It's so popular to make predictions at the end of the year. How did the security predictions of the experts for 2014 turn out?
About a year ago I wrote up some 2014 predictions I found interesting. Let's take a look at them.
- Microsoft [made] one prediction which is obviously true and deep-fried in irony: "Cybercrime that leverages unsupported software will increase." The main reason this will happen, by far, is that Windows XP and Office 2003 will become unsupported in April. Microsoft is right to end support for these products, as they have warned for many years they will.
Here, I think, is the only real surprise from a year ago. It was obvious and inevitable, once support for Windows XP and Office 2003 ended in April, that attacks on the large number of those products' remaining users would proceed in torrents. I haven't heard anything about such attacks actually occurring. This doesn't mean that pushing users off of XP was a bad idea, but perhaps those users aren't such a worthwhile target anymore.
- Kevin Watkins, chief architect and co-founder of Appthority, says that "tensions will increase between IT departments and end users as businesses move toward adopting technologies that will approve apps as they are downloaded." In other words, IT will assert more authority over what software runs on their network via mobile devices.
If there was any movement in this area in 2014 I'd say it was to institutionalize EMM (Enterprise Mobility Management) into the main mobile operating system. Apple had already done this in iOS 7 and Google added EMM based on Samsung's SAFE to Lollipop. Microsoft also improved the breadth and depth of their EMM. BlackBerry had these capabilities in BES 10 ahead of all the others.
These moves will tend, over the next few years, to give IT more control over what apps can run on managed devices, the ability to protect apps and data and the ability to constrain what apps can do. But I see no recognizable backlash against end-user empowerment.
- Fireeye's Yichong Lin says that Java zero-day exploits may be less prevalent. "Despite the comparative ease of Java exploit development, the frequent release of new Java zero-day exploits stopped after February 2013. The reason is unclear, but may be due in part to security warning pop-ups in Java 1.7 or increased attention from white-hat security researchers." It's also possible, as he suggests, that there are just fewer users running old, vulnerable versions of Java, but I find this less convincing. All in all, good news if true, although really more of a retrospective on 2013 than a prediction for 2014.
I think Lin hit the target. Clearly Java is not the mess it was a couple of years ago and I recall no disasters in 2014. The National Vulnerability Database at NIST lists some, but not a whole lot of severe JVM vulnerabilities in 2014. And I don't know how trustworthy it is, but the Java 0-day site says it has been 529 days since the last 0-day.
- Dan Caselden [also of FireEye] says that browser-based vulnerabilities may be more common. It's a bit of a cat and mouse game, but attackers are getting good at finding holes in Address Space Layout Randomization (ASLR) which, with Data Execution Prevention (DEP) is a major protection against exploit. Browser companies plug these holes as quickly as they are found, but they keep on coming. Our only hope probably lies in research on new defensive techniques, such as that promoted by Microsoft with their BlueHat awards.
Another bulls-eye for Fireeye. Not too long ago I noted that the number of browser updates in 2014, particularly of Internet Explorer updates, was immense. And this was also a year in which Microsoft experienced numerous quality control problems with updates.
Caselden is also right about the importance of defensive technologies, and remember that Microsoft provides more of these beyond what comes with Windows through the Enhanced Mitigation Experience Toolkit (EMET).
- Jason Steer [yet again of FireEye] thinks that more crimeware will destroy the operating systems (OSs) of targeted systems as a last step of an attack. "Lately, European authorities have been more successful in catching cyber gangs. A new feature in Zeus that wipes the OS could help cybercriminals clean up any evidence and avoid arrest." Ugh. Bummer.
Before Steer made this prediction there had been a small wave of such attacks and perhaps his prediction made sense. I haven't heard of this as a major trend in 2014. Have you?
- The Internet has begun to break up into national segments. Snowden's revelations have intensified the demand for rules prohibiting the use of foreign services. Individual countries are no longer willing to let a single byte of information out of their networks. These aspirations will grow ever stronger and legislative restrictions will inevitably transform into technical prohibitions...
A year ago I called this "one of the more credible dystopian predictions I've seen" and perhaps it is, but it seems less "inevitable" than it did then. Whatever the level of outrage, I don't see laws in western countries getting seriously in the way of doing business.
- Yogi Chandiramani and Tim Stahl of Fireeye argue that "[m]obile malware will further complicate the threat landscape."
It's new years and time again to predict the impending doom of mobile malware. In the last year there has been an actual explosion of mobile malware. The score: Android - tens of thousands, iOS - a couple. The Android malware is overwhelmingly (though not exclusively) on third-party app stores, not the Google Play store, and Google is probably better than the other stores about cleaning out reported malware.
I'm an Android user. I don't use any antimalware products and I don't feel unsafe because I don't go promiscuously installing apps from unknown sources. Android malware exists, but it's nowhere near the real world problem that Windows malware is, and not even as big a real-world problem as Mac malware.
- Trend Micro's 2014 security predictions: ... Two-step verification won't work anymore against MitM (man in the middle) attacks - In fact, two-step verification isn't supposed to defeat MitM attacks!
I cited this prediction in order to ridicule it. It's a classic example of dismissing a feature because it doesn't do what the product you're selling does. Each year we learn with more certainty that two-factor authentication is a security feature of immense value. It's a pain in the butt and users don't like it, but if it were widely-deployed it would mitigate many of the scary stories in the news, such as compromised password databases. 2014 just reinforced this state of affairs.
I don't get the feeling that 2014 was a particularly bad security year. Many bad things happened, but of course they would and of course they will in 2015.