As 2017 draws to a close, it’s a good time to reflect on the year that was in cyber-security. 2017 was a landmark year in many respects, with the scale of cyber-attacks and breaches reaching new heights as organizations struggled to stay safe.
2017 will be remembered in future years for a number of key cyber-security events: ransomware including WannaCry and NotPetya, misconfigured Amazon cloud storage disclosures, new vulnerabilities like KRACK, and large mega-breaches such as Equifax.
The big security incidents of 2017 largely shared a common root cause as well, with lack of patching typically identified as a primary reason for a given data breach.
Ransomware was an issue before 2017 and was noted as a rising trend in eWEEK’s list of cyber-security predictions for the year, back in December 2016. In 2017, ransomware caused more damage and cost more money than ever before.
On May 12, the WannaCry ransomware worm first struck organizations around the world, including hospitals in the United Kingdom, which were forced to shut down. Months after WannaCry first showed up, it was still having an impact, including being responsible for a Honda Motor Company plant shutdown in June.
The root Microsoft vulnerability that helped to enable WannaCry was allegedly created by the National Security Agency and then stolen by a group known as the Shadow Brokers. For its part, Microsoft patched the issue in March 2017 with its MS17-010 advisory. Despite that fact, not every organization in the world actually deployed the patch, leaving them exposed to the WannaCry attack.
The NotPetya ransomware attack that emerged in June 2017 was initially thought to be more limited than WannaCry, but that didn’t turn out to be the case. NotPetya, like WannaCry, could also have been prevented and mitigated by organizations deploying the MS17-010 patch. Several multi-national organizations, including TNT Express, Reckitt Benckiser and Maersk, all reported financial impact and losses as a result of NotPetya-related service disruptions. The total losses from NotPetya could exceed $1 billion.
While the MS17-010 vulnerability enabled both WannaCry and NotPetya, there was at least one other major vulnerability in 2017 that had significant impact.
The open-source Apache Struts framework reported a remote code execution vulnerability identified as CVE-2017-5638 on March 6. Days later, the vulnerability was already being actively exploited by attackers, even though a patch was available.
On Sept. 7, months after the original Apache Struts disclosure, credit reporting agency Equifax reported that it was the victim of a data breach impacting 145.5 million Americans. The root cause for the Equifax breach was identified by the company’s management as being the CVE-2017-5638 Struts vulnerability.
It’s still not entirely clear why Equifax’s IT team was unable to patch the Struts issue in its system before the company was exploited.
Though the impact of the Equifax breach was far-reaching, no single breach disclosure in 2017 was larger than the one made by Yahoo on Oct. 3. Yahoo revealed that all three billion of its users were impacted by a data breach in 2013.
Yahoo had first publicly disclosed the breach in December 2016, reporting at the time that one billion users were at risk. Yahoo is no longer an independent company and as of June 13 is now owned by Verizon as part of a $4.5 billion deal.
Cloud Security Breaches
2017 was also noteworthy for the high volume of reported data breaches directly tied to organizations leaving cloud storage instances publicly available.
Among the many different organizations that accidentally left private data in the public cloud were Verizon, the Republican National Committee and Accenture. The root cause in many of the incidents was Amazon S3 storage buckets that were not properly configured to limit access only to authorized users.
Amazon has taken multiple steps over the course of 2017 to help improve S3 security, including launching the Macie machine learning service that automatically detects when personally identifiable information is stored in S3. Amazon also has provided improved configuration options for S3 to reduce the risk of unintentionally making private data publicly accessible.
Among the other high-impact vulnerabilities that made headlines in 2017 were the KRACK WiFi vulnerabilities that were first disclosed on Oct. 16. KRACK is an acronym for Key Reinstallation Attacks and potentially could enable an attacker to bypass WPA2 WiFi security.
Blueborne was a set of Bluetooth vulnerabilities first disclosed on Sept. 12 that exposed nearly all operating systems to potential risk. The Broadpwn vulnerability also had wide impact, potentially enabling an attacker to execute code on all devices with Broadcom WiFi chips, which include all iOS and many Android devices as well.
Patches for all major operating systems are now available for KRACK, Blueborne and Broadpwn. That said, if the experience with MS17-010 leading to WannaCry and the CVE-2017-5638 Struts vulnerability leading to the Equifax breach is any indication, not all organizations patch all vulnerabilities. Don’t be surprised to see vulnerabilities that were disclosed in 2017 leading to breaches in 2018 and beyond.
Patching was clearly an issue in 2017, as it has been in past years. As organizations look to 2018 and make plans to improve cyber-security for the new year, it is incumbent on them to learn from the mistakes of others and make sure everything is properly patched.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.