The 10 Biggest Security Stories Of 2013
Cybersecurity Highs And Lows
There were a number of big wins in the security industry in 2013, but threats and security incidents made up some new lows for corporate security and data privacy. CRN pulled together this list of security stories highlighting issues that had the biggest impact in 2013 and could continue to influence the security industry into 2014 and beyond.
It's worth pointing out some big stories that didn't make the list: Microsoft launched a bug bounty program, reversing a longheld stance. In January, whitelisting vendor Bit9 suffered a serious breach in which attackers stole digital certificates. Health-care security received increased attention with the enforcement of the Health Insurance Portability and Accountability Act and an expansion of the act to third-party providers. Finally, denial of service attacks were in the spotlight due to a significant increase in attacks against the financial sector and the high-profile DDoS campaign against Spamhaus.
Here's a look at the security stories making our list and could most impact the channel in 2014 and beyond.
10. Apple Biometrics: Password Alternative?
Apple launched the iPhone 5s in September with a fingerprint sensor supporting device access and making purchases on its iTunes store. It remains to be seen whether the adoption of biometrics by a major technology provider will help foster widespread adoption of the technology, say solution providers. Corporate laptops have had support for biometric fingerprint identification for years, but many companies use alternative forms of verification because they are proven to be more consistent, they say.
Meanwhile, Noc Noc Labs and other startups are aiming to broaden adoption of technologies that replace the username and password. Noc Noc started the FIDO Alliance, a consortium of technology providers that aims to create password alternative technologies that are interoperable. The FIDO group is gaining momentum with Microsoft joining the group's board of directors in December.
9. Companies Embrace Two-Factor Authentication
Some cloud services and social media networks bolstered their security systems this year following a string of password breaches that began in 2012. LinkedIn, Twitter and Evernote launched two-factor authentication features. Meanwhile, Amazon launched a Web service to enable businesses to accept Facebook, Google or Amazon.com credentials as part of verification.
Valid account credentials represent the holy grail for cybercriminals. End users often reuse the same username and password combination for a variety of places, including access to their work PC.
Solution providers recommend stronger password management policies to their clients as well as stronger database controls, including encryption (salting and hashing) of customer passwords stored on their servers.
8. Cryptolocker
The Cryptolocker ransomware, which surfaced in September, is being named one of the most menacing threats of 2013. Unlike other forms of ransomware, which security researchers say can be easily terminated and removed, Cryptolocker uses high-grade encryption against a victim's files and can spread to network-based storage appliances and cloud-based backup services.
At the core of the threat is a demand for Bitcoin payment to retrieve the key needed to unlock the files within several days of the infection. Some firms are said to have paid the ransom. The cybercriminals, they say, have been following through with those who pay by providing the key. Solution providers told CRN that other companies that had an offline backup were forced to reimage their systems following Cryptolocker infections.
7. Huawei Woes
China-based Huawei continues to be enveloped in the turmoil against surveillance activities, following concern from U.S. lawmakers that its hardware components could contain back-door access for Chinese spies.
The U.S. House of Representatives' Permanent Select Committee on Intelligence labeled Huawei a "national security risk" in late 2012. The company is the No. 2 maker of telecom equipment globally, behind Ericsson. Huawei Enterprise U.S.A., the Cupertino, Calif.-based subsidiary of Huawei, launched a channel program in 2011 to fuel sales of its devices in the U.S. This year, the firm insisted it was staying in the U.S. market, pledging that it was investing in its partner channel program.
The company is using the NSA surveillance revelations to help foster a discussion about transparency among technology providers. The company has said it fears knee-jerk reactions from lawmakers could break up longstanding Internet and telecommunication services into inefficient silos around the world.
6. Cisco's Acquisition Of Sourcefire
Sourcefire founder and CTO Martin Roesch (pictured) will be toasting the new year as he continues to lead the network security appliance vendor's product innovation under the Cisco umbrella. Many security industry observers see Cisco's $2.7 billion acquisition of Sourcefire as a sign that it is modernizing its portfolio to be a network security market leader. The price tag was a premium, say security analysts, but Cisco obtains best-of-breed, time-tested technology.
