What are the top 10 Cyber security breaches of 2015? originally appeared on Quora: The best answer to any question.
Answer by Sai Ramanan, Lead Quora's Corporate Information Security, on Quora.
Data breaches have become a status quo considering how attackers keep finding paths to infiltrate networks and steal confidential information. Last year, we have seen big industry breaches such as Sony, JP Morgan Chase, Target, eBay etc. This year hasn't changed much. The security industry has seen not just targeted attacks at these organizations but also there is this theme around the nation-state-sponsored hackers because they are generally resourced the best, and their collective motivations run across the spectrum. While the security breach barrage on one end continues, investments are pouring into security technologies on the other end and it's clearly not enough.
Here are the top 10 cyber security breaches of 2015 categorized from least to most compromised records.
When it happened: March 2015
No of records compromised: 500,000 email addresses and other personal account data (phone number, Skype ID, etc.)
confirmed that Slack's hashing function is bcrypt with a randomly generated salt per-password. We have seen so many unauthorized database incidents before. Haven't we? Think about HipChat and Twitch. It was not too long before they experienced similar breach.
Lesson Learned: For companies that are still relying on passwords, it's a blow. Do not just use salting. Invest in technologies and people to prevent hackers getting access to your database in the first place. Overcome the post-breach mindset.
When it happened: July 2015
No of records compromised: 1 million emails
The Hacking Team develops spy tools for government agencies, including those that can go around traditional anti-virus solutions.This breach published more than 1 million emails from the Italian surveillance company, revealing its involvement with oppressive governments as well as multiple Flash zero-day vulnerabilities and Adobe exploits. As a cyber security professional, this is definitely frightening. A full list of Hacking Team's customers were leaked in the 2015 breach that included mostly military, police, federal and provincial governments.
Lesson Learned: Patch your systems and applications. Inventory your systems and applications. This has been extensively covered as part of NIST SP-800-137, SANS CSC and ASD.
When it happened: June 2015
No of records compromised: Affected multiple customers
reported that "We've found that the group behind Duqu 2.0 also spied on several prominent targets, including participants in the international negotiations on Iran's nuclear program and in the 70th anniversary event of the liberation of Auschwitz".
If you don't know about Duqu, it's sometimes referred to as the stepbrother of Stuxnet. One of the most notable features of Duqu 2.0 was its lack of persistence, leaving almost no traces in the system. The malware made no changes to the disk or system settings: the malware platform was designed in such a way that it survives almost exclusively in the memory of infected systems. The technical details about this are published here
Kaspersky's breach just proves that some of the security-conscious organizations can fall victim to determined hackers.
Lessons Learned: Security teams have to adopt this as part of continuous monitoring strategy. Know your network. Train your teams to alert for any suspicious activity on the network. Do not just monitor inbound communications. Be watchful of all the security updates as a general best practice.
7. CareFirst BlueCross BlueShield
When it happened: May 2015
No of records compromised: 1.1 million records
1.1 million members had their names, birth dates, email addresses and subscriber information compromised, but member password encryption prevented cybercriminals from gaining access to Social Security numbers, medical claims, employment, credit card and financial data.
CareFirst discovered the breach as part of a Mandiant-led security review that found hackers had gained access to a database that members use to get access to the company's website and services
Lesson Learned: Enable DNS query logging to detect hostname lookup for known malicious C2 domains. Detect random string entropy - unknown certificates, file names etc. Disclose and communicate data breaches in a timely manner.
When it happened: July 2015
No of records compromised: 7 million users
The password management company LastPass revealed that it had been the victim of a cyberattack, compromising email addresses, password reminders, server per user salts and authentication hashes. "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed", the company said.
Salts are really not useful for preventing dictionary attacks or brute force attacks. One of the drawbacks of the hashing algorithm PBKDF2-SHA256 employed by LastPass is that it was not designed to protect passwords.
Lesson Learned: For end users, make sure you rotate master passwords periodically. Also ensure that you have password reminders/recovery questions different for every critical application.
5. Premera BlueCross BlueShield
When it happened: March 2015
No of records compromised: 11.2 million records
Premera BlueCross BlueShield said in March that it had discovered a breach in January that affected as many as 11.2 million subscribers, as well as some individuals who do business with the company. The breach compromised subscriber data, which includes names, birth dates, Social Security numbers, bank account information, addresses and other information. There were suits filed against Premera for waiting roughly six weeks to tell victims that their data might have been exposed. Pile of lawsuits filed against Premera-- for being negligent, breached its contract with customers, violated the Washington Consumer Protection Act and failed to disclose the breach in a timely manner.
indicates that the prennera[.]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the "m" with two "n" characters within the faux domain.
It definitely looks like suspicious domain, prennera.com
which is likely a spoof of Premera, and a malicious payload signed with the same digital certificate as malware from the Anthem hack.
