a successful ransomware attack.)

  10. Develop and test an incident response plan: Creating a thorough incident response plan (IRP) (and testing it annually) will help coordinate your response during and after a security incident, minimize an incident’s impact, and restore your operations as quickly as possible. 

2018 Forensic Predictions 

  1. Ecommerce breaches will continue to increase, as will attacks against healthcare. Ecommerce increased last year, and it will continue to do so. We will probably settle in at a rate of about 80% of investigated breaches that occur in ecommerce environments. 

  2. Smaller merchant breaches will come under greater scrutiny. It used to be that virtually all merchant breaches were investigated. But about five years ago, the card brands softened their mandates to reduce the financial burden for smaller merchants. While a breach of a single small merchant doesn’t typically expose a large number of credit card accounts, the collective total of several small merchant data breaches does. As the number of point-of-sale (POS) card-present breaches decreases, you will start to see increased pressure for small merchants to take more definitive actions when they’re under the suspicion of a data compromise. 

  3. Coordinated attacks that start with your cell phone. We had an attack last year that started with a breached cell phone, which led to the personal computer in the home, then on to the owner’s business (which was in the healthcare industry), and then spread to all of the devices in that environment. You may also see more attacks aimed at individuals—and those may be likely to start with a cell phone. 

  4. Passwords may not be the security you’re looking for. We will start to see next year—and more so in the coming years—that passwords will no longer be considered an element of security. There is present technology that can search and break password hashes at the rate of 600 billion attempts per second. This means that attackers could try every possible combination of keys, in most languages, in just a few days. As developers put more steam behind this tool, the time and resources needed to break passwords will greatly reduce, regardless of password complexity level. 

  5. Artificial intelligence (AI): on your side and against you. We will likely start to see security tools with artificial intelligence that can detect and adapt to data breaches. But we will also likely see AI on the attackers’ side—with malware that can self-move, self-manipulate, and self-hide in response to what it sees a user do. AI will start to show up with increasing frequency, and it’s going to make the future of data security very interesting. 


David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.