At the end of every year security writers get lots of pitches from vendors for stories about their security predictions for the next year. This year I received an even dozen pitches. Here are the good (The Interesting), the bad (The Bogus), and the ugly (in this case The Obvious - move on, nothing to see here).
The Interesting — When I finally looked carefully at all the predictions I got from vendors I was impressed with more than I expected. There is both good and bad news in here.
Here's one I hadn't considered before: Lancope's CTO Tim (TK) Keanini argues that the rise of Software-Defined Networking (SDN) will make network threat monitoring much more effective. There are already plenty of good reasons for a large, complex enterprise to move towards SDN; it facilitates the most efficient utilization of network resources and dovetails well with virtualization at the process and storage levels.
The basic security idea is that intelligent agents on the network can more effectively see what's happening, identify and scrutinize suspicious activity, and perhaps isolate it.
SDN isn't new in 2014 nor, it seems, is this idea of it having security benefits. But it's a reasonable bet that there will be significant innovation and product development in this area in 2014.
Kevin Watkins, chief architect and co-founder of Appthority, says that "tensions will increase between IT departments and end users as businesses move toward adopting technologies that will approve apps as they are downloaded." In other words, IT will assert more authority over what software runs on their network via mobile devices.
The capability to do this has been there for a long time, and in some markets (mostly Financial, I believe) strict control is maintained. Remember, there are still many, many BlackBerries out in the real world, and that's mostly because of the security and control that IT has (especially with BES10).
But Watkins sees a broader move towards what I can only call responsible management. "Regulatory standards in healthcare, finance and government around private data and mobile apps may make it so that IT departments will have to enforce security measures on employees' mobile devices, rather than simply setting policy and informing employees of their company's mobile security policies. Thus, there will be more real-time evaluation and approval of apps on BYOD and company-issued devices."
I think that in most cases, IT departments would want to have this authority, and not because they like telling other people what to do with their devices. It's because they are responsible for the security of the systems and data, and to ensure that security they need more authority than they have typically been granted. Maybe 2014 will turn the tide.
FireEye made 15 predictions, one of which achieves some infamy below. But I thought three of their predictions were both intriguing and credible.
FireEye's Yichong Lin says that Java zero-day exploits may be less prevalent. "Despite the comparative ease of Java exploit development, the frequent release of new Java zero-day exploits stopped after February 2013. The reason is unclear, but may be due in part to security warning pop-ups in Java 1.7 or increased attention from white-hat security researchers." It's also possible, as he suggests, that there are just fewer users running old, vulnerable versions of Java, but I find this less convincing. All in all, good news if true, although really more of a retrospective on 2013 than a prediction for 2014.
Dan Caselden says that browser-based vulnerabilities may be more common. It's a bit of a cat-and-mouse game, but attackers are getting good at finding holes in Address Space Layout Randomization (ASLR), which, together with Data Execution Prevention (DEP), is a major protection against exploitation. Browser companies plug these holes as quickly as they are found, but they keep on coming. Our only hope probably lies in research on new defensive techniques, such as that promoted by Microsoft with their BlueHat awards.
Finally, Jason Steer thinks that more crimeware will destroy the operating systems (OSs) of targeted systems as a last step of an attack. "Lately, European authorities have been more successful in catching cyber gangs. A new feature in Zeus that wipes the OS could help cybercriminals clean up any evidence and avoid arrest." Ugh. Bummer.
Kaspersky experts have a number of interesting predictions. Alex Gostev, Kaspersky's Chief Security Expert, goes long:
The Internet has begun to break up into national segments. Snowden's revelations have intensified the demand for rules prohibiting the use of foreign services. Individual countries are no longer willing to let a single byte of information out of their networks. These aspirations will grow ever stronger and legislative restrictions will inevitably transform into technical prohibitions. The next step will most likely be attempts to limit foreign access to data inside a country. As this trend develops further it may lead at some point to the collapse of the current Internet, which will break into dozens of national networks. The shadowy Darknet then will be the only truly world-wide web.
