2016 Cyber Security Year in Review

Andy Hull / December 30, 2016
2016 Cyber Security Year in Review

2016 had so many things going on. It certainly was an interesting year. In cyber security, we saw these top 5 activities in the news: 

  1. Phishing and drive-by malicious web pages dominated malware distribution 

  2. Mobile malware on the rise and is now a meaningful threat to corporate information 

  3. Ransomware was prolific 

  4. Stolen password/account databases were exposed regularly 

  5. Data theft from insider accounts with authorized access to sensitive data more prevalent 

  6. Distributed Denial of Service (DDoS) attacks using weaknesses in IoT devices 

From an HBS security practice perspective, we continue to see more of the same.  While new threats are evolving all the time, we find that many organizations still don’t have some of the basics covered.  The top 10 issues found this year during security assessments that HBS conducted consisted of: 

  1. Weak passwords and account privileges 

  2. Weak patching for both operating system and applications 

  3. Application issues caused by weak coding practices (Cross Site Scripting, SQL Injection, etc.) 

  4. Inadequate logging and auditing to monitor, detect and respond to attacks 

  5. Weak encryption practices 

  6. Weak outbound data and activity monitoring and blocking 

  7. Inadequate security policies, standards, and procedures 

  8. Limited capabilities to identify all devices and applications on the network 

  9. Inadequate security personnel staffing and training 

  10. Inadequate workforce security awareness training programs 

Our customers face so many challenges when it comes to investing in and maintaining information security.  While a cliché, the first step truly is admitting, or at least being open to the idea, that you might have a problem.  When it comes to security, you should be thinking trust and verify.  It’s OK to hope for the best, but plan for the worst.  The best way to do that is to; 

  1. Document your controls and educate your workforce on why and how they are needed in your quest to protect company and customer information.  This includes people, process, and technology-based controls used to detect and protect you from security related events. 

  2. Review the security controls you believe to be in place to make sure they are working as designed.  Control reviews are ongoing and should be performed a regular and scheduled basis. 

  3. Compare your controls with best practices.  There are several frameworks out there to guide you, based on your industry or legal obligations.  Heartlands security practice can help point you in the right direction, if needed. 

  4. Involve senior business leadership in information security decisions.  After all, security is a business requirement, not an IT requirement.  Minimally, you should conduct an annual meeting with leadership and/or board members.  This meeting should be used communicate strengths and gaps of the security program, so that the appropriate decisions can be made balance the need for security with the other business needs. 

Andy Hull
About the Author


Andrew Hull
Information Security Officer

Andrew has over 25 years of information technology and security experience. While he has specialized in the, Financial, Healthcare, and CPG verticals, he has both the breadth and depth of experience needed to provide end-to-end security solutions to nearly any size company in any industry.  He is a strong leader who has led, developed, and managed technology and security teams, strategy, planning, and testing for several organizations.  Andrew has helped many companies design and implement the necessary security controls, policies and governance structures, as well as tactically manage threats, vulnerabilities, and incidents.

Comments
Blog post currently doesn't have any comments.