David Higgins, EMEA Technical Director at CyberArk
2022 has already seen multiple major cyber attacks. As companies and security experts take stock of the implications of ongoing breaches, though, it is also important to take a step back and reflect on the lessons of last year.
In 2021, a number of severe cyber attacks, such as the Colonial Pipeline attack, dominated the media and conversations, while many others were overshadowed by competing news or simply brushed aside. What is apparent, though, is that many of the breaches which did not make the headlines deserve a second review, as most still hold key information and lessons which can assist in the fight against threat actors.
In my opinion, the three most significant cyber attacks from the last year which warrant a second look are:
Unwarranted access showed us the dark side of IoT
With billions of linked devices and a huge attack surface, the Internet of Things (IoT) poses a serious cybersecurity dilemma for enterprises.
This weakness was exploited last year when hackers broke into Verkada, a cloud-based video security service. Using legitimate admin account credentials found exposed on the internet, they were able to browse live feeds from over 150,000 cameras installed in factories, hospitals, classrooms, jails and other locations. They were also able to access sensitive material belonging to Verkada software clients, illustrating that IoT devices are just as vulnerable as any other sensitive network asset.
It was eventually revealed that over 100 personnel inside the company had “super admin” rights, which gave them access to thousands of client cameras – highlighting the hazards of over-privileged users. Fortunately, the incident resulted in minimal damage, but things could have turned out much worse.
While this attack revealed how dangerous unprotected IoT may be, it also fuelled continuing privacy disputes about how surveillance technologies should be utilised, how sensitive data should be retained, and how access to this data should be handled.
A widespread critical infrastructure issue
Infrastructure attacks are where virtual danger meets reality – with 2021 seeing an attacker increase the sodium hydroxide content in a Florida city’s water supply by 100%. The attacker managed this by taking remote control of an operator’s station and accessing the plant’s applications through it. Although the levels were quickly corrected by vigilant staff, this incident highlights how impactful cybersecurity issues within critical infrastructure can be.
A lesson in least privilege access
In a different style of leak, last year attackers also went after the proprietary source code at Twitch, in a stated attempt to “encourage greater disruption and competition in the online video streaming business.” They managed to leak all of the source code for the platform, alongside 125GB of other sensitive data, including how much their top users make, which made for some dramatic headlines.
On a technical level, threat actors were able to exploit a “system configuration change that allowed improper access by an unauthorised third party.” Because Twitch operates in a dynamic cloud environment, managing all of the moving pieces is difficult, and loopholes like this are relatively common in cloud-based setups. The cloud’s dynamic nature makes traditional change-control techniques for maintaining a secure configuration extremely difficult to apply.
As often happens after a high-profile leak, Twitch suffered an immediate loss of users, despite later stating that the breach did not reveal passwords or banking information. Global web searches for ‘how to remove Twitch’ leapt by 733% on the day of the attack, as privacy-conscious users worked to limit personal damage. This incident highlighted the difficulties businesses face around cloud security, and proved the need for good privileged access management practices based on zero trust principles to minimise risk and fight both internal and external threats.
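Two of the lessons above, the over-privileged “super admin” accounts at Verkada and the unreviewed configuration change at Twitch, come down to the same two routine checks: who holds global rights they do not need, and what has drifted from the approved configuration. The following is an added illustration, not code from the article or from CyberArk, Verkada or Twitch; the account records, role names, site names and configuration keys are all constructed for the example.

```python
"""Added example (not from the article): a least-privilege audit over a
constructed account list, plus a configuration-drift check against an
approved baseline. All records, roles and config keys are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Account:
    user: str
    role: str                 # e.g. "super_admin", "site_admin", "viewer"
    sites: frozenset = field(default_factory=frozenset)  # sites the user actually needs
    last_login_days: int = 0  # days since the account last signed in


# Constructed sample accounts (not real data)
ACCOUNTS = [
    Account("alice", "super_admin", frozenset({"*"}), 2),           # global need, active
    Account("bob", "super_admin", frozenset({"factory-1"}), 45),    # global role, single-site need
    Account("carol", "super_admin", frozenset({"hospital-3"}), 120),  # global role, single-site need, stale
    Account("dave", "site_admin", frozenset({"factory-1"}), 5),
    Account("erin", "viewer", frozenset({"school-2"}), 1),
]


def super_admin_count(accounts):
    """How many accounts carry the global role at all; the number a review should question."""
    return sum(1 for a in accounts if a.role == "super_admin")


def over_privileged(accounts, stale_days=90):
    """Return [(user, [reasons])] for super_admin accounts that should be scoped down.

    An account is flagged when it holds the global role but only needs
    specific sites, or when it has not been used within `stale_days`.
    """
    findings = []
    for a in accounts:
        if a.role != "super_admin":
            continue
        reasons = []
        if "*" not in a.sites:
            reasons.append("global role but site-scoped need")
        if a.last_login_days > stale_days:
            reasons.append(f"unused for {a.last_login_days} days")
        if reasons:
            findings.append((a.user, reasons))
    return findings


# Constructed approved baseline and a current snapshot that has drifted from it
BASELINE_CONFIG = {
    "public_access": False,
    "mfa_required": True,
    "allowed_ips": ["10.0.0.0/8"],
}
CURRENT_CONFIG = {
    "public_access": True,                     # drifted: now world-reachable
    "mfa_required": True,
    "allowed_ips": ["10.0.0.0/8", "0.0.0.0/0"],  # drifted: allow-list opened up
}


def config_drift(baseline, current):
    """Return {key: (baseline_value, current_value)} for every key that differs
    or is missing on one side, so a change-control review sees exactly what moved."""
    drift = {}
    for key in set(baseline) | set(current):
        b, c = baseline.get(key), current.get(key)
        if b != c:
            drift[key] = (b, c)
    return drift


if __name__ == "__main__":
    print("super admins:", super_admin_count(ACCOUNTS))
    for user, reasons in over_privileged(ACCOUNTS):
        print(f"  scope down {user}: {', '.join(reasons)}")
    for key, (b, c) in sorted(config_drift(BASELINE_CONFIG, CURRENT_CONFIG).items()):
        print(f"  drift {key}: {b!r} -> {c!r}")
```

Run on the constructed data, the audit reports three super admins, flags bob and carol for scoping down (carol on two grounds), and the drift check surfaces the two settings that changed, `public_access` and `allowed_ips`, while leaving the unchanged `mfa_required` out of the report. In practice the account list would come from the identity provider and the baseline from version-controlled configuration, and both checks would run on a schedule so a change like the one Twitch described is caught before it is exploited.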
Keeping up with cyber attacks is always going to be difficult, as techniques evolve and the number of threat vectors increases – but evaluating the past can help us learn essential lessons for the future. While these three cyber attacks may have been left in the dust, the cyber fight continues, and the better informed and prepared organisations are, the better their chances of winning.