According to a new report from data breach insurance provider Beazley, US ransomware attacks on enterprises quadrupled in 2016. There is no sign that these attacks will slow, in fact they are likely to continue to increase in 2017. Beazley predicts that US ransomware attacks will double in 2017.
Half of US Ransomware Attacks Affected Healthcare Organizations
The sophisticated nature of the latest ransomware variants, the broad range of vectors used to install malicious code, and poor user awareness of the ransomware threat are making it harder for organizations to prevent the attacks.
For its latest report, Beazley analyzed almost 2,000 data breaches experienced by its clients. That analysis revealed not only that US ransomware attacks had increased, but also malware infections and accidental disclosures of data. While ransomware is clearly a major threat to enterprises, Beazley warned that unintended disclosures of data by employees is actually a far more dangerous threat. Accidental data breaches increased by a third in 2016.
US ransomware attacks and malware incidents increased in the education sector, which registered a 10% rise year on year. 45% of data breaches experienced by educational institutions were the result of hacking or malware and 40% of data breaches suffered by companies in the financial services. However, it was the healthcare industry that experienced the most ransomware attacks. Nearly half of 2016 US ransomware attacks affected healthcare organizations.
The report provides some insight into when organizations are most at risk. US ransomware attacks spiked at the end of financial quarters and also during busy online shopping periods. It is at these times of year when employees most commonly let their guard down. Attackers also step up their efforts at these times. Beazley also points out that ransomware attacks are more likely to occur during IT system freezes.
Ransomware Attacks on Police Departments Have Increased
Even Police departments are not immune to ransomware attacks. Over the past two years there have been numerous ransomware attacks on police departments in the United States. In January, last year, the Midlothian Police Department in Chicago was attacked with ransomware and paid a $500 ransom to regain access to its files.
The Dickson County Sheriff’s Office in Tennessee paid $572 to unlock a ransomware infection last year, and the Tewksbury police department in Massachusetts similarly paid for a key to decrypt its files. In 2015, five police departments in Maine (Lincoln, Wiscasset, Boothbay Harbor, Waldboro and Damariscotta) were attacked with ransomware and in December 2016, the Cockrell Hill Police Department in Texas experienced a ransomware infection. The attack resulted in video evidence dating back to 2009 being encrypted. However, since much of that information was stored in backup files, the Cockrell Hill Police Department avoided paying the ransom.
Defending Against Ransomware
Unfortunately, there is no silver bullet to protect organizations from ransomware attacks. Ransomware defenses should consist of a host of technologies to prevent ransomware from being downloaded or installed, but also to ensure that infections are rapidly detected when they do occur.
Ransomware prevention requires technologies to be employed to block the main attack vectors. Email remains one of the most common mediums used by cybercriminals and hackers. An advanced spam filtering solution should therefore be used to prevent malicious emails from being delivered to end users. However, not all malicious attachments can be blocked. It is therefore essential to not only provide employees with security awareness training, but also to conduct dummy ransomware and phishing exercises to ensure training has been effective.
Many US ransomware attacks in 2016 occurred as a result of employees visiting – or being redirected to – malicious websites containing exploit kits. Drive-by ransomware downloads are possible if browsers and plugins are left unpatched. Organizations should ensure that patch management policies are put in place to ensure that all systems and software are patched promptly when updates are released.
Given the broad range of web-based threats, it is now becoming increasingly important for enterprises to implement a web filtering solution. A web filter can be configured to prevent employees from visiting malicious websites and to block malvertising-related web redirects. Web filters can also be configured to prevent employees from downloading malicious files and engaging in risky online behavior.
The outlook for 2017 may be bleak, but it is possible to prevent ransomware and malware attacks. However, the failure to take adequate preventative steps to mitigate risk is likely to prove costly.
A recently released 2016 data breach report has shown that the number of data breaches reported by businesses has remained fairly constant year on year. 4,149 data breaches were reported between January and December 2016, which is broadly on a par with the figures from 2015.
2015 saw the largest ever healthcare data breach ever reported – The 78.8 million record data breach at Anthem Inc. There were also two other healthcare data breaches in 2015 that resulted in the theft of more than 10 million records. The 11-million record breach at Premera Blue Cross and the 10-million record breach at Excellus BlueCross BlueShield.
2016 saw more data breaches reported by healthcare organizations than in 2015, although the severity of the attacks was nowhere near as bad. More than 27 million healthcare records were exposed in 2016, whereas the total for 2015 was in excess of 113 million.
2016 Data Breach Report Shows Severity of Cyberattacks Has Dramatically Increased
While the severity of healthcare data breaches fell year on year, the 2016 data breach report from Risk Based Security shows an overall increase in the severity of data breaches across all industries. 2016 was a record-breaking year.
In 2013 more than 1 billion records were exposed or stolen – the first time that the 1 billion record milestone had been passed. 2016 saw that previous milestone smashed. More than four times as many records were stolen in 2016 than in 2013. 2016 data breaches exposed an incredible 4.2 billion records.
