2019 in the Rearview, 2020 in the Windshield

2019 was a big year for IT security whichever way you choose to look at it. Huge volumes of records were exposed, loads of organizations experienced a ransomware attack, skimmers compromised countless websites, and European authorities issued massive fines under the General Data Protection Regulation (GDPR).

Let’s take a quick trip down memory lane to review the most prominent themes of 2019 and discuss how they might develop in 2020.

Ransomware

Ransomware celebrated its 30th birthday in 2019, and it has certainly grown up! The first ransomware variant was the AIDS Info Disk Trojan. Distributed by floppy disk, the variant encrypted the names of all files on the C: drive, then requested that the recipient send a money order to Panama. Ultimately it was not actually effective, but we have seen ransomware develop into one of the most persistent and virulent attacks faced by organizations today. According to the Mimecast State of Email Security Report 2019, more than half of all organizations encountered a ransomware attack that directly impacted their business operations – almost double the 2018 figure.

Ransomware attacks in 2019 have targeted everything from manufacturing to the public sector, and from large global enterprises to local medical centers. We’re using “targeted” loosely in this instance: no doubt some of these attacks have been precisely targeted, but despite targeted campaigns, most incidents remain attacks of opportunity.

For the manufacturing industry, ransomware can have particularly serious knock-on consequences, as production delays can cost organizations tens of thousands of dollars per hour. In 2019, we also observed both city entities and government entities for entire states being targeted. The attackers presumably relied on the resulting publicity to test the efficacy of their attack and to gauge public pressure for a response – although to date, most government entities appear to have not paid any ransoms.

One of the nastier consequences of ransomware has been its impact on small businesses. According to some reports, up to 60 percent of small businesses that experience a cyberattack may go out of business as a result of the incident. In fact, during 2019, there have been recorded cases of small medical practices closing their doors and medium-sized companies laying off hundreds of workers because they lacked either the funds to pay the ransom or the ability to rebuild their systems.

Unsecured Databases and Cloud Storage

According to the Risk Based Security Data Breach QuickView Report 2019, 7.9 billion records were exposed in 2019. The sheer quantity of exposed records exceeds the estimated world population of 7.8 billion in January 2020! We are living in an era where it is almost guaranteed that your personal data has been compromised in some way. What’s even more alarming is that the number of records leaked in a single event must be in the hundreds of millions to register on a list of significant breaches!

This is one area of cybersecurity where configuration errors really do seem to be the prime culprit, as unsecured data stores have leaked billions of records. With the rapid shift to the cloud and the complexities associated with configuring many of these services, we do not anticipate that unsecured data stores will go away anytime soon.

ECommerce and Skimming

Website skimmers have been around for 10 years or more, and perhaps the most well-known threat actor group specializing in credit card skimming is Magecart. According to one RiskIQ report, 2 million sites have shown signs of a Magecart compromise as of October 2019. Additionally, several well-known brands, such as British Airways and Forbes, have made headlines due to Magecart-attributed compromises.

One interesting development in recent attacks has been hackers targeting account management pages in addition to the checkout pages that have traditionally been the target. It is easy to see why: account management pages hold a lot of useful information, including addresses, passwords, and other personally identifiable information.

The challenge with these attacks often lies in the components used in e-commerce websites. Twenty years ago, in-house resources would build websites and all their components from scratch. Today, most websites are built using components from an outside vendor. This supply chain introduces vulnerabilities and requires attention to ensure that suppliers are diligent about securing their code. Recent breaches emphasize this point.

GDPR

The European Union’s (EU) GDPR took effect in May 2018, and authorities have reportedly issued over $400 million in fines (although some are still up for negotiation). Interestingly, the EU issued many smaller fines, as low as $100. Many of these smaller fines specifically cite insufficient technical controls. We are still in the relatively early days of GDPR enforcement, and we see leaders from around the world developing other mandates with similar objectives. Only time will tell how far regulation will go toward making our personal information more secure.

Looking Forward into 2020

As we look at 2020, one of the most insidious developments already happening is the move to ransomware with data release. Since many organizations refuse to pay ransoms, some attackers are exfiltrating data prior to encryption and then using the threat of releasing the data as an additional lever. Since the affected organization may not immediately know whether data has been exfiltrated or not, this opens a new pressure point for the attacker to use. What’s worse is the uncertainty of whether attackers will publish the data even if the victim pays the ransom. Perhaps more concerning for companies is the potential for a ransom event to turn into a data breach event. This would introduce compulsory reporting requirements and possible fines from the regulator, on top of the cost of either paying the ransom or rebuilding systems.

Additionally, given the complexities around securing online data and databases, we’ll likely continue to see data breaches as a result of configuration errors. In fact, as of late January, Microsoft reported a leak of 250 million records, which might turn out to be the first big breach of 2020. Microsoft cited a configuration error and recommended that organizations review their processes to ensure they are following best practices.

A Silver Bullet?

So, what can the defenders do? Unfortunately, the silver bullet remains as mythical as the creatures it is supposed to slay. But let me be so bold as to wrap up with some recommendations.

Do the basics

  • Use supported operating systems and software
  • Patch
  • Back up your systems – Ensure redundancy and test
  • Educate your users in cybersecurity fundamentals

Prevent what you can… for everything else there’s monitoring

Useful resources in your monitoring efforts: