Most IT security specialists shed no tears as the curtain lowered on 2014. It was a dark year, with massive data breaches, unprecedented malware, and attacks on systems thought to be secure. Now that we have officially moved well into 2015, it’s important to take stock of the lessons the IT help desk can take into the future.
1. Goto Fail: IT Can Learn That One Line of Bad Code Could Be Ruinous
Finally, Apple plugged the hole that disallowed the Goto Fail attack to further cause mêlée among iPods, iPhones, and iPads for months. The bug in Apple’s devices allowed attackers to reroute searches in an infected device to any website of their choosing, including sites where malware, phishing, and other nefarious activities were taking place. As it so happens, one single line of code in the Apple software made these attacks possible. What is the take away for IT? Every line of code matters.
2. Thumb Drive Malware: IT Can Learn That Firmware Can Be Compromised
In July 2014, reports began circulating that the firmware of thumb drives could be infected with malware, in turn infecting computers in which the drives were used without the user even being aware. The takeaway for IT is that firmware is no longer to be automatically trusted, nor are the devices. This should add credence to the arguments of any IT professional who is trying to convey concerns about BOYD policies to management.
3. Heartbleed: IT Can Learn That Updates are Crucial for Security
Heartbleed was recognized and addressed rather quickly, yet security experts expect that this malware will be around for quite some time. Why? Because many IT departments and individual users still haven’t updated their systems and antivirus software to a version later than the release of Heartbleed. The takeaway for the help desk is that updates are important. This includes updates for operating systems as well as malware prevention software.
4. Shellshock/Mayhem: IT Can Learn That Even Linux Isn’t Immune
As attacks on the most prevalent operating system Windows became profuse, many switched to Linux environments, as Linux is much less frequently targeted for such attacks. In fact, many Linux users got quite cocky about their invulnerability as their Windows counterparts fell victim to attack after attack. But in 2014, attacks on Linux systems increased from fewer than one attack per year to more than three notable attacks in a single year. The worst of these was Shellshock (sometimes referred to as Mayhem), which proved that even the invincible Linux systems were, indeed, susceptible to malware. Even in a Linux environment, the time for running systems without malware protection, robust firewalls, and other protections has come to an end.
5. The Sony Smearfest: IT Can Learn That No Business is Immune
In case you were trapped under a rock, Sony was hit by a massive attack which resulted in tons of sensitive information being stolen from their systems and splashed across the Internet like pool water after a cannonball competition. What does this teach? No system is immune. IT is used to hackers going after big data sets that can yield lucrative consumer information, as well as certain companies targeted in the name of activism, such as environmentalists going after oil companies. The Sony hack proved that any business can gain some enemies, even when your main gig is entertaining folks.
6. Data Breaches Galore: IT Can Learn That Data Security is More Important Than Device Security
It would almost be easier to list the top companies that didn’t have some type of data breach in 2014: eBay, Michael’s, and several notable government agencies (on both the federal and state levels) fell victim to data breaches. What do these incidents teach the help desk? It might be advisable to focus more on securing data than securing devices. Since the firmware and operating systems IT depends on to keep systems secure are obviously not as impervious as once thought, it might be time to shift focus onto making sure that even if devices or systems are breached, the data remains impenetrable.