Looking Back: Security and Compliance Milestones in 2016

January 9th, 2017 / security and compliance

The start of the year is always a time to reflect on the past 12 months and discuss trends for the future. 2016 was quite a year for cybersecurity. If it were a war, there would be many songs of battles lost and not many of battles won. But such is the nature of cybersecurity.


Security Milestones

In that spirit, OneLogin continued to invest in our security and privacy programs, rolling out several initiatives to strengthen our defenses for 2017 and beyond.

Bug Bounty Programs

Private bug bounty programs took off in 2016. Even the U.S. government launched its own program. OneLogin test-drove a time-boxed bug bounty program in 2015 and fully committed to it in 2016.

Bug bounty programs shouldn’t replace other efforts like third-party pen testing or application and network scans. Instead, they should augment these and other efforts to discover vulnerabilities before malicious actors do. 2017 will see more public and private bug bounty program announcements. These programs are becoming the norm rather than the exception. Companies like Bugcrowd and HackerOne enable companies of any size to implement one.

Anti-Phishing Initiatives

Phishing and ransomware dominated headlines for most of 2016. Spear phishing was especially successful in harvesting W-2s, initiating fraudulent bank transfers, and potentially influencing the recent US elections.

OneLogin launched technical and non-technical initiatives to mitigate spear phishing risks. On the technical side, we use a solution that closely monitors phishing campaigns as they start developing out in the wild, then proactively blocks or tags potential phishing attacks before they arrive in our inboxes.
</gra_replace>
<gr_replace lines="28" cat="clarify" orig="DDoS attacks reached">
DDoS attacks reached new heights in 2016: DDoS-as-a-Service appeared, and the largest DDoS attack on record occurred. IoT botnet-driven DDoS attacks took center stage late in 2016, after the successful Mirai botnet attack on DNS service provider Dyn that impacted many companies and millions of Internet users. When the attack occurred, OneLogin already had in place an improved DNS architecture designed to mitigate DDoS attacks targeting DNS, so our service was not significantly impacted. Nevertheless, we still felt this attack’s effect, since it impacted several services we use.

On the non-technical side, we run internal phishing campaigns followed by employee education sessions that analyze the attack and equip our personnel with the knowledge they need to mitigate real attacks. This latter piece of our anti-phishing strategy has provided the most traction for us. If you’d like to implement these at your company, there are many vendors and open source solutions. In 2017, I hope to see more dollars invested in cybersecurity awareness than technical anti-phishing solutions, even though companies will invest in both.

Preparing for DDoS Attacks

DDoS attacks reached new heights in 2016. DDoS-as-a-Service. The largest DDoS attack on record occurred. IoT botnet-driven DDoS attacks took center stage late in 2016, after the successful Mirai botnet attack on DNS service provider Dyn that impacted many companies and millions of Internet users. When the attack occurred, OneLogin already had in place an improved DNS architecture architecture designed to mitigate DDoS attacks targeting DNS, so our service was not significantly impacted. Nevertheless, we still felt this attack’s effect, since it impacted several services we use.

Ironically, the Dyn attack happened during US National Cyber Security Awareness Month, a time when companies communicate tips to their personnel to improve cybersecurity knowledge and bolster defenses. This includes following best practices like changing default IoT device passwords, which is a simple way of depleting the Mirai botnet of offensive resources. Clearly, much work remains to be done. Cybersecurity awareness is important, not just in October and not just in the workplace, but throughout the year and across all aspects of our digital lives.

The world relies heavily on the public cloud for our work and personal lives, so DDoS attacks will continue to impact us in 2017. As with other types of attacks, both sides will strive to improve their offensive and defensive capabilities, and there will be wins and losses.

Shifting from Prevention to Detection

If 2016 did not convince you that it’s not “whether” you’ll be hacked but “when”, 2017 certainly will. One 2016 trend was an increase in the disclosure of attacks by both the public and private sector. This trend will grow as organizations realize that it’s better to be transparent about a breach than to attempt to hide it.

The first step is to know whether you have been compromised. Earlier in 2016 we discussed the need to shift resources from prevention to detection. We rolled out tools similar to those discussed in that blog post throughout 2016 and continue to test additional detection solutions. You need to “know what you don’t know”, that is, where attacks can succeed or have already succeeded.


Compliance Milestones

On the compliance front, we improved how we measure our security and privacy programs.

Aligning with ISO Standards

In 2015 we aligned our controls to the ISO 27017 and ISO 27018 standards. In 2016, we took the next step by adding them to our ISO 27001 audit, to get third-party confirmation that we meet the requirements. Our audit was successful and provided actionable feedback that we will use to improve our security and privacy programs further.

US Privacy Shield Program

The US Privacy Shield program launched August 1. Since we are early adopters when it comes to compliance, we finished our self-certification efforts about a month after program launch. Our certification was finally approved by the program on January 4, 2017.

General Data Protection Regulation

GDPR is on everyone’s radar now even though it won’t take effect until 2018. But that will arrive in the blink of an eye. Our previous efforts to comply with the EU Data Directive, Generally Accepted Privacy Principles, ISO 27018, Safe Harbor, and US Privacy Shield mean we already meet many GDPR requirements, but we are working on a few things to be fully compliant by the end of Q1 2017.

As we move into 2017, OneLogin will continue to be vigilant for developing security threats and be proactive with strategies to combat them. To learn more about the security and compliance benefits that OneLogin can offer your business, contact us here.

About the Author

Alvaro Hoyos leads OneLogin’s risk management, security, and compliance efforts. He also works with prospects, customers, and vendors to help them understand OneLogin’s security, confidentiality, availability, and privacy posture and how it works alongside, or in support of, customers’ own risk management models. Alvaro has over 15 years in the IT sector and, prior to joining OneLogin, helped startups, SMBs, and Fortune 500 companies with their security and data privacy compliance efforts. His commentary and articles have been featured in several publications, including CIO, CSO, Forbes, the Atlantic, Bloomberg BNA, Dark Reading, Network World, Infosecurity, eWeek, HRPS, ThreatPost, and Help Net Security. Alvaro is a member of the Forbes Technology Council and has a B.B.A. in M.I.S. and an M.S. in M.I.S. from Florida International University.