Cyber Security Reflections on 2014

Published on December 29, 2014

Over a year ago, Target publicly acknowledged the now infamous data breach. For many weeks afterwards, news of the Target breach dominated the headlines. Cyber security was no longer just a topic for security professionals; the topic had gone mainstream. Sadly, 2013 was quickly eclipsed by 2014 in terms of data breaches.

In a report released on December 9th, 2014, the Identity Theft Resource Center identified 720 separate data breach incidents with an estimated 81.6 million records stolen. On October 10, 2014, Federal officials warned America that more than 500 million financial records had been stolen. If the ITRC’s numbers are alarming, the Federal government’s numbers are downright terrifying. You might as well take out a full-page ad in the NY Times listing your social security number, bank account number, and mother’s maiden name. After all, the bad guys already have the information, so why not just share it with the rest of us?

Reflection #1: 2014 saw an unprecedented number of financial records stolen. Incredibly, our payment systems are still functioning.

In April 2014, a tiny coding bug in the openssl library made global headlines as technology vendors and website owners scrambled to fix the Heartbleed vulnerability. In September, Shellshock hit the news, with the POODLE vulnerability hot on its heels. At least those three vulnerabilities can be fixed. A fundamental flaw in the USB standard, first announced in August, became significantly more likely to be exploited in October, when 2 researches published exploit code samples.

Reflection #2: 2014 saw an unprecedented number of code vulnerabilities make the news.

At Agari, we see email-based fraud every day. What strikes me about 2014 is the sheer number of brands that are being used as the lure in large-scale phishing and malware campaigns. We’ve seen campaigns using E-Zpass, Kohls , PG&E, Adobe, Costco, Walmart, Best-buy, Target, Microsoft, Gmail, Yahoo, AT&T, and hundreds of other brands.

Reflection #3: 2014 saw well-known brands in nearly every sector used as the bait in phishing and malware campaigns. 

Overall, 2014 was a terrible year for cyber security. If 2014 were a movie, it would be “The Empire Strikes Back”. Let’s hope 2015 will be a little more like “Return of the Jedi”.