I can see a movement in this direction getting started. It can't happen all in 2014. It's one of the more credible dystopian predictions I've seen. Another interesting and credible Kaspersky prediction: "...there is evidence to suggest that in 2014 Bitcoin will collapse, resulting in losses for those who possess the crypto-currency."
The Bogus — Full-of-it predictions aren't really all that common, although they definitely happen. For many, many years in the 1990s and into the next millennium, some tech experts predicted that the next year would be the year of the Linux desktop. It never happened (although some would argue that Android, based as it is on Linux, is the face-saving realization of this prediction). The security version of this evergreen prediction is first in my Bogus list.
Yogi Chandiramani and Tim Stahl of FireEye argue that "[m]obile malware will further complicate the threat landscape."
A claim that this will be the year of mobile malware was, for many years, a standard boilerplate item in security vendor predictions. While there is clearly a whole lot of malware for Android, and a whole lot of security software to fight it, it hasn't exactly complicated the landscape yet. And on more tightly controlled platforms, like iOS and Windows Phone, malware is a non-issue. And still the large majority of Android malware does disturbing but stupid things, like making toll calls, rather than things which are truly threatening to an enterprise.
But Chandiramani and Stahl think that we'll "see blended threat between desktop and mobile gaining access to mobile-based authentication (such as SMS confirmation numbers). Because cybercriminals go where the clicks are, expect to see a continued focus on attacking these devices." Perhaps this will happen in some very high-value targeted attacks, but in the big picture cybercriminals also don't want to put a lot of effort into things.
Mobile malware may actually be a real-world problem, but I'll believe it when I see some data that actually demonstrates it. In the meantime, for years I've asked vendors for such data and nobody has even pretended to have any.
Trend Micro's 2014 security predictions have high production values, but I'm not impressed with the content. Here in the Bogus section, I'll focus on one: Two-step verification won't work anymore against MitM (man-in-the-middle) attacks — In fact, two-step verification isn't supposed to defeat MitM attacks! It's supposed to strengthen authentication of users on endpoints. The sort of attack alluded to by Trend Micro involves resident malware already running on the system which tricks the user into entering their secret second factor. This malware, of course, running locally on the computer, could also log keystrokes and do other things which two-step authentication isn't designed to thwart. It's the technological equivalent of someone looking over your shoulder as you log in. But if your password is part of a large, compromised database — undoubtedly a real-world problem — two-step verification will stop outsiders from getting to your account.
The Obvious — Stating things which are obviously true and always have been is a staple of security prediction. Straw men are a popular technique in such predictions. When Webroot predicts "Increasingly-sophisticated obfuscation techniques" and "Increasingly-sophisticated packing techniques" they are predicting for next year what has happened every year in recent memory.
Just about every prediction Trend Micro makes for 2014, other than the bogus one above, falls into the obvious category.
"Cybercriminals will level up via targeted attack methods." "One major data breach will occur each month." "Bad actors will use Deep Web [Tor, etc.] to drag law enforcers into a global struggle." These are all in the category of "tell me something I don't already know and which hasn't been happening already for a while."
Trend was far from alone in making such empty predictions, but theirs may have been the most densely obvious.
Most of Microsoft's predictions were mildly interesting, but not quite up to the level necessary for this column. Microsoft did make one prediction which is obviously true and deep-fried in irony: "Cybercrime that leverages unsupported software will increase." The main reason this will happen, by far, is that Windows XP and Office 2003 will become unsupported in April. Microsoft is right to end support for these products, as they have warned for many years they will. As with kids, at some point you have to let go.
There will, however, be many millions of users who stay on these products, and every exploit henceforth developed for them will remain. I have already predicted that black hat exploit writers (the kind who sell to the NSA) are saving up exploits for Windows XP and Office 2003 and the price of new ones will be high after April.