It has been reported by Hold Security that a Russian group has hacked 1.2 billion usernames and passwords belonging to more than 500 million email addresses. At this stage it is unknown what the attack vector was, but it is likely to be a combination of different methods including malware and app based attacks.
With such a vast amount of personal information being stolen, it is entirely possible that complete identity fraud can be carried out by the hackers, even without credit card details. Nowadays hackers actually get more value out of personal information as opposed to credit card details. In fact, one article even points out that Twitter account information is of more worth to a hacker than their credit card.
As we have seen in the news, especially with the European Central Bank Hacking, these types of attacks and the market for this information is growing and is almost becoming legitimised in some circles.
With this in mind, we have to look at what we are protecting here. Are we protecting the network or the data? It is clear that we need to protect the data and the applications that contain the data. It is not enough to just protect the network. We need to realise that we have to move our security approach to an application-centric security model. It is no longer good enough to protect the perimeter, or even the device. If the last 12 months have shown us anything, it is that these hackers are very resourceful. At the moment the applications, attacked via malware, zero day exploits and plain old application attacks, SQL injection etc, are the low hanging fruit. Until we fix this, we will see this market continue to grow.
It is also worth noting that these hackers, unless they are specifically interested in a specific company for espionage etc, will move onto a new target if their chosen one is too difficult to compromise. So in terms of protecting yourself, you only have to make your apps more difficult to compromise than your neighbours and you will be in a better position than you are today. There is no quick fix, but we need a change in how we perceive risk and what we choose to protect. Recent evidence and articles would suggest that we need to protect the applications.