Cybersecurity: What we learned in 2017
Posted by Peter Bassill on 03/01/2018

With 2018 just days old, it’s time to reflect on what proved to be another busy year in the world of cybersecurity.

Despite all the time and money being spent on keeping information and systems secure, it seems you can never legislate for individual errors and poor judgement.

But with a new year now upon us, here’s hoping we can all learn from the mistakes of this year to make 2018 safer and more secure than ever.

Be careful who you trust

There are certain companies and bodies that we all trust, be it the NHS with our health records, Equifax with our personal financial records or MPs to protect the country and its secrets. But it seems that, despite the warnings, individuals are still falling well below the expectations and standards needed to keep us and our information safe.
Privacy regulator warns MPs over shared passwords
Massive Equifax data breach hits 143 million
NHS hit by Wannacry attack
Data breaches are fast becoming the norm

It seemed to be a case of another day, another data breach during 2017, and we’re not talking about small companies that cannot afford or justify spending big money protecting their businesses from cybersecurity attacks.

Instead, we are talking about some of the biggest businesses around, which still found themselves making the headlines for all the wrong reasons as data breach incidents became an everyday occurrence rather than the isolated incidents of previous years.

It was certainly a year to forget for some huge organisations, including Uber, the NSA, Wonga, the CIA, Deloitte and Apple, as well as those mentioned above, all of which were in some part involved in data breach incidents.
Uber concealed huge data breach
Apple rushes to fix major password bug
Gender divide is still causing huge problems

A new report issued earlier this month revealed that 87% of CISO roles at Fortune 500 companies are held by men. Fortune 20 companies fared even worse in the study, by Forrester, with just two female CISOs among their staff.

"Calling a discrepancy this large a gender gap is a clear understatement. This is an emergency signal warning us that the cybersecurity industry has major issues welcoming, developing, and promoting female cybersecurity talent," said Jeff Pollard, Principal Analyst.

"It's difficult to sympathise with those claiming talent shortage challenges when roughly half of the population is so underrepresented," he added.

Women currently represent just 11% of the cybersecurity workforce worldwide. But why is it such a problem?

There are currently estimated to be more than 1 million unfilled cybersecurity jobs worldwide, which reflects a huge cyber skills shortage that is only going to get worse as women continue to leave roles within the industry.

According to the National Initiative for Cybersecurity Careers and Studies, “Diversity encourages a culture where divergent opinions can be brought together to develop innovative solutions to solve some of the toughest problems our nation faces today.”

Meanwhile, a survey by Intel found that 71% of respondents felt that "the shortage in cybersecurity skills causes direct and measurable damage". One in three believed the shortage of skills made their organisations more of a hacking target, while one in four believed a lack of staff had "damaged their organization’s reputation and led directly to the loss of proprietary data through cyber attack".

Closing the gender gap will not only help the industry address the skills shortage; it will also help us when it comes to security.

According to Jane Frankland, who has published the book InSecurity: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe, women are key to staying a step ahead of the cyber criminals.

"Countless studies have shown that women and men gauge risk differently," she said. "Having a wide range of perspectives and thought leadership throughout the whole industry results in improved protection for businesses, individuals and countries."

Closing the gender gap will also be huge for the global economy. According to a report by McKinsey & Co., full gender equality would add 26%, or $28 trillion, to global gross domestic product in 2025.

Wifi really could be causing you harm

There has long been talk about the dangers of wifi, but 2017 revealed the real size of the problem, which could damage your privacy, your security and your bank balance.

The “KRACK Attack”, a serious vulnerability in the WPA wireless network security protocol, was discovered in October. It could allow attackers to intercept passwords, photos and bank or credit card details.

The problem is that the flaws are in the wifi standard itself and not in individual products, which is why the potential problem is so widespread. Almost every router, computer and smartphone could be affected, but potential attacks against Linux and Android 6.0 or later devices could have particularly devastating results.

What should you do to protect yourself?

It is important to ensure that all your wireless devices are updated as soon as firmware updates are available. This means updating your wireless access points as well as your phones, tablets, laptops and anything else that uses wireless technology to connect. Updating Wi-Fi-connected device operating systems (such as Android and iOS) should take priority over updating router firmware.
For companies and governments, wireless should be assumed to no longer be a secure mechanism of network connection, and any wireless networks carrying sensitive information should be disabled immediately.

Important points to know:

- The KRACK Attack flaw exists within the WPA protocol itself and not in particular hardware or software products.
- The KRACK Attack exists in various forms which target different WPA handshakes occurring in different situations.
- Android, Linux and OpenBSD devices are especially vulnerable to the KRACK Attack, but all operating systems are vulnerable to one form or another of the attack.
- Both WPA2 and the older WPA are vulnerable.
- Both personal and enterprise (corporate) WPA/WPA2 networks are vulnerable.
- We are aware of actual real-life attack code being available at the time of writing.
- While the KRACK Attack breaks WPA/WPA2 Wi-Fi encryption, websites transmitting data using SSL/TLS (i.e. those which begin with ‘https://’ in the URL bar) use a separate and additional form of encryption which is not affected by the KRACK Attack.

Nothing is safe – not even your children’s toys!

Toys which were tipped to be among the big sellers this Christmas were found to allow strangers to talk to your child. Research by consumer watchdog Which? found that the Furby Connect, i-Que Robot, CloudPets and Toy-Fi Teddy all needed no authentication to connect the toys to Bluetooth or wireless devices! As a result, it urged retailers to stop selling the “connected” or “intelligent” toys due to security risks.

In Germany, the authorities went even further, telling parents to destroy a talking doll called Cayla because it can reveal personal data. A German regulator has also banned the sale of smartwatches aimed at children after describing them as "spying devices".

"Poorly secured smart devices often allow for privacy invasion. That is really concerning when it comes to kids' GPS tracking watches - the very watches that are supposed to help keep them safe," Ken Munro, a security expert at Pen Test Partners, told BBC Technology.

IoT security firm Armis reported in September that billions of Android, iOS, Windows and Linux devices using Bluetooth had been exposed to a new attack that can be carried out remotely without any user interaction. This means that home devices such as Amazon Echo and Google Home are also vulnerable.

Conclusion

So while 2017 was a year littered with data breaches, hacking incidents and worrying discoveries, it could help lead to a safer 2018 if lessons are learned and plans put in place. After all, prevention is better than cure.

To make sure you aren’t among the businesses making the headlines in 2018, you can start by following our simple tips.