The Gmail phishing scam, Android malware outbreak and WannaCry ransomware incident helped cybersecurity failures dominate headlines throughout the month of May.
Millions of devices were infected and millions of people began to see the true scope of destruction caused by cyber threats. Two weeks after the WannaCry outbreak, I interviewed Jason Lundy, senior vice president of strategic operations at Cyber adAPT, to discuss the prevalence of attacks like these.
He was surprised to see the amount of attention the stories were getting in the news but didn’t really consider the attacks very surprising. According to Lundy, these threats aren’t really anything new.
“So many people have jumped on the bandwagon so quickly, I’ve even got my dad phoning me about it,” he said. “People don’t understand how common this is. There’s vulnerabilities way beyond this that could have much more impact from a criticality perspective.”
WannaCry was one of the largest malware incidents on record and hit more than 300,000 computers in May. Despite the scope of the attack, this was not an isolated incident.
More than 4,000 ransomware attacks still happened each day during 2016. In May, about 36 million people were informed their Android device was infected by the popular mobile game “Judy.” And that massive Gmail phishing scam targeted up to one billion users.
While the increased press has raised the discussion of cybersecurity to everyday conversation, the frenzy has caused just as much of a problem as a solution.
“We’ve deliberately decided we’re not going down the route of doing outbound campaigning that says, ‘oh we can fix this.’”
Even though they can. Lundy explained there’s no point in emphasizing a solution to one vulnerability because users won’t understand the scope of protection necessary to secure devices and networks.
People should be focusing on creating a well-rounded, ever-evolving security solution. Companies don’t know they’re putting the security of their business, their employees and their customers in jeopardy.
“Organizations should be doing their due diligence around patching software that’s vulnerable,” Lundy said. “That was a known vulnerability, it’s not new. I think this is just the tip of the iceberg, and I think you’re going to be seeing more of this.”
May seems to be a month packed to the brim with large-scale attacks. But these new issues shouldn’t push existing troubles aside. DDoS attacks are still capable of shutting down large portions of the internet, and the layman’s internet security culture hasn’t changed much if the Gmail attack is any evidence.
Some of the largest threats, however, aren’t from viruses on suspicious websites or a suspicious ATM. Industries like healthcare are often more concerned with treating patients and organizing processes than they are with securing patient information.
“Healthcare organizations are easy targets. The data out there is very rich in terms of black market realization. If you steal [protected health information] data, you can market that data over and over and get significant money from that.
“It’s not like stealing credit card details where typically it’s the bank that tells me, they cancel it on my behalf then I get a new one. If my social security number is stolen, that’s a different ballgame. There’s much larger ramifications and the data’s worth 10, 20 times that. It makes them [an] easy and rich target environment.”
If someone has your social security number, they can do a lot more than max out your credit card.
Thieves can open new bank accounts and credit cards, never pay them back and destroy your credit. They can use healthcare on your behalf, altering your record and running up fees. They could easily file bogus tax returns and get you audited. They could even pretend to be you if they were arrested for a crime, skip bail and, as a result, get you arrested.
And it’s not just healthcare providers that are targets. Any organization you’ve given your SS number or other sensitive information is a high-risk target.
Those organizations aren’t usually putting you at risk on purpose, but their practices might be.
“From time to time, things like this are going to pop up because organizations can’t patch software in the right manner. Some of this is based on bandwidth and resources versus having perfect hygiene around security ops. Some of it is laziness, some of it is legacy where companies don’t have the resources, the time, or the money or the budget.”
These issues are all over the place. Companies that let users bring their own laptops and phones onto a network can be easily accessed by attackers if the software on those devices isn’t updated. Sharing network details with less-secured companies and customers can be a huge risk as well.
Businesses should do all they can to secure and update every endpoint accessing their network. Anything less creates an enormous risk with endless potential consequences.
“Last week, [I] spoke to a special ops guy at the airport in Dallas who was on his way to Bahrain,” Lundy said. “He’s been a bomb disposal expert for 15 years. He has four workstations in [the] office he works out of and this memo comes out saying, ‘We’re going to update workstations,’ and they can update two machines. He said, ‘But I’ve got more than two.’ They just say, ‘We don’t have the budget to do more than two machines, so just try to not use those other ones.’”
Lundy said this instantly becomes a massive vulnerability for the top-secret, clearance-required information the bomb disposal expert has access to. The unpatched software is basically a beacon calling hackers to infiltrate your system. Once they find the devices that aren’t securely updated, they can access the endpoint even when it’s not in use.
“It’s insane, but that’s the world we live in and that’s why you see things like WannaCry.”