Lessons to be learned from the latest high-profile attacks
Recent high-profile attacks in the news continue to underline the need for businesses to take cyber security seriously. Attacks on Yahoo, WADA, Seagate and Just For Men demonstrate that even the defences of large, global brands are vulnerable.
Successful cyber defence involves being able to spot early signs of attack, an area in which many businesses fail. Today’s organised cyber criminals are patient and well-resourced, making it inevitable that a targeted organisation will be breached at some point. Just a tiny security lapse is all it takes to let a determined hacker in.
In the case of Yahoo, keeping its 500 million+ users in the dark for so long about the breach, which occurred in 2014, has opened the company up to widespread criticism. Tracing the source of an attack and identifying compromised assets can take time, but by failing to disclose the hack sooner, the company has left millions of people unduly exposed.
Some disgruntled Yahoo users are reportedly considering taking legal action against the company. Commenting in Computer Weekly, Redscan’s CEO, Gubi Singh, says that the challenge for users considering litigation is proving whether direct financial losses have been incurred as a result of personal data being compromised.
What’s clear is that until companies start doing more to protect the data that they hold, more and more are going to face the threat of legal action, not just from customers but from suppliers and industry regulators too.
As Singh told Information Security Buzz, the attack on Yahoo, which is currently in the process of being acquired by Verizon, also underlines the need for organisations to assess security as part of the due diligence process.
The targeting of individuals
Yahoo is not the only company facing legal action for cyber security failures. Employees of storage manufacturer Seagate are reportedly suing the company after a senior HR executive fell for a spear phishing attack earlier this year, which resulted in thousands of employees’ tax information being exposed. The news follows an SC Magazine report of Mal/Miner-C malware being found in Seagate network attached storage (NAS) devices.
The targeting of individuals is a common tactic used by cyber criminals to compromise an organisation’s security. Hackers spend hours extensively researching their targets to create highly personal email communications that closely imitate genuine sources.
Another high-profile spear phishing attack to make recent headlines is one on The World Anti-Doping Agency (WADA) by The Fancy Bears hackers. This has led to the confidential medical files of sports stars including Venus and Serena Williams, teenage gymnast Simone Biles and 2012 Tour de France winner, Bradley Wiggins, being leaked and publicly scrutinised.
Improving cyber security awareness
Cyber security breaches have caused recent embarrassment for high-profile politicians too. The campaign website of US Presidential candidate Donald Trump was compromised by a brute-force attack which enabled sensitive data to be accessed. While in this instance the breach appears not to have been particularly serious, Redscan’s Lead Penetration Tester, Robert Page, told The Register that vulnerabilities like the one exposing Trump are all too common.
In the UK, the team of former Labour leader candidate, Owen Smith, posted the account details of his campaign phone bank system on social media. Page told SC Magazine that this incident illustrates that more must be done to improve security awareness.