The RBS 2016 data breach report details 94 data breaches that exposed more than 1 million records. 37 breaches resulted in the exposure of more than 10 million records. The United States was the biggest target, accounting for 47.5% of the data breaches reported over the course of the year.
Healthcare data breaches hit the headlines frequently in 2016 due to the potential impact they had on the victims. However, healthcare industry data breaches only made up 9.2% of the annual total. The business sector was the worst hit, accounting for 51% of breaches in 2016. Government organizations made up 11.7% of the total and education 4.7%.
According to the RBS 2016 data breach report, the top ten data breaches of 2016 exposed an incredible 3 billion records and the average severity score of those breaches was 9.96 out of 10. All but one of those security breaches was caused by hackers. One of the incidents was a web-related breach. Six of the data breaches reported in 2016 ranked in the top ten list of the largest data breaches ever reported.
Six 2016 Security Incidents Ranked in the Top 10 List of Largest Ever Data Breaches
The largest data breach of 2016 – and also the largest data breach ever reported – was the hacking of Yahoo. More than 1 billion user credentials were exposed as a result of that cyberattack. While malware is a major threat to businesses, malware attacks only accounted for 4.5% of data breaches in 2016. Hacking exposed the most records and was the main cause of 2016 data breaches, accounting for 53.3% of incidents and 91.9% of the total number of stolen records.
Many organizations also reported being attacked on multiple occasions. The 2016 data breach report shows that 123 organizations reported multiple data breaches in 2016 and 37% of those organizations reported experiencing three or more data breaches between January and December.
According to RBS, more than 23,700 data breaches have now been tracked. In total, more than 9.2 billion records have been exposed or stolen in those incidents. According to RBS Executive vice president Inga Goddijn, “Any organization that has sensitive data – which is every organization with employees or confidential business information – can be a target.”
Cyberattacks are coming from all angles. Employees are being targeted via email, the volume of malware-laden websites and phishing sites has soared, malvertising is increasing and hackers are exploiting unpatched software vulnerabilities.
It is difficult to predict how bad 2017 will be for cybersecurity breaches, but it is fair to assume that data breaches will continue to occur at a similar level. Organizations need to respond by increasing their cybersecurity defenses to prevent attacks from occurring, but also to prepare for the worst and ensure they are ready to deal with a breach when one occurs. A fast response can limit the damage caused.
The use of web filters in libraries has been in the headlines on many occasions in recent months. There has been much debate over the extent to which libraries should allow patrons to exercise their First Amendment freedoms and whether Internet access should be controlled.
Many libraries in the United States choose not to implement web filters to control the content that can be accessed on their computers, instead they tackle the problem of inappropriate website access by posting acceptable usage guidelines on walls next to computers.
However, patrons of libraries can have very different views of what constitutes acceptable use. Many users of library computers take advantage of the lack of Internet policing and use the computers to view hardcore pornography.
While this is every American’s right under the First Amendment, it can potentially cause distress to other users of libraries. Libraries are visited by people of all ages including children. It is therefore possible that children may accidentally view highly inappropriate material on other users’ screens.
Libraries that apply for government discounts under the e-rate program are required to comply with the Children’s Internet Protection Act (CIPA). The legislation, which went into effect on April 20, 2001, requires schools and libraries to implement controls to restrict Internet access and prevent the viewing of obscene images, child pornography, and other imagery that is harmful to minors. However, it is only mandatory for libraries to comply with CIPA regulations if they choose to take advantage of e-rate discounts. Many libraries do not.
A recent article in DNA Info has highlighted the extent to which library computers are used to access pornography. One patron recently reported an incident that occurred when she visited Harold Washington Library in Chicago to complete forms on a library computer. She claimed that the person on the computer next to her was viewing hardcore pornography and was taking photographs of the screen using his mobile phone camera.
That individual was viewing material of very explicit nature and the screen was in full view of other users of the library. When the woman mentioned what was going on to a security guard, she was told that there was nothing that could be done. The library had chosen to honor patrons First Amendment Rights, even though those rights were in conflict with public decency. A reporter spoke to one librarian who said “Up here in this branch there’s porn 24/7.”
Most libraries in Chicago do not use web filters to limit access to obscene material, although that is not the case in all libraries in the United States. The reverse is true in libraries in Wisconsin for example.
The American Library Association does not recommend the use of web filters in libraries and instead believes the issue of inappropriate website usage should be tackled in other ways, such as to “remind people to behave well in public.”
The debate over First Amendment rights and the blocking of pornography in libraries is likely to continue for many years to come. However, institutions that are commonly frequented by individuals under the age of 18, who are not permitted by law to view pornography, efforts should be made to protect them from harm. If technical measures such as web filters are not used to block pornography in libraries, at the very least libraries should use privacy screens to limit the potential for minors to view other users’ screens.
Do you believe patrons of libraries should be allowed to view any and all website content? Should First Amendment rights extent to the viewing of pornography in libraries?
