Ron Temske, Vice President, Security Solutions, Logicalis US
For one of our first Enterprise Security blog posts of 2017, I thought I would reflect on some of the most significant events of 2016. I’ll stay away from predictions for 2017 since there’s no reason to create a documented record of how wrong I was!
Last year was a particularly interesting year for enterprise security. We witnessed a number of events that had been theorized for some time, but had never really taken hold; we saw unprecedented attacks both in frequency and magnitude.
Among the security-related threats and events we saw: new mobile threats; ransomware on a large scale; cybersecurity in politics and elections; an increase in attacks against mobile devices; conflict between a major vendor and the government over encryption keys; another major vendor taken down by attacks; and we saw the Internet of Things (IoT) used to launch a massive attack against the core of the Internet.
Let’s review a few of these in a bit more detail:
- Mobile. New attack vectors enabled threat actors to compromise a Smartphone directly through a multimedia SMS. By simply opening the SMS message, the user provides the attacker with control of the mobile device. With so many mobile users accessing corporate data, this can allow for large-scale data theft and loss.
- Ransomware. No discussion of 2016 security trends would be complete with highlighting the devastating impact of ransomware. Ransomware as a technology has been around for many years, but 2016 saw widespread use via innovative delivery mechanisms whereby a criminal could purchase a ransomware attack via a pure SaaS model. The criminal needed no technical skills, and could simply pay to attack a set of targets, sharing in the profits with the organizations launching the attack. I haven’t seen final numbers, but ransomware was on track to generate over $1B in revenue for 2016 and shows no signs of slowing down yet.
- Apple vs. FBI. The conflict between Apple and the FBI got widespread coverage, as it raised some difficult technical and ethical questions (that largely remain unanswered) principally focused on whether the government can force a manufacturer to unlock its encrypted devices and/or place a backdoor into the devices to allow unfettered access. This event highlighted an ongoing (and heated) debate contrasting the ability of law enforcement to perform its duties versus the right to privacy and increased protection against compromise provided by encryption.
- Yahoo. It wasn’t a good year for Yahoo. After disclosing the details of an attack that compromised approximately 500 million user accounts, the company disclosed another incident later in the year affecting 1 billion accounts. That last attack represents approximately 15 percent of the entire world’s population! (Obviously, there’s not a one-to-one relationship between accounts and people, but still an interesting perspective).
- Internet of Things (Internet of Threats). The attack against Dyn in October was interesting for a variety of reasons. It was the largest attack of its kind in history, leveraging compromised IoT devices (mostly Chinese manufactured security cameras) to launch a DDOS attack against Dyn, bringing down many of America’s key Internet services. Estimates vary as to the number of IoT devices utilized but range between 100,000-600,000. The overall attack volume was estimated by Dyn to be around 1.2Tbps. That was approximately double the previously largest DDOS attack on Krebsonsecurity (665 Gbps).
2017 Enterprise Security Closing Thoughts
As mentioned, I’ll stay away from specific predictions around technology or attacks, but I will make a few observations. It’s quite clear that security will continue to grow in importance.
These attacks are not going away, and organizations of every size and across every industry must become more diligent in their approach to security. While we frequently focus on the technical aspects of security, ultimately this all comes down to protecting your organizations from negative impact. I’ll make a case for why you want to discuss security with your organization with three simple points:
- Security is top of mind for every customer you have. There literally isn’t a single customer who isn’t looking at how to enhance their security and they expect that you will do the same within your organization to maintain the bond of trust they have established with you.
- Security is a C-Level conversation. This is not a “technical” conversation, this is an organization-wide discussion that begins at the c-level. Your CEO and CFO must get involved if they aren’t already. Now is your opportunity to provide them with information and education about cybersecurity threats and preventative measures.
- Security is becoming more than just protection. Security is now leveraged as a competitive differentiator. When competing for business, the security of an organization is now a common part of the decision tree and demonstrating the steps you’ll take to protect your customers’ information is critically important.
I look forward to a productive, exciting and innovative 2017 in enterprise security! We’ll have ample opportunity to discuss approaches to cyber threats and, I’m sure, no shortage of new stories to share.