Sourcefire's intrusion prevention system is based on the popular open-source Snort software created by Roesch. It conducts real-time traffic analysis, sniffing and packet logging. With the market for technologies that address advanced threat detection remaining hot, Cisco is in place to compete against Palo Alto Networks and Check Point Software Technologies with capabilities that rival industry newcomer FireEye for advanced threat detection and suspicious file analysis.
5. FireEye Goes Public
Security vendor FireEye took its suspicious file analysis appliances public in September and was fully embraced by Wall Street. Despite the IPO being valued at $20 per share, the stock ended its first day of trading with gains of 80 percent at $36 per share. The company is 100 percent channel.
FireEye appliances -- a separate one is needed for Web, email and content filtering --- were expanded this year to include a cloud-based mobile and email protection service. At the core of the company's technology is its virtualized sandbox, which detects suspicious files and analyzes their behavior to determine if they are a malware threat.
FIreEye CEO Dave DeWalt told CRN that the FireEye platform is not a point product. Plans are in the works to build it out, he said. Meanwhile, next-generation firewall vendors, including Palo Alto Networks and intrusion prevention systems such as Cisco-Sourcefire, have capabilities designed to inspect files for malware.
4. Java Attacks
Oracle released updates to its Java platform to address a significant increase in attacks targeting weaknesses in the ubiquitous programming language. Java vulnerabilities accounted for more than 90 percent of attacks in 2013, according to Kaspersky Lab. Attackers were targeting both zero-day flaws and patched vulnerabilities in the platform, prompting calls from security experts for users to disable it in their browser.
Oracle bolstered its internal incident response and software security processes. The company introduced a variety of restrictions into the software, adding more robust certificate validation and a hardened Java applet container to prevent malicious code from breaking out onto a victim's system. The company also separated its browser Java from server use, since browser-based Java applets are targeted more often. It also added ways to make it easier for IT admins to whitelist only needed Java applets.
3. Adobe Customer, Source Code Breach
There was less attention paid to Adobe Systems from a threat perspective in the first half of the year as cybercriminals turned their exploits against Java. The company had been implementing new defensive technologies to make it difficult for attackers to target its users. Its strategy of automating the patching process for its ubiquitous Flash Player, Adobe Reader and Acrobat software seemed to be paying off. The company also moved the architect of its product security transformation into the role of chief security officer. Adobe CSO Brad Arkin (pictured) told CRN he would pay attention to the company's overall security strategy and said the company would also step up its focus on cloud security.
Months later the massive Adobe security breach quickly deflated any gains the company had made. More than 35 million customer passwords were exposed as well as its product source code. Investigators are still determining the cause of the massive breach and the fallout is still unclear, said Wolfgang Kandek, chief technical officer at vulnerability management vendor Qualys.
2. Mandiant APT1 Report
Security researchers have long pointed to China as the source of the bulk of cyberespionage activity against U.S. companies. But the Mandiant APT1 report, which came out in March, provided a definitive link to the Chinese government. The group was responsible for targeting hundreds of companies, remaining on systems for up to a year or longer before being detected.
The report preceded the discovery of a bevy of new targeted attacks designed to steal intellectual property from a variety of companies. The advanced persistent threats targeted businesses large and small, government agencies, defense contractors and manufacturers.
While custom malware, zero-day attacks and new watering hole techniques have been documented, nation-state attackers use fairly common techniques to gain a foothold in an organization. Mandiant found the group targeting configuration weaknesses, common vulnerabilities in browsers and browser components, and carrying out phishing attacks against employees.
1. Edward Snowden And NSA Surveillance
When the government contractor stole potentially thousands of classified documents outlining the extent of the National Security Agency's surveillance dragnet, he created a security incident that could have the biggest impact of any data breach in modern history. Most of the discussion is on the scope of the agency's Internet spying, exposing an unprecedented data collection program targeting citizens abroad and in the U.S.
Reports centered around the agency's cell phone metadata collection program, its drive to break widely used encryption algorithms and its ability to gather massive amounts of Internet communications between the data centers of Google, Yahoo and other major firms. The documents also paint a picture of the potential for collusion between the NSA and global technology giants to give intelligence gatherers back-door access into their products as part of the price for being based on U.S. soil. The fallout from the leaked documents is still being measured. But solution providers say it could erode trust in U.S. technology companies.