As 2017 draws to a close, it’s a good time to reflect on the year that was in cyber-security. In many respects, this was a landmark year for cyber-security, with the scale of attacks and breaches reaching new heights as organizations struggled to stay safe.
A number of key cyber-security events took place in 2017—involving ransomware, including WannaCry and NotPetya; misconfigured Amazon cloud storage disclosures; new vulnerabilities such as KRACK; and mega-breaches such as the Equifax attack.
Many of those big cyber-security incidents had a common root cause: the lack of patching.
A year ago, ransomware was noted as a rising trend in eWEEK’s list of cyber-security predictions for 2017. This year, ransomware caused more damage and cost more money than ever before.
On May 12, the WannaCry ransomware worm first struck organizations around the world, including hospitals in the United Kingdom, which were forced to shut down. Months after WannaCry first showed up, it was still having an impact and was responsible for a Honda Motor plant shutdown in June.
The root Microsoft vulnerability that helped to enable WannaCry was allegedly created by the National Security Agency and then stolen by a group known as the Shadow Brokers. For its part, Microsoft patched the issue in March with its MS17-010 advisory. However, not every organization in the world deployed the patch, and those that did not were left exposed to the WannaCry attack.
The NotPetya ransomware attack that emerged in June was initially thought to be more limited than WannaCry, but that didn’t turn out to be the case. As with WannaCry, a patch was available that, if applied by organizations, could have mitigated the damage from the ransomware. A number of multinational organizations, including TNT Express, Reckitt Benckiser and Maersk, reported financial losses as a result of NotPetya-related service disruptions. The total losses from NotPetya could exceed $1 billion.
The MS17-010 vulnerability that enabled both WannaCry and NotPetya wasn’t the only major flaw in 2017 that had a significant impact.
The open-source Apache Struts framework reported a remote code execution vulnerability identified as CVE-2017-5638 on March 6. Days later, the vulnerability was already being actively exploited by attackers, even though a patch was available.
On Sept. 7, months after the original Apache Struts disclosure, credit reporting agency Equifax reported that it was the victim of a data breach impacting 145.5 million Americans. The root cause for the Equifax breach was identified by the company’s management as being the CVE-2017-5638 Struts vulnerability.
It’s still not known why Equifax’s IT team was unable to patch the Struts issue in its system before the company was exploited.
Although the impact of the Equifax breach was far reaching, no single breach disclosure in 2017 was larger than the one made by Yahoo on Oct. 3. On that date, Yahoo revealed that a data breach impacted all 3 billion of its users in 2013.
Yahoo had first publicly disclosed the breach in December 2016, reporting at the time that 1 billion users were at risk. Yahoo is no longer an independent company and, as of June 13, is now owned by Verizon as part of a $4.5 billion deal.
Cloud Security Breaches
This year was also noteworthy for the high volume of data breaches directly tied to organizations leaving cloud storage instances publicly available.
Among the many different organizations that accidentally left private data in the public cloud were Verizon, the Republican National Committee and Accenture. The root cause in many of the incidents was Amazon S3 storage buckets that were not properly configured to limit access only to authorized users.
Amazon has taken multiple steps over the course of 2017 to improve S3 security, including launching the Macie machine learning service that automatically detects when personally identifiable information is stored in S3. Amazon also is providing improved configuration options for S3 to reduce the risk of unintentionally making private data publicly accessible.
Among the other high-impact vulnerabilities that made headlines in 2017 were the KRACK WiFi vulnerabilities that were disclosed on Oct. 16. KRACK is an acronym for Key Reinstallation Attacks and could enable an attacker to bypass WPA2 WiFi security.
Blueborne is a set of Bluetooth vulnerabilities first disclosed on Sept. 12 that exposed nearly all operating systems to risk. The Broadpwn vulnerability also had a wide impact, enabling attackers to execute code on all devices with Broadcom WiFi chips, which include all iOS and many Android devices.
Patches for all major operating systems are now available for KRACK, Blueborne and Broadpwn. That said, if the experiences with MS17-010 leading to WannaCry and the CVE-2017-5638 Struts vulnerability leading to the Equifax breach are any indication, not all organizations patch all vulnerabilities. Don’t be surprised to see vulnerabilities that were disclosed in 2017 still leading to breaches in 2018 and beyond.
Patching was clearly an issue in 2017, as it has been in past years. As organizations make plans to improve cyber-security for the new year, it is incumbent on them to learn from the mistakes of others and make sure everything is properly patched.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.