There are lots of terms bandied around at this time of year that try to tie up the previous 12 months’ events into a neat package. In the security space, 2014 has been branded ‘the year of the breach’ or ‘the year of encryption’ – but perhaps, to better emulate the Chinese zodiac, ‘year of the Poodle’ would be more fitting.
Social engineering, targeted malware, mobile security flaws, ransomware, cyber-espionage, breaches in the public cloud… the list of threats that either developed or escalated in 2014 is endless. Major vulnerabilities such as Shellshock and Heartbleed in established software components were among the biggest headlines. Then there were wide-scale data breaches at the likes of JPMorgan, UPS and Neiman Marcus, raising significant questions about businesses’ preparedness for cyber-attack, the increasing ingenuity of criminal hackers, and the massive implications of human error.
As well as being the season of good will, it is also customary at this time of year for industry insiders to offer their predictions for the year ahead. This is the first of a multi-part feature that looks at the various messages coming out of the cyber-security world relating to 2015’s threats, challenges and developments. This first part rounds up the industry’s insight into the persistence of existing issues that show no signs of diminishing in the year ahead.
Inside Job
A recent ICO report found that 32% of data breaches are caused by employee error or negligence – the recent Vodafone data leak being a good example. Commentators from across the industry seem to suggest that the ‘insider threat’ is a persistent problem that won’t abate in 2015.
Canon’s director of information security, Quentyn Taylor, certainly takes this view, but explains that, “Insider threats are not necessarily the result of rogue employees driven by malicious intent. Any employee with a device that stores information can be at risk of inadvertently compromising data security.”
Varonis VP David Gibson concurs: “Much attention is paid to the role of cyber-criminals… the far more common threat begins with well-intentioned employees.” In addition, he argues that “the failure of companies to create and enforce a least-privilege model for confidential or sensitive data will lead to a highly publicized breach and loss of critical data [in 2015].”
Also arguing that insider threats will persist as the primary cause of breaches, officials at virtualization security service provider HyTrust predict that “access controls, role-based monitoring and the ‘two-man rule’ will become key requirements in the cloud.”
Breaking the Bank
Point-of-sale (PoS) systems and other financial transaction platforms have been a major target for attackers in 2014, evidenced most famously in the continued fallout from the Target breach. This is another trend that isn’t going to go away in the next 12 months, argues Lancope’s director of security research Tom Cross: “We continue to hear about infections at large retailers. Criminals have a proven, repeatable process here that is extremely lucrative.”
But breaches of this kind are not a problem unique to the US. Symantec threat researcher Candid Wüeest suggests that though “the chip and PIN system in Europe makes it harder to obtain consumers’ payment card information… chip and PIN cards are also susceptible to being used for fraudulent online purchases. Also, there is a possibility of hackers exploiting individual NFC cards in one-off attacks.”
Attack Source
Without question, vulnerabilities in open-source software have been a major theme in 2014, and plenty of commentators expect more weaknesses to be exploited in old source code in 2015. Experts from Websense Security Labs comment that “the pace of software development demands that new applications are built on open source. Next year, attackers will successfully exploit seemingly divergent application software through vulnerabilities in the old source code that these applications share.”
Rapid 7 chief research officer HD Moore agrees the industry should plan for another year in which vulnerabilities in open source libraries and system components result in major disruption and possible data loss. “The ‘big bugs’ of 2014 were not in Microsoft products for once. The issues that keep ‘breaking the internet’ are endemic flaws in open source software that really should be better by now.”
Further disclosures related to 2014’s high profile vulnerabilities will emerge next year, argues Lancope’s Tom Cross: “This year's vulnerabilities… don't fit the mold of typical memory management vulnerabilities. They were lurking in production codebases for many years before they were discovered. Those factors will motivate researchers to look for similar bugs in other places.”
Mission Critical
Attacks on critical national infrastructure are among the most significant stories that hit the headlines in the past 12 months. Symantec’s Orla Cox commented that “State-sponsored cyber-espionage and cyber-sabotage campaigns, like we saw with DragonFly and Turla will continue to pose a risk to national and critical infrastructure and intellectual property in 2015.”
Indeed, nearly 70% of critical infrastructure companies suffered a security breach over the last year, according to a Unisys survey. Checkpoint’s UK MD Keith Bird believes that “Cyber attacks on public utilities and key industrial processes will continue, using malware to target SCADA systems. As control systems become increasingly connected, this will extend the attack vectors that have already been exploited by well-known malware agents such as Stuxnet, Flame and Gauss.”
Part 2 of Infosecurity’s 2015 predictions feature focuses on the emergence and escalation of threats facing the industry.