Cybercriminals showed no signs of letting up last year. Although retailers didn’t report any major data breaches over the holiday season, one of the largest web companies in the world, Yahoo, discovered that hackers had compromised 1 billion credentials under its purview.
What did we learn from data breaches in 2016 and how can we use that knowledge going forward?
Hackers are taking aim at the Internet of Things
Last year, we predicted that 2016 would see the first high-profile security incidents involving IoT deployments. We had IoT devices in mind as part of an attack vector for a data breach; what actually happened is that hackers leveraged hundreds of thousands of smart devices to launch a distributed denial-of-service attack on Dyn’s managed Domain Name System (DNS) infrastructure.
According to a statement from the service provider, Dyn experienced three attacks over the span of a day, the last of which its team managed to suppress. The perpetrators utilized approximately 100,000 malicious IP addresses as part of a Mirai botnet. Scott Hilton, Dyn’s executive vice president of product, confirmed that IoT devices were behind the attack.
One of the big takeaways from this attack is that hackers are capable of compromising IoT devices. If IoT devices can become tools in a broader attack, they can also become stepping stones for gaining access to sensitive data. Who’s to say attackers won’t target sensors and controllers in utilities, manufacturing plants or other industrial operations?
Credentials are not secure
It’s a point that’s been made before, but we feel the need to hammer it home: the credentials of a single user, and how that user behaves, can be the weakest link in your defenses. Even if your employees use passwords longer than eight characters, a fair number of them are using credentials that are 5 years old – 47 percent, according to TeleSign.
You need to assume that at least one employee credential has already been stolen, or, just as likely, that at least one employee will fall prey to a phishing or spear-phishing attack. Either incident can mean a hacker is masquerading as one of your own users, moving laterally from one application to another and stealing data. In this way a single user can be the stepping stone for a mammoth data breach.
The weaknesses of user credentials and traditional trust models were, of course, part of one of the highest-profile hacking incidents of 2016, that of the Democratic National Committee in the US. While the debate rages over the impact of that hack, it underscores the point that major breaches start from very small exploits.
The best way to mitigate such a threat is to contain the breach. You can do this by adopting a Zero Trust security architecture and strategy. This simply means you assume that attackers have likely already compromised your network, users and systems. If so, how do you limit the damage they can do? How do you block post-compromise lateral movement from application to application?
Our customers have accomplished this by adopting a new trust model that is decoupled from the infrastructure: the Bring Your Own Trust strategy realigns trust around users, credentials and keys. The result is security that you control and that keeps you safe when the firewalled perimeter fails to keep attackers out. Learn more about adopting Zero Trust with no impact on your network or applications.
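The contain-the-breach idea above is easier to see in code than in prose. The following is an added example written for this page; it is not the post's own code and not any vendor's product. It models a default-deny access decision that is keyed on the user, the credentials presented (password plus second factor), the enrolled device and the specific application requested, and that deliberately ignores the source address, so a request from an "inside" network earns no trust. It also applies the credential-age point from the section above and flags a user who is refused several different applications, which is what post-compromise lateral probing looks like. The user directory, the one-year password age limit, the request fields and the sample traffic are all constructed assumptions.

```python
"""Minimal Zero Trust policy decision point (added example, not the post's
or any vendor's code). Every value below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Hypothetical policy: passwords older than one year must be rotated.
MAX_PASSWORD_AGE_DAYS = 365
TODAY = date(2017, 1, 10)  # fixed "now" so the example is reproducible

# Constructed directory: password age, enrolled devices and application entitlements per user.
USERS: Dict[str, dict] = {
    "alice": {"password_set": date(2016, 9, 1), "devices": {"lap-01"}, "apps": {"hr", "wiki"}},
    "bob":   {"password_set": date(2011, 3, 15), "devices": {"lap-02"}, "apps": {"wiki"}},
}


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    src_ip: str        # logged only; never part of the decision
    password_ok: bool  # outcome of the password check
    mfa_ok: bool       # outcome of the second-factor check
    device_id: str     # identity of the device presenting the request


def password_stale(user: str, today: date) -> bool:
    """True when the user's password is older than MAX_PASSWORD_AGE_DAYS."""
    return (today - USERS[user]["password_set"]).days > MAX_PASSWORD_AGE_DAYS


def decide(req: Request, today: date) -> Tuple[bool, str]:
    """Default-deny decision on user, credentials, device and application.
    Network location is ignored on purpose: being behind the firewall is not
    evidence of anything once you assume the perimeter has already failed."""
    acct = USERS.get(req.user)
    if acct is None:
        return False, "unknown user"
    if not req.password_ok:
        return False, "bad password"
    if not req.mfa_ok:
        return False, "second factor missing"  # a stolen password alone is not enough
    if req.device_id not in acct["devices"]:
        return False, "unenrolled device"
    if password_stale(req.user, today):
        return False, "stale password, rotation required"
    if req.app not in acct["apps"]:
        return False, "not entitled to application"  # stops app-to-app lateral movement
    return True, "allowed"


def evaluate(requests: List[Request], today: date) -> Tuple[list, List[str]]:
    """Run each request through decide() and list users refused two or more
    distinct applications, a pattern worth an analyst's attention."""
    decisions = []
    refused_apps = defaultdict(set)
    for req in requests:
        allowed, reason = decide(req, today)
        decisions.append((req.user, req.app, req.src_ip, allowed, reason))
        if not allowed and reason == "not entitled to application":
            refused_apps[req.user].add(req.app)
    suspects = sorted(u for u, apps in refused_apps.items() if len(apps) >= 2)
    return decisions, suspects


# Constructed sample traffic. Note that the internal 10.0.0.x addresses get no
# special treatment and the remote 203.0.113.9 request is allowed once verified.
SAMPLE = [
    Request("alice", "hr", "10.0.0.5", True, True, "lap-01"),
    Request("alice", "wiki", "203.0.113.9", True, True, "lap-01"),   # remote but fully verified
    Request("alice", "hr", "10.0.0.7", True, False, "lap-99"),       # stolen password, no 2nd factor
    Request("alice", "finance", "10.0.0.5", True, True, "lap-01"),   # not entitled
    Request("alice", "payroll", "10.0.0.5", True, True, "lap-01"),   # not entitled
    Request("bob", "wiki", "10.0.0.8", True, True, "lap-02"),        # 5-year-old password
]

if __name__ == "__main__":
    decisions, suspects = evaluate(SAMPLE, TODAY)
    for row in decisions:
        print(row)
    print("users probing applications they are not entitled to:", suspects)
```

The order of the checks matters: identity and second factor are verified before entitlements, so a stolen password never yields even an "access denied to app X" answer that would tell an attacker which applications exist. In a real deployment the directory and device registry would be external systems, and the refusal log would feed the SIEM rather than a print loop.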