The year behind us was full of bombastic headlines about attacks and concerns about user privacy. How much danger were we really in?
The past year will be remembered for the fight that raged over citizens' private data. On the one hand, the European GDPR legislation came into force; on the other, old and new flaws in how the giants Facebook and Google protect their users' data were discovered.
Data from tens of millions of people was compromised in these two attacks, and Google launched the Google+ shutdown process after a repeated problem. But these were far from the only attacks on user data. The same happened to the Quora and Reddit sites, but far more worrying were the attacks on British Airways and Marriott Hotels, which leaked information about personal documents (passports), payment cards … And then there are the attacks on many health organizations in which sensitive patient data was stolen – according to Forbes, in the third quarter of 2018 alone, data on 4.4 million patients was stolen!
The number of people whose data is compromised deserves less attention – although these figures are troubling – than what will happen with this data. It mostly ends up on the black market, and often we find out that it was stolen at all only after a delay of several years. When we combine this with the fact that every 44 seconds an attempt is made to breach protected data, it becomes clear that the problem can only escalate if no adequate measures are taken.
DDoS does not quit
The wider public heard of the concept of DDoS attacks in 2010. At that time, because of the pressure on WikiLeaks, the Anonymous group began using this type of attack as a form of activism (hacktivism), attacking organizations such as MasterCard, Visa and PayPal for refusing to process donations to WikiLeaks.
Although DDoS received a lot of public attention at the time, this type of attack has not stopped being used; on the contrary. The largest confirmed DDoS attack so far took place in February 2018 and lasted 20 minutes. The “victim” was GitHub, and the attack had a strength of 1.3 terabytes per second! Adequate protection prevented it from affecting the functioning of the service more seriously.
DDoS attacks have become more powerful, and attackers smarter – finding new ways to disrupt the operation of the systems they attack. At the same time, the number of attacks is decreasing – in the first half of 2018 there were 13 percent fewer than a year earlier. However, that is still more than 400,000 DDoS attacks per month globally.
The lack of mobile authentication
Many will remember the year behind us for the incredible growth of the so-called “SIM swapping” method. Although such attacks occurred earlier, their number exploded this year, to the extent that the REACT Task Force, the US agency for combating technological crime, shifted its focus in 2018 to criminals using this type of attack.
The reason is the growing number of victims who had invested in cryptocurrencies and who, within a few minutes of a successful takeover of their phone number, were left without millions of dollars! Those who were robbed sued the mobile operators AT&T and T-Mobile because they had not protected them adequately. This type of attack is actually just one of the problems of mobile authentication. Besides SIM swapping, attackers can also intercept a one-time code sent by SMS and use it before the victim does. In December, a massive phishing attack was reported that gave criminals access to Gmail and Yahoo mailboxes.
Mobile operators are trying to solve this by providing other authentication methods, but most are opting for a system that is simple from the user's point of view: header enrichment, a technique that sends verification credentials over the unsecured HTTP protocol. Needless to say, at the present time this simply cannot be a solution!
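The weakness described above, as an added example that is not part of the original article: a service that trusts a phone number carried in a plain request header, next to a version that accepts it only over TLS with a fresh signature. The header names, the shared key and the signing scheme are assumptions made for illustration, not any operator's actual design.

```python
import hashlib
import hmac
import time

# Hypothetical header names and shared key, chosen for this illustration only.
MSISDN, TS, SIG = "X-MSISDN", "X-MSISDN-Timestamp", "X-MSISDN-Signature"
OPERATOR_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 60


def naive_identify(headers):
    """Weak pattern: accept whatever phone number the request header carries."""
    return headers.get(MSISDN)


def sign(msisdn, timestamp, key=OPERATOR_KEY):
    """Signature the operator gateway would attach next to the number."""
    message = f"{msisdn}|{timestamp}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verified_identify(headers, scheme, now=None):
    """Return the phone number only if it arrived over TLS, fresh and signed."""
    now = time.time() if now is None else now
    if scheme != "https":
        return None  # plaintext hop: value could be read or rewritten in transit
    msisdn, ts, sig = headers.get(MSISDN), headers.get(TS), headers.get(SIG)
    if not (msisdn and ts and sig and ts.isdecimal()):
        return None  # a bare number with no proof of origin is rejected
    if abs(now - int(ts)) > MAX_AGE_SECONDS:
        return None  # stale value, possibly replayed
    expected = sign(msisdn, ts)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None  # number or timestamp changed after signing
    return msisdn


# Constructed sample requests (not real traffic).
NOW = 1546300800
GENUINE = {MSISDN: "15550100", TS: str(NOW), SIG: sign("15550100", NOW)}
CLIENT_SET = {MSISDN: "15550100"}  # header supplied by the client itself

if __name__ == "__main__":
    print("naive, client-set header:", naive_identify(CLIENT_SET))
    print("verified, client-set header:", verified_identify(CLIENT_SET, "https", NOW))
    print("verified, genuine over http:", verified_identify(GENUINE, "http", NOW))
    print("verified, genuine over https:", verified_identify(GENUINE, "https", NOW))
```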
What comes in 2019?
Considering the activities that damaged the security of data centers, applications and services, as well as of users themselves, during 2018, this year the focus will be on technologies and approaches that reduce the effectiveness of attacks. Zero Trust Security is an approach to protecting information systems that starts from trusting no one and requires that every activity be verified, regardless of whether it comes from internal or external users. Although this approach was expected to be in focus in 2018, it seems that only 2019 is the right time to apply it.
Biometric authentication is establishing itself as an increasingly common method because users want to be less involved in the login process. Although it is used more and more, the issue of data privacy, as well as the emergence of methods that successfully copy a user's fingerprints or voice, already make this method insufficiently safe.
The security of IoT devices will become even more important. The number of devices is growing, and eSIM technology will make them easier to connect, but also easier to attack. Because of the poor security of IoT devices, there is also talk of laws that would make manufacturers responsible if they do not “make” users change the default, unsafe code immediately after the device first starts.
SIM swapping attack
A SIM swapping attack takes place in a few steps. The criminal first acquires a new, active SIM card. He then calls the mobile operator, reports that he has lost his phone and asks for the phone number to be linked to the SIM card he is currently using. After a check that is obviously insufficient, the operator transfers the number to the new SIM card, and from that moment the attacker has access to everything the victim has linked to the phone number. This often includes access to all online services and profiles that verify the user over the phone by sending a one-time code via SMS. The victim mostly realizes too late that there is a problem. The first signal is the sudden loss of mobile signal, which happens when the operator transfers the phone number to the new SIM card.
Attacks on user devices will become increasingly numerous. On the one hand, these devices are relatively unsafe and users are willing to pay a certain amount to get them back under their control (in the case of ransomware attacks). This may apply to any smart device connected to the Internet. On the other hand, users bring their devices into the business environment and use a number of applications that have access to sensitive data, which will lead to a change in how users log in. Here operators are putting themselves forward as a solution – in the US, a group of operators has launched Project Verify, and there is also IPification technology, which each operator can “convert” into a page that safely verifies the user.
GDPR compliance as a service will gain in significance. At a time when legal regulations force companies to look more carefully at user data, small organizations are not able to devote themselves adequately to this topic. They are turning to tools that comply with the regulations, but to make sure they do not violate the rules, they are expected to outsource the management of their entire system of tools in 2019.
The five trends we have highlighted are not the only ones being talked about. It is also expected that criminals, instead of stealing data from various databases, will start to alter it, and that artificial intelligence will play an increasingly noticeable role – on both the protection side and the attack side. All of this will lead organizations to decide to pay for insurance against cyber attacks, and the Chief Cybersecurity Officer (CCO) will take a place at the top of companies.
In a year, before the end of 2019, we will see what became of all this …