Whether it’s your credit card at Target, your laptop at the airport, or just the phone in your pocket, 2014 was a heck of a year for cybersecurity. HP has officially published its annual Cyber Risk Report, and the findings echo the concerns computer security researchers and analysts of raised all year.
In this summary of the company’s 74-page analysis covering nearly every aspect of the security landscape as it stands today, we’ll give you a detailed breakdown of what HP believes were the biggest infections of the past year, the problems you should watch out for today, and which direction threats might come from in 2015.
Strap in, people. 2015 is going to be a bumpy ride.
The last few years have been filled with stories of hackers swiping credit card information off individual computers using tools like key-loggers, screen-shotters and good old fashioned trojans. In 2014, though, the hacking underground figured out to tap into a much larger cache of data; retail stores. These companies may be a bit harder to attack than a home PC, but they provide a “target-rich” environment once compromised.
Target, Home Depot, and Lowe’s are just a few of the major retailers that lost millions of credit cards due to what’s been dubbed POS (point-of-sale) malware. The fresh technique exploits vulnerabilities that exist on cashier systems running software based on operating systems like Windows XP and Linux, scraping the RAM modules of the machines in order to skim the details of every card that’s swiped through the system.
HP’s report drives home the severity of the situation, saying “in the Target breach, the details of over 40 million credit and debit cards and the information of 70 million customers were stolen. In the case of Home Depot, 56 million credit and debit card account details were taken. And these are only the biggest incidents.”
Many of the most successful campaigns ran for months at a time before a company’s internal IT team noticed the anomaly, and as such, the previously secure systems we trusted our financial data to have become a breeding ground for some of the most inventive malware permutations to date.
In the case of Home Depot, 56 million credit and debit card account details were taken.
The Cyber Risk Report also pointed the problem of news cycle fatigue. HP noted that the attack on Target, which came first, grabbed the lion share’s of attention, while later hacks received much less press. This could add to the risk, as customers may never know about an attack if it’s not covered in the news.
As data about these breaches become public, HP believes that retailers will begin devoting more resources to combating the problem as a whole. Whether or not this strategy will be successful over time remains to be seen.
While mobile malware continues to be one of the most rapidly growing sections of the criminal underground’s toolbelt, the software required to fight, mitigate, and detect these infections has thankfully kept pace with their continued rise in popularity.
HP found that Android, as usual, led the pack of infected handsets by several cell phone lengths, with Apple and Windows following behind in a distant second and third place. HP surmises this drastic difference in numbers between the two top competitors breaks down to simple statistics. Android makes up about 70 percent of the total mobile marketplace while Apple, though popular, only fills around 28 percent, with Windows rounding out the last two.
The malware problem is complicated by Apple’s and Google’s disinterest in allowing programmers to gain special permissions to the root structures of the code. This means that although third-party apps are capable of detecting a malware on a phone, actually doing something about it is impossible unless the device is rooted or jailbroken.
That said, according to HP the high detection rates could be enough to give customers the upper hand in this continuously evolving fight. The report states that “current anti-malware products for Android, although being rather rudimentary in terms of available technology and detection techniques compared to their Windows counterparts, are quite effective against known Android malware, with detection rates over 99 percent achievable by the majority of reputable vendors.”
While it’s unfortunate that making the problem known to the user is as far as these programs can go for now, HP thinks that an informed user is better than nothing.
Much like POS malware, “ransomware” is a term that wasn’t well known before 2014. This growing threat works by infecting a user’s computer or mobile device, and encrypting the files contained within.
After that they wake up to find their photos, documents, and data have been “locked up” behind a set of instructions stating that if they don’t pay a pre-determined fee to the hackers responsible in anywhere from 24 hours to a week, everything they hold near and dear will be deleted, never to be seen again.
Ransomware has yielded its makers a considerable amount of cash.
You may have already heard of some of the most prevalent cases including CryptoLocker, CryptoWall, and Reveton, all of which yielded their makers considerable amounts of cash from desperate people who hadn’t backed up their most important files prior to being attacked. HP says that due to their consistent profitability “ransomware threats are here to stay, and organizations must have a sound backup and restore policy in place for all business data in order to mitigate the potentially destructive effects of a successful attack.”
While the concept seems preposterous on the surface, the numbers don’t lie. HP says the conductors of these schemes have profited millions of dollars over the past year alone, and with so much money being pulled out of people’s pockets with this malicious tactic, it’s unlikely we’ll see the rate of these assaults slow down anytime soon.
Internet of Things
If there’s one area of security that HP couldn’t find a way to put a positive spin on, the Internet of Things would be it. As one of the fastest growing sectors of consumer technology over the past several years, IoT presents a whole new host of problems that current anti-virus suites aren’t prepared to deal with.
The report from HP corroborates a story we ran just last week, which declared that while the traditional anti-virus has served a vital purpose over the past two decades, its days are numbered. As we enter 2015 and beyond, new solutions will be needed as Internet connected devices like thermostats, TVs, and fridges continue to surge in popularity.
HP company lays out the problem in no unsure terms, saying “the endpoint wireless infrastructure [for IoT] is still in its infancy, and unfortunately a lack of collaboration in the industry during its development failed to create an open ecosystem that would accommodate heterogeneous devices and communication protocols.”
Only time will tell what this lack of coordination and system integration between the hundreds of different developers, programmers, and manufacturers might mean for the emergence of malware, though the outcome doesn’t look too promising. The last time so many different companies tried to jump into the same space without cooperating with each other on standards for security, we ended up with a million mobile phones being infected at a rate of thousands per day.
While much of what we gleaned from HP’s report was filled with the gloom and doom you’d expect, the company is optimistic about the chances to fight back, saying that “with increased cooperation and a thorough understanding of the imminent threats, we can continue to increase both physical and intellectual costs an attacker must spend to successfully exploit a system.”
Now more than ever before there is a range of privacy and encryption options available to the average consumer that they can use to protect themselves from the threats mentioned above. The trick is to start using that capability proactively, and learn from the mistakes of the past to create a better future for the Internet users of tomorrow.
We live in an era filled with possibilities, and if we play our cards right, maybe the the outlook for the Cyber Risk Report for 2016 will be just a little bit brighter than the year before.