Lesson Learned: Enable DNS query logging to detect hostname lookup for known malicious C2 domains. Detect random string entropy - unknown certificates, file names etc. Monitor for overly short certificates, certificates with missing information, etc. Disclose and communicate data breaches in a timely manner.
When it happened: October 2015
No of records compromised: 15 million people's records
T-Mobile uses Experian to process its credit applications. Experian Plc (EXPN.L
), the world's biggest consumer credit monitoring firm disclosed a massive data breach that exposed sensitive personal data of some 15 million people who applied for service with T-Mobile US Inc.
Experian explained the details
on its Web site:
The unauthorized access was in an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services or products, which require a credit check, from Sept. 1, 2013 through Sept. 16, 2015.
Brian Krebs reported in his blog
that the Experian's Decision Analysis credit information support portal allowed anyone to upload arbitrary file attachments of virtually any file type. Those experts said such file upload capabilities are notoriously easy for attackers to use to inject malicious files into databases and other computing environments, and that having such capability out in the open without at least first requiring users to supply valid username and password credentials is asking for trouble. Experian's insecurity has dragged T-Mobile into its privacy scandal.
Lesson Learned: Bake security assessment as part of acquisition strategy. Also, do not open systems exposed to internet without any form of authentication.
3. Office of Personnel Management
When it happened: June 2015
No of records compromised: 21-25 million federal workers records (including both breaches)
On Sep23, OPM Press Secretary Sam Schumach stated that "Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million".
These kind of breaches involving biometric data like fingerprints are unique and particularly concerning because you cannot rotate these unlike passwords. These are permanent identity of those people.
(PDF) by OPM's Office of the Inspector General on the agency's compliance with FISMA finds "significant" deficiencies in the department's IT security. The report found OPM did not maintain a comprehensive inventory of servers, databases and network devices, nor were auditors able to tell if OPM even had a vulnerability scanning program. The audit also found that multi-factor authentication (the use of a token such as a smart card, along with an access code) was not required to access OPM systems. "We believe that the volume and sensitivity of OPM systems that are operating without an active Authorization represents a material weakness in the internal control structure of the agency's IT security program," the report concluded.
Lesson Learned: Implement multi-factor authentication for admins accessing sensitive systems, implement continous monitoring strategy. It is important to constantly fine-tune your logs and baseline your environment.
When it happened: July 2015
No of records compromised: 37 million clientele records
Ashley Madison made headline after a hacking group, the Impact team penetrated its servers and published the information of all 37 million users online.
The hackers leaked maps of sensitive information - including internal company servers, employee network account information, company bank account data and salary information. According to security consultant Gabor Szathmari, Ashley Madison may have made things easy for their attackers by writing a variety of credentials directly into their source code -- including database credentials, SSL private keys, Twitter OAuth tokens, and Amazon Web Services credentials.
In addition, the database passwords Szathmari found "were between 5 and 8 characters, and many of them contained 2 character classes only." Aside from hardcoded credentials, Szathmari also noted that the website didn't employ form or email validation to help screen out bots.
Lesson learned: Never ever store clear-text sensitive data in your source code, rotate your API tokens and service credentials. Educate software developers about secure coding practices
When it happened: Feb 2015
No of records compromised: 80 million patient and employee records
The breach was revealed in February that exposed an astonishing 80 million patient and employee records. Anthem said the breach exposed names, date of birth, Social Security numbers, health-care ID numbers, home addresses, email addresses, employment information, income data and more. The attack would not have been possible if Anthem had ensured that data at rest was securely encrypted and as a result, millions of peoples' confidential information would not be in the hands of the hackers.
Derusbi is a family of malware used by multiple actor groups but associated exclusively with Chinese APT as part of Anthem breach.
indicates that the "Sakula" (aka. Sakurel) family of malware, a known variant of the Derusbi backdoor, and was configured to communicate with the malicious command and control (C2) domains extcitrix.we11point[.]com and www.we11point[.]com
. They also confirmed that this malicious infrastructure was likely named in such a way to impersonate the legitimate Wellpoint IT infrastructure.
Lesson learned: Do not just rely on perimeter security. Use a threat intelligence platform to be able to recognize potential malware activity from multiple threat intelligence sources and act upon. Encrypt data-at rest and ensure that the encryption keys, network access control and identity management all work together to ensure data is secure.
In 2016, attacks are only going to get worse and we need to step up our game rather than just relying on tools. More security vendors will be targeted, drones hacked, ERP platforms continuing to be used as conduits to cause real-world physical damage by attacking industrial control systems, more darknets and blackmarkets surge and more nation-sponsored attacks to come.
This question originally appeared on Quora. Ask a question, get a great answer. Learn from experts and access insider knowledge. You can follow Quora on Twitter, Facebook, and Google+. More questions: