It’s a new year and time to look back at the year that was in cyberattacks.
Perhaps the biggest story of the year is a non-story: the fact that we’re still talking about the same types of breaches we have been for a few years now. This proves that prevention measures are not yet sufficient and that eCommerce and hospitality websites are still lucrative targets. These sites’ large pools of clients mean the financial gain from breaching even a single site can be very rewarding.
For their part, banks have become better at mitigating the direct pecuniary impact of these breaches for their customers, and are shutting off exposed credit cards faster than ever. Such vigilance, however, only serves to increase the economic incentive for attackers to continue to look for new sites to breach, and does nothing to prevent or minimize the exposure of personally identifiable information (PII) that becomes available to the black market communities.
Flavor of the (year?)
The general types of attacks that continue to be problematic for eCommerce businesses are D/DoS, brute force attacks, SQLi, directory traversal, and account hijacking. A relatively new entry among the attack types is malvertising, where third-party advertising software inadvertently injects malware into an otherwise legitimate site. (Forbes was recently subject to a high-profile attack of this type when they forced users to turn off ad blocking software to access the site.)
The risk with malvertisement attacks is that they are hard to track down, since advertisements are generally handled by third parties. They exploit the name recognition and trust built up between the brand name of the site displaying the ads and the user; this increases the chance that the user will lower their guard. It also damages the brand of the site when malvertisement is discovered.
The low cost of D/DoS attacks and malvertisements (relative to the potential reward) means that we can expect these types of attack to continue for as long as it is economically viable.
What’s in a trend?
According to Hackmageddon, 2015 marked a persistent increase in cyberattacks over the previous year, with the notable exception of October, where attacks showed a small decrease year over year. From this we can determine that while certain attack vectors may change, organized crime syndicates continue to realize profits from cybercrime with relatively little downside, so from the criminals’ perspective there is little incentive to stop. The fact that attacks are becoming more sophisticated and cheaper to execute through distributed computing, coupled with the relatively low risk of being apprehended by law enforcement, will only embolden criminals until the general public begins to place a higher priority on security.
The only way to combat dedicated attackers is with a comprehensive security plan and properly configured logging tools that enable visibility into your site traffic. For our part, we at Yottaa leverage our Traffic Analytics platform to generate real-time visibility into traffic to client sites and offer tools to mitigate the traffic right from the dashboard. Our team of support engineers proactively monitors our client sites for suspicious traffic, notifies clients if any is found, and provides potential mitigation techniques.
I’ll part with the thought that maybe the critical mass has been reached; after such devastating breaches recently, maybe this will be the year that layered defenses across the major web industries strengthen to the point that the economics cease to work for some of the more common attack vectors and techniques. Great as that would be, we must suggest bracing for another year of headline-making attacks.