2014 is likely to be long remembered as the year of the most far-reaching, long-standing open-source secure sockets layer (SSL) vulnerabilities. In the space of just a few months organisations have had to deal with Heartbleed, Shellshock and Poodle.
But the onslaught did not stop there and was not confined to open source, with many security experts declaring Microsoft’s Secure Channel (SChannel) flaw potentially worse than Heartbleed and Shellshock.
And while the discovery of long-standing bugs dominated the headlines, the Conficker Working Group (CWG) highlighted the fact that enterprise computers continue to be infected by the six-year-old Conficker worm, which disables their antivirus and Windows update systems.
2014 is also likely to be remembered as the year of high-profile data breaches, particularly in the retail, healthcare and financial sectors.
A significant hack at Sony Pictures Entertainment in late November revealed a growing need for IT security teams to be prepared for potentially devastating data thefts and destructive malware capable of killing computers and disabling networks.
However, cyber security awareness is not well developed in most sectors. First responders report a continued failure to put effective cyber incident response systems and processes in place, and research shows many organisations are still struggling to manage data securely, prepare for potential crisis scenarios, and defend against hacking and other cyber threats.
Despite growing concerns in 2014 about the security risks posed by the internet of things (IoT), research revealed less than half of IT professionals are working on projects to prepare their businesses for these inter-connected technologies.
Here are Computer Weekly's top 10 IT security stories of 2014:
The Heartbleed vulnerability in OpenSSL is widely considered a major blow for internet security and open-source development. Given the widespread use of OpenSSL, businesses have been urged to verify whether their version of OpenSSL is affected. The important thing to note is that only businesses using OpenSSL 1.0.1 through to OpenSSL 1.0.1f are at risk.
OpenSSL 1.0.0 and 0.9.8 are safe, usable and do not have the same vulnerability. All websites, online service providers and other organisations that use vulnerable versions of OpenSSL to encrypt transactions should take action immediately if they have not done so already.
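As an added example (not part of the Computer Weekly article), the version check described above expressed as a small Python triage script: it parses the banner printed by `openssl version` and flags only the 1.0.1 to 1.0.1f range the article names as at risk. The host names and banners in the inventory are constructed sample data.

```python
import re

# Range named in the article: OpenSSL 1.0.1 up to and including 1.0.1f.
VULN_BRANCH = (1, 0, 1)
LAST_VULN_LETTER = "f"

# Matches the start of an `openssl version` banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from a version banner, or None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_heartbleed_range(banner):
    """True when the banner falls inside the 1.0.1 .. 1.0.1f range the article lists as at risk."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = parsed
    if (major, minor, patch) != VULN_BRANCH:
        return False          # 1.0.0, 0.9.8 and other branches are outside the stated range
    # The bare 1.0.1 release (no letter) and the letter updates a..f are in range; g onwards are not.
    return letter <= LAST_VULN_LETTER


# Constructed sample inventory (hypothetical hosts) as a fleet scan might collect it.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "db-01": "OpenSSL 1.0.0l 6 Jan 2014",
    "legacy": "OpenSSL 0.9.8y 5 Feb 2013",
    "api-01": "OpenSSL 1.0.1 14 Mar 2012",
}


def hosts_at_risk(inventory):
    """Sorted list of host names whose banner is in the at-risk range."""
    return sorted(host for host, banner in inventory.items() if is_heartbleed_range(banner))


if __name__ == "__main__":
    print("Hosts to patch first:", hosts_at_risk(SAMPLE_INVENTORY))
```

A banner in range is a reason to investigate, not a final verdict: several Linux distributions shipped the fix as a package update without changing the OpenSSL letter version, so the package changelog should be checked before treating a host as patched or unpatched.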
Some security experts warned that a bug in Bash, the shell that provides the command prompt on many Unix computers, made public in September could be a bigger threat than the Heartbleed OpenSSL bug. They urged any organisation running Unix-based computers to install the appropriate security updates immediately.
Hackers could exploit the flaw in Bash (Bourne Again Shell) to take complete control of a targeted system, prompting the UK Computer Emergency Response Team to issue an alert. Like Heartbleed, the Bash bug affects millions of computers because it existed long before it was made public and Bash is installed on most Unix-based computers.
In November, security researchers warned that a newly discovered critical SSL weakness in Microsoft’s Windows operating system could be worse than Heartbleed and Shellshock. Microsoft released a security update to address the vulnerability and security experts said installing the update should be a top priority for system administrators.
The flaw in Microsoft’s SChannel implementation could allow a remote, unauthenticated attacker to execute arbitrary code. The SChannel security component implements the SSL and transport layer security (TLS) protocols.
While many security experts called for action to deal with the Heartbleed and Shellshock vulnerabilities, the CWG lamented the fact that enterprise computers continue to be infected by the six-year-old Conficker worm, saying it reflects the “sad state of affairs of IT security”.
“The problem is that Conficker has lost its buzz and is not regarded as a threat anymore,” Rodney Joffe, chair of the CWG, told Computer Weekly.
Researchers revealed the Conficker worm accounted for almost a third of the top 10 malware infections in PCs for the first half of 2014, and that it has infected millions of computers in more than 200 countries. Although Conficker is no longer being developed, with the last new variants of the worm appearing in March 2009, it continues to infect PCs and disable their antivirus and Windows update systems.
As the number of cyber attacks on retailers increased through the year, Verizon warned that the sector is making it easy for hackers to access its IT systems and steal lucrative financial data.
“Very few data breaches in the retail sector can be attributed to advanced attacks,” said Paul Pratley, investigations manager at Verizon. “Retailers will often claim they have been the victims of sophisticated cyber attacks, but that is often aimed at covering basic security failings.”
Verizon's 2014 Data Breach Investigations Report revealed attackers continue to use only a few simple techniques to steal data from retail organisations. The most basic problem is that point-of-sale devices are often open to the internet and protected only by weak or default passwords, or by no password at all. Attackers scan the internet for open remote access ports and gain access simply by trying a series of common passwords until the correct one is found. They are then free to install malware to collect and exfiltrate payment card data.
Through 2014, cyber incident response capabilities continued to be poor, with investigators called in after organisations were hit by cyber attacks reporting that in many cases there was no effective incident response plan.
The most basic problem is that people at many organisations still do not consider cyber attacks inevitable, because they either believe their defences are good enough or they do not think they will be targeted. Another common cause is that organisations do not understand the true value of an effective incident response plan in reducing the scope of an attack by identifying its source and shutting it down quickly.
The lack of an incident response plan means organisations can take up to 10 weeks to understand what happened. This is often compounded by the fact that, even when they do find out what went wrong, IT managers may not tell anyone in an effort to cover their own backs.
Organisations are still struggling to manage data securely, prepare for potential crisis scenarios and defend against hacking and other cyber threats, according to a report published in September. A lack of confidence in their ability to prevent a cyber attack or data breach is a key factor, according to the 2014 IT Security and Privacy Survey by global consulting firm Protiviti.
This lack of confidence among IT professionals, despite a high level of awareness of security risks by executives, underlines the need for strong incident response planning and execution, the report said.
Cyber security awareness is still in its infancy in most organisations despite the quick returns it can deliver, said security training and certification body the SANS Institute. Although the UK is among the leading countries in this regard in Europe, it still has a long way to go, according to Lance Spitzner, training director for the SANS Securing The Human program.
“Norway is the clear leader in Europe and even internationally, with around 30 government organisations taking the lead on security awareness training a few years back,” he told Computer Weekly.
Information security awareness was almost unheard of three years ago, but this is beginning to change, according to Spitzner.
“We are starting to see increased interest, but mainly from the financial, government, defence and manufacturing sectors, because they have the most to lose from being hacked,” he said. Despite also being prime targets for cyber attackers, the hospitality, healthcare and retail sectors are still lagging behind in most parts of the world.
In the wake of a huge cyber attack on Sony Pictures Entertainment, the FBI warned companies to be on the lookout for computer-killing malware, and security experts pointed to several key lessons to be learned from the attack. These include the need for organisations to encrypt all sensitive data, to store passwords separately from the files they unlock, to use two-factor authentication, to keep sensitive personal data separate from other data, and to carry out regular external security checks to ensure obvious security risks are eliminated. They also stressed that, if attackers do get into the network, it should be difficult for them to move around without restriction.
Just 41% of IT professionals are working on projects to prepare their business for the IoT, despite 71% realising it will affect both consumers and businesses. There is also a lack of focus and investment in security, despite 86% of IT professionals expecting security and privacy issues to be caused by IoT.
IT community Spiceworks questioned 440 IT professionals for the research report The Devices are Coming! It revealed 30% of IT professionals are preparing for IoT, with 68% investing in hardware infrastructure and 55% expanding bandwidth. A total of 68% of respondents said they support two or more devices per employee, and 61% expect the number of supported devices to grow in the next five years.
“This acceleration of internet-connected devices in the workplace will have a dramatic impact on how IT professionals manage the devices in their network,” said Spiceworks.