Posted by Amit Sethi on Friday, December 15th, 2017
The year 2017 broke records for the number of reported security vulnerabilities in software. We also saw one of the worst data breaches ever in terms of impact. Let’s look back at some of the security news from 2017.
The number of publicly disclosed vulnerabilities in 2017 far exceeds the number from any previous year. Below is a graph generated by the National Vulnerability Database that shows the number of publicly disclosed vulnerabilities by year:
This trend appears similar when we look at only the high-severity issues (according to CVSSv2 scores):
As the number of disclosed vulnerabilities rises, organizations need programs for dealing with them. Failure to deal promptly with a publicly known vulnerability is what caused the worst data breach we’ve seen so far (at least for Americans).
While the Equifax breach did not affect the largest number of people, it did have the worst impact. Breaches of credit card numbers, passwords, and other information that can be changed are generally easy (although potentially costly) to deal with. However, the Equifax breach exposed data such as names, addresses, birth dates, and social security numbers. Because this information usually cannot be changed (at least not easily), it will remain valuable in the future. This information can easily be used to impersonate people, as attackers did via the IRS FAFSA tool breach earlier in 2017.
How did this breach happen? It resulted from Equifax’s failure to find and promptly patch a publicly known vulnerability in Apache Struts, which was used in its Consumer Dispute Portal. The vulnerability was exploited over 2 months after a fix was made available. Moreover, the company did not discover that its systems had been compromised for another 1.5 months. This series of failures demonstrates significant weaknesses in Equifax’s security program at the time.
Of course, government agencies are not immune to cyber attacks either, whether from outsiders or from insiders. In 2017, we saw documents and tools from the CIA leaked publicly as part of Vault 7. We also saw tools leaked from the NSA and published by the Shadow Brokers. Although the NSA tools were leaked in 2016, the password required to decrypt some of them was not made available to the public until 2017. The NSA tools were allegedly used by North Korea to develop the WannaCry ransomware, which infected over 230,000 computers in 150 countries in just 1 day. Sounds like a great movie plot; unfortunately, it had severe consequences. The attack affected hospitals, the U.K. National Health Service, universities, and a German rail operator, among others. It even affected some critical U.S. infrastructure. Several other ransomware attacks, such as Petya and Bad Rabbit, have since used the NSA’s leaked tools.
Whenever a leak like this happens, it renews the debate about whether government agencies should keep software vulnerabilities secret and exploit them as needed, or help make everyone more secure by reporting them and allowing vendors to fix them.
Last year, I mentioned the 2016 U.S. election and stated, “This is not the last time that we’ll see emails being stolen and published to attempt to sway public opinion.” Well, it happened again just a few months later. This time, it was an attempt to sway the French election, with Emmanuel Macron’s party’s emails being stolen and published. Of course, we’ll continue to see these types of attacks in the future.
We’re seeing more and more organizations adopting cloud services. Unfortunately, many of them do not have experience with the new technologies. It is easy to make mistakes that expose large amounts of data. Some notable events from 2017 included Deep Root Analytics exposing personal information about all U.S. voters, TigerSwan and TalentPen exposing résumés belonging to veterans, law enforcement officers, and intelligence personnel, and SVR Tracking exposing passwords for vehicle tracking devices. Make sure you have your cloud configuration reviewed regularly!
We saw organizations detect and respond to attacks at very different speeds. Google was on one end of the spectrum, where it shut down a phishing attack within 1 hour after about 1 million accounts were affected. Google accounts getting compromised may not seem like a big deal until you realize how many other accounts (like online banking) can be affected for people that use Gmail for their primary email address.
Equifax was somewhere in the middle. As we discussed previously, it took the company about 1.5 months to detect the breach, during which time 143 million people’s personal information was stolen.
Disqus was on the other end of the spectrum, where it discovered a breach after 5 years. During this breach, email addresses, hashed passwords, and other information for 17.5 million users were stolen. Although this breach on its own was probably a low-impact incident, since the stolen credentials could be used only to post comments online, the reality is that many users reuse passwords across multiple sites. Passwords stolen from Disqus could potentially be used on many other websites.
Of course, there are probably many organizations out there with compromised systems that still don’t know about them.
Equifax failed to find and patch vulnerable systems for at least 2 months, did not detect compromised systems for 1.5 months, and didn’t publicly disclose the breach for over a month afterward. Many questions were then raised about Equifax executives selling some of their shares during the month when some people at Equifax knew about the breach but the public did not. The executives were eventually cleared (at least by Equifax’s board). But when Equifax did make the breach public, it made even more mistakes by redirecting users wanting to check their status to the wrong website.
Uber was breached in 2016, and attackers stole personal data of 57 million customers and drivers. Uber’s chief security officer allegedly paid $100,000 to the attackers to delete their copy of the data—and then failed to disclose the breach to the public. Uber finally admitted to this in November 2017. Of course, there is no guarantee that the attackers deleted the data, and hiding the breach for a year unnecessarily exposed victims to other attacks.
Last year, I made a few predictions for 2017:
Did these events happen?
Now it’s time for some software security predictions for 2018.
The number of publicly reported vulnerabilities in software will likely set another record in 2018. Organizations need the right tools and programs in place to deal with this problem.
In 2017, we learned about the KRACK attack, in which attackers can intercept and inject traffic on modern Wi-Fi networks. This attack is made possible by a flaw in the WPA2 standard itself. As I mentioned earlier, we also learned about a flaw in the CAN Protocol used for communication between components in vehicles. In 2018 we’ll continue to see high-severity design flaws in software. Unfortunately, tools cannot find such flaws; we need architecture and design reviews to find them.
As more and more devices and public infrastructure become connected to the internet, we’ll see more attacks against them. We already saw the WannaCry ransomware affect small utilities and manufacturing sites in the United States. In 2018 we’ll start seeing larger-scale attacks against infrastructure.
How do you make sure that your organization doesn’t make the mistakes that we discussed? You need a solid security initiative to make sure you prevent attacks whenever possible, and minimize damage and respond appropriately when they do occur. There’s no one small change that could have systematically mitigated any of the security issues we discussed above. Like most critical business practices, security requires significant resources and effort. Do not leave it to chance. A good place to start is the Building Security In Maturity Model (BSIMM).
Get the latest AppSec news and trends sent directly to you.