Not a week went by in 2015 without a major data breach, significant attack campaign, or serious vulnerability report. Many of the incidents were the result of disabled security controls, implementation errors, or other basic security mistakes, highlighting how far organizations have to go in nailing down IT security basics.
But looking beyond the garden-variety attacks and vulnerabilities lends great insight into the future of malicious activity and how to defend against it. And 2015 had its share of intriguing invasions, each of which highlighted modified techniques that lead to new forms of breaches or pinpointed areas in need of new defenses. The past year saw cyber criminals adopting innovative approaches and state-sponsored actors becoming bolder. Motivations shifted, with financial gain no longer the sole reason for launching an attack. Inflicting physical damage, stealing trade secrets, hacking as a form of protest -- 2015 was a year in which malicious activity served many ends.
The increasingly interconnected world means bad guys can cause a lot of damage; more important, many malicious actors now have the skills and means to carry out chilling attacks. Below is a roundup of some of the most significant incidents of the past year, each of which pushes the overall security conversation further, showing new paths and needs for defense. Which ones did we miss?
Bitcoin under barrage
Bitcoin -- and the idea of cryptocurrency in general -- captured mainstream attention this year, in part because of nefarious actors who used the platform as cover for payment. Ransomware gangs have demanded payment in bitcoins before unlocking victims’ files and folders, and blackmailers have demanded bitcoins in exchange for not launching DDoS attacks against websites. But bitcoin made security headlines several times in 2015 for a different reason: Thieves kept stealing bitcoins ... lots of them.
European exchange Bitstamp suspended trading after discovering one of its operational bitcoin storage wallets was compromised in early January. The exchange is believed to be the world’s third busiest and handles approximately 6 percent of all bitcoin transactions. About 19,000 bitcoins, or roughly $5 million, were stolen at the time. That wasn’t the only bitcoin attack, as China-based exchange BTER reported in February that 7,170 bitcoins, or roughly $1.75 million, were stolen from its cold wallet system. Thieves stole 10.235 BTC, or roughly $2,500, from bitcoin startup Purse in October.
Consider it a twist on the traditional bank heist: Instead of looting bank accounts, exchanges are raided. In addition to showing there is real financial value associated with the virtual currency, the thefts highlighted the need “for an internationally recognized security standard” for bitcoin, said Florindo Gallicchio, director of information security in the Optiv Office of the CISO. In February, the Cryptocurrency Certification Consortium (C4) proposed 10 standardized rules for the creation, storage, audit, and use of bitcoins, as part of the Cryptocurrency Security Standard (CCSS).