Credential stuffing attacks on enterprises are soaring according to a recent study conducted by Shape Security. The massive data breaches at the likes of LinkedIn, Yahoo, MySpace have provided cybercriminals with passwords aplenty and those passwords are used in these automated brute force login attempts.
Organizations that have discovered data breaches rapidly force password-resets to prevent criminals from gaining access to users’ accounts; however, stolen passwords can still be incredibly valuable. A study conducted by Microsoft in 2007 suggested that the average computer user has 25 accounts that require the use of a username and password, while Sophos suggests users have an average of 19 accounts.
Password managers can be used to help individuals remember their login credentials, but many people have not signed up for such a service. To remember passwords people just recycle them and use the same password over and over again. Cybercriminals are well aware of that fact and use stolen passwords in credential stuffing attacks on websites and mobile applications.
Shape Security suggests that for many enterprises, 90% of login traffic comes from credential stuffing attacks. Those attacks can be highly effective and since they are automated, they require little effort on the part of the attacker. A batch of passwords is purchased from any number of sellers and resellers on darknet marketplaces. A target site is identified and an automated script is developed to login. The criminals then scale up the assault by renting a botnet. It is then possible to conduct hundreds of thousands of login attempts simultaneously.
Many of the stolen credentials are old, so there is a high probability that passwords will have been changed, but not always. Many people keep the same passwords for years.
The success rate may be low, but the scale of the credential stuffing attacks gives cybercriminals access to hundreds of thousands of accounts.
Shape Security researchers suggest the success rate of these attacks is around 2%. To put this into perspective, if the passwords from the Yahoo data breach were used in credential stuffing attacks, which they almost certainly are, a success rate of 2% would give criminals access to 20 million user accounts.
There is certainly no shortage of passwords to attempt to use to gain access to accounts. According to the report, more than 3 billion username and password combinations were stolen by cybercriminals in 2016 alone. That would potentially give the attackers access to 60 million accounts.
These attacks are not hypothetical. During a 4-month observation period of just one major U.S. retailer in 2016, Shape Security discovered that 15.5 million attempted logins occurred. Even more worrying was that more than 500,000 of the retailer’s customers were using recycled passwords that had previously been stolen from other websites.
Additionally, as a recent report from SplashData has shown, weak passwords continue to be used. The top 25 list of the worst passwords in 2016 still contains very weak passwords such as 123456 and password. These commonly used passwords will also be attempted in brute force attacks. SplashData suggests as many as 10% of Internet users use at least one of the passwords in the top 25 worst password list.
These studies highlight the seriousness of the risk of recycling passwords and send a clear message to organizations: Develop mitigations to prevent the use of stolen credentials and ensure that password policies are developed and enforced.
Internet censorship laws in two U.S. states may be augmented, forcing Internet service providers and device manufacturers to implement technology that blocks obscene material from being viewed on Internet-connected devices.
North Dakota has recently joined South Carolina in proposing stricter Internet censorship laws to restrict state residents’ access to pornography. There is growing support for stricter Internet censorship laws in both states to block pornography and websites that promote prostitution, and it is believed that stricter Internet censorship laws will help reduce human trafficking in the states.
The new Internet censorship laws would not prevent state residents from accessing pornography on their laptops, computers and smartphones, as the technology would only be required on new devices sold in the two states. Any new device purchased would be required to have “digital blocking capability” to prevent obscene material from being accessed. Should the new Internet censorship laws be passed, state residents would be required to pay $20 to have the Internet filter removed.
The proposed law in North Dakota – Bill 1185 – classifies Internet Service Provider’s routers and all laptops, computers, smartphones, and gaming devices that connect to the Internet as “pornographic vending machines” and the proposed law change would treat those devices as such. The bill would also require device manufacturers to block ‘prostitution hubs’ and websites that facilitate human trafficking. If passed, the ban on the sale of non-filtered Internet devices would be effective from August 1, 2017.
Lifting of the block would only be possible if a request to remove the Internet filter was made in writing, the individual’s age was verified in a face to face encounter, and if a $20 fee was paid. Individual wishing to lift the block would also be required to receive a written warning about the dangers of removing the Internet filter.
The fees generated by the state would be directed to help offset the harmful social effects of obscene website content, such as funding the housing, legal and employment costs of victims of child exploitation and human trafficking. Fees would be collected at point of sale.
Device manufacturers would have a duty to maintain their Internet filter to ensure that it continues to remain fully functional, but also to implement policies and procedures to unblock non-obscene website content that has accidentally been blocked by filtering software. A system would also be required to allow requests to be made to block content that has somehow bypassed the Internet filtering controls. Requests submitted would need to be processed in a reasonable time frame. Failure to process the requests promptly would see the company liable to pay a $500 fine per website/webpage.
State Representative Bill Chumley (R‑Spartanburg) introduced similar updates in South Carolina last month, proposing changes to the state’s Human Trafficking Prevention Act. Both states will now subject the proposed bills to review by their respective House Judiciary Committees.