Will more "historical" data breaches be revealed in 2017 and beyond? Data breach expert Troy Hunt is optimistic that such revelations will become rare as large businesses operating online improve security.
This year, however, has seen a long list of so-called "historical" mega-breaches coming to light several years after the attacks took place and attackers began cashing out stolen information. Dropbox, LinkedIn, MySpace and Yahoo were among the breached organizations that initially either failed to realize they'd been hacked - or failed to realize the extent of the breach.
Since then, many of those big organizations have overhauled their security and especially password-handling processes. Hunt says it's tough to imagine that there are many large websites left that, for example, have suffered a data breach that will only come to light in another four or five years.
A Bigger Concern
What does concern Hunt, however, are the security practices of smaller and mid-size organizations, which may remain oblivious to the risks they face by not devoting sufficient time and resources to information security.
For these smaller organizations that don't have hundreds of millions of records to protect, sufficient security spending remains challenging. "It's going to be harder for them to justify the spend to protect themselves," Hunt says in an interview with Information Security Media Group.
At the same time, however, many such organizations continue to rely on poorly secured databases and custom-built applications, as well as outdated online forum software with known vulnerabilities. Such systems are regularly targeted by hackers seeking individuals' personally identifiable information that they can sell on underground cybercrime markets.
In this interview, Hunt also discusses:
- What this year's historical mega-breach revelations portend for the future;
- The never-ending battle against credential reuse;
- The challenges involved in using multistep verification (for example, via SMS) and multifactor systems such as Authy.
Hunt runs the free Have I Been Pwned? breach notification service. He's also an author for tech learning site Pluralsight and a Microsoft regional director and "most valued professional" specializing in online security and cloud development. Hunt, a frequent speaker at conferences around the world, also runs workshops focusing on how to build more secure software within organizations. He previously served in a variety of technology architecture roles at Pfizer and was a technical leader for ICE Interactive and a senior developer at Proxicom.