One of the many signs that the year is drawing to a close is the appearance of predictions for the coming 12 months by security vendors and analysts. In a year that saw major stories such as the Snowden revelations and Adobe's massive data breach, the current state of organisations' cyberdefences, and experts' views on what they're likely to face in the future, are more pertinent than ever.
That current state is the subject of a recent study by risk analysis firm BitSight, which computed security ratings for over 70 Fortune 200 companies in four industries: finance, retail, energy and technology. BitSight's ratings are derived from 'big data' analysis of externally observable evidence of compromise, such as communication with known command-and-control servers, spam propagation and malware distribution, rather than from any inspection of the companies' internal controls. The study's headline findings are summarised in this chart:
The finance industry's lead in security effectiveness is consistent with its position as a prime target for cybercriminals, but the technology sector's consistently low ranking is something of a surprise, although the aforementioned Adobe breach is a case in point. Also noticeable is an across-the-board dip in security effectiveness in April/May 2013, which BitSight attributes to a significant increase in new attacks at that time. So much for last year: how is the arms race between the black hats and the white hats likely to develop in 2014?
2014 cybersecurity predictions
We've collated the 2014 cybersecurity predictions from seven vendors: FireEye, Fortinet, Lancope, Neohapsis, Symantec, Websense and Zscaler. Here's what the crystal-ball-gazers at these organisations are saying, with each vendor's predictions grouped together in the order listed above (headlines are reproduced as the vendors worded them):
- Sophisticated threat actors will continue to hide behind traditional mass-market crimeware tools to make identification and attribution hard for network defenders
- More attack binaries will use stolen or valid code signatures
- Mobile malware will further complicate the threat landscape
- Java zero-day exploits may be less prevalent
- Browser-based vulnerabilities may be more common
- Malware authors will adopt stealthier techniques for command-and-control (CnC) communications
- Watering-hole attacks and social media targeting will increasingly supplant spear-phishing emails
- More malware will fill the supply chain. Expect more malicious code in BIOS and firmware updates
- New heap-spray techniques will emerge because of Adobe Flash's 'click to play' mitigation (requiring user interaction to execute potentially malicious Flash content)
- Attackers will find more ways to defeat automated (sandbox) analysis systems, such as triggering on reboots, mouse clicks, applications closing and so on
- More crimeware will destroy the operating systems (OSs) of targeted systems as a last step of an attack
- More 'digital quartermasters' behind targeted attack campaigns. In other words, Sunshop DQ is only the beginning
- With increasing collaboration between targeted organizations around the globe, we will see cybercrime gangs identified and shut down, thanks to clues that tie separate attacks to common campaigns and threat actors
- Cybercrime gets personal
- We expect the time to detect advanced malware to increase
- Android Malware Expands to Industrial Control Systems, and Internet of Things
- Encryption Won't Change, but Use of Encryption Will Increase
- FBI in Conjunction with Global Cyber Security Agencies to Shut Down Botnet Operators
- The Battle for the Deep Web
- New Exploits Target Off-Net Devices to Penetrate Corporate Resources
- Network Security Vendors Forced to Become More Transparent
- More Botnets Will Migrate From Traditional Command and Control (CnC) Servers to Peer-to-Peer (P2P) Networks
- More Botnets Will Cross Breed with Other Botnets
- Increase in attacks targeting Windows XP
- Biometrics for authentication will increase
- Incident response finally matures to a business process
- Software-Defined Networking (SDN) and the adaptive perimeter
- Increase in two-factor authentication
- The 'Internet of Everything' requires the 'Security of Everything'
- Physical authenticity weakens with 3D printing
- Tracking devices
- We'll see a cyberwar redux
- The cloud will begin to show its unseen costs
- Privacy will continue to lose out to opposing parties in US Legislature
- The Internet governance battle will continue
- DDoS will get sneaky
- Encryption technologies will undergo increased scrutiny
- A foreign power or organized cybercrime group will have breached a mid-sized or municipal utility for a long period
- Legacy problems will escalate
- People will finally begin taking active steps to keep their information private
- Scammers, data collectors and cybercriminals will not ignore any social network, no matter how 'niche' or obscure
- The 'Internet of Things' becomes the 'Internet of Vulnerabilities'
- Mobile apps will prove that you can like yourself too much
- Advanced malware volume will decrease
- A major data-destruction attack will happen
- Attackers will be more interested in cloud data than your network
- Redkit, Neutrino and other exploit kits will struggle for power
- Java will remain highly exploitable and highly exploited — with expanded repercussions
- Attackers will increasingly lure executives and compromise organizations via professional social networks
- Cybercriminals will target the weakest links in the 'data-exchange chain'
- Mistakes will be made in 'offensive' security due to misattribution of an attack's source
- What's in a Name? The Importance of DNS
- The Tangled Web: SSL Encryption
- BYOD Represents the Weakest Link
- MPLS Goes Hybrid Cloud: Network-Delivered Security
- Attacks on the Internet of Things
In order to extract some pattern from the 50-plus predictions listed above, we assigned them to various categories and graphed their frequency:
Top of the list, with seven related predictions, is one of 2013's favourite buzz-phrases: the Internet of Things, or IoT. If 2013 was the year that the idea of the IoT (and many practical applications) went mainstream, then 2014 is likely to be the year when the security implications of equipping all manner of 'things' — from domestic refrigerators to key components of critical national infrastructure — with sensors and internet connections begin to hit home.
The next most populous categories, each with five predictions, are 'cyberdefence evasion' and 'network architecture', which take us into the heart of the arms race between the bad guys and the good guys. New cyberdefence evasion techniques flagged up by the experts include the use of stolen or valid code signatures to hide malware, and the development of ways to defeat automated 'sandbox' malware analysis systems. Meanwhile, network architecture-related predictions for 2014 include attacks on organisations' cloud-based data and the use of software-defined networking (SDN) to deliver "an adaptive perimeter or intelligence-based enclaves that are dynamic and both serving to the business needs as well as defensive against advanced threats" (Lancope).
The next four categories each have four predictions, and cover the use of crimeware toolkits such as Blackhole and its successors, more co-operation and collaboration among targeted organisations and cyberdefence agencies, the rise of mobile malware (particularly for the Android OS) and attacks based on social engineering or the use of social media.
Looking down the list of predictions, it's quite clear that today's threat landscape is becoming more of a threat vista, encompassing an increasing range of potential vulnerabilities and demanding an appropriately sophisticated response by those charged with cyberdefence — whether at the family, organisation or national level. The days of setting and forgetting a firewall and some antivirus software are well and truly over.