Cybersecurity in 2015: What to expect
Cybersecurity recently featured on one of the world's most prominent platforms -- the annual State of the Union Address in the USA, during which President Obama declared:
"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children's information. If we don't act, we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."
Those seeking illegal access to online information and communications, and those attempting to safeguard it, remain locked into an ongoing arms race. Every year brings its crop of damaging hacks, brought about by an evolving arsenal of cyberattack techniques, which the security industry strives to defend with existing tools while gathering intelligence on new vulnerabilities. Users are also part of the problem, as their careless or malicious online behaviour can create exploitable opportunities for hackers, or directly result in security breaches.
Top security breaches of 2014
Here are some of the leading security breaches in the US last year, according to email and web security experts Appriver:
| Date (2014) | Company | Number of records exposed | Types of records |
25 Jan | Michael's | 2,600,000 | payment cards |
6 Feb | Home Depot | 20,000 | employee info |
14 Mar | Sally Beauty Supply | 25,000 | credit/debit card |
17 Apr | Aaron Brothers | 400,000 | payment cards |
22 Apr | Iowa State University | 48,729 | student social security numbers |
30 May | Home Depot | 30,000 | credit/debit card |
22 Jul | Goodwill Industries | 868,000 | payment systems |
18 Aug | Community Health Systems | 4,500,000 | patient data |
21 Aug | United Postal Service | 105,000 | credit/debit card |
28 Aug | JP Morgan Chase | 1,000,000 | financial information |
2 Sep | Home Depot | 56,000,000 | credit/debit card |
2 Sep | Viator/Trip Advisor | 880,000 | payment cards |
25 Sep | Central Dermatology | 76,258 | patient data |
7 Nov | Home Depot | 53,000,000 | email addresses |
10 Nov | US Postal Service | 800,000 | personal data |
18 Nov | Staples | 1,200,000 | credit/debit card |
This isn't a comprehensive list by any means, but it's clear that businesses and other organisations are regularly losing large amounts of confidential data to increasingly well-organised cybercriminals. For a neat graphical view of the history of notable data breaches, check out this interactive infographic from informationisbeautiful.net.
When a security breach occurs, the company or organisation concerned not only loses valuable and/or sensitive data, but it also suffers damage to its brand or reputation that can take a lot of time and money to repair.
The highest-profile cyberattack of 2014 was discovered towards the end of November and involved the theft of company data from Sony Pictures Entertainment (SPE) by a hacker group calling itself Guardians of Peace, or GOP. Among the claimed 100TB of data stolen from SPE was employee information (47,000 social security numbers, reportedly) and, as widely covered in the mainstream media, celebrity gossip and juicy details on the machinations of the film industry from internal emails. The SPE hack also had a political dimension, as the GOP hacker group at one point demanded that the release of The Interview, a comedy about an assassination plot against North Korean leader Kim Jong-un, be cancelled. Although the identity of the GOP remains unknown, the finger of suspicion has been pointed by the US government at North Korea, which has denied any involvement.
We may not see such a multi-faceted a hack as SPE/GOP, but we can confidently predict that 2015 will bring its share of headline-making security breaches, as well as an undiminished level of background hacking activity. Let's see why.
Security predictions for 2015
Vendors, analysts and pundits have made a tradition of issuing annual turn-of-the-year cybersecurity predictions for the coming 12 months. Although such people have a vested interest in 'talking up' the subject, there's no denying that security and privacy are now high on the agendas of businesses, organisations, individuals and governments.
So it's interesting to try and summarise the cybersecurity industry's 2015 predictions. To do so, we examined forward-looking articles from 17 organisations and assigned the resulting 130 predictions to a number of emergent categories to produce the graph below:
Heading the list are 'New attack vectors & platforms' and 'Evolution of existing cybersecurity solutions' -- two categories that illustrate the reality of the cybersecurity arms race.
In the first category, several commentators highlighted "new bugs in old, widely-used code" (Kaspersky Lab), such as Heartbleed/OpenSSL and Shellshock/Bash, while Sophos noted exploitable flaws in the IPv6 protocol, along with rootkit and bot capabilities in the UEFI rich boot environment that may generate new attack vectors. Apple was the main new platform flagged up, for example by FireEye, which noted that "Apple's increasing enterprise footprint means malware writers will adjust their toolset". Record recent sales figures can only further whet the hackers' appetite for Apple products.
A wide range of predictions fell into the number-two category ('Evolution of existing cybersecurity solutions'), including ImmuniWeb's contention that "Automated security tools and solutions will no longer be efficient" if used independently or without human intervention. Fortinet thinks that hackers will increasingly seek to evade sandboxing techniques and divert investigators by "throwing more red herrings into their attacks to thwart investigators and intentionally planting evidence that points to an unassociated attacker". Analyst IDC, meanwhile, predicts that "By 2017, 90% of an enterprise's endpoints will utilize some form of hardware protection to ensure that endpoint integrity is maintained" and that "By 2018, 25% of security applications that were previously purchased independently will be incorporated directly into business applications".
Several of the prediction categories refer to specific new attack vectors and platforms, notably the Internet of Things (within which we include everything from wearables to critical infrastructure components), mobile technology, people and social networks, big data and analytics, cloud services, retail point-of-sale and payment systems, web technology, open-source software, and third-party attacks and malvertising. This shows that the range of opportunities for hackers will continue to expand as the world becomes ever more internet-connected -- only recently, for example, a vulnerability was discovered that would allow a drone (or unmanned aerial vehicle) to be hijacked via a backdoor in its Linux-based control software.
On the IoT (ranked 3 in the graph), Websense makes the point that "Your refrigerator is not an IT threat. Industrial sensors are." That is, cybercriminals more likely to target M2M communication in automated industries like power generation and oil or gas extraction than try to "melt the butter or spoil the milk" in your smart fridge. This view is echoed by Sophos, which notes that "The gap between ICS/SCADA and real world security only grows bigger". At the other end of the IoT scale, Forrester makes the specific prediction that "A wearables health data breach will spur FTC action" in 2015 -- something that businesses looking to implement wearable-based employee wellness programs should bear in mind.
Many commentators point out that mobile platforms (ranked 4) will become increasingly attractive to hackers and cybercriminals, especially now that mobile payment systems such as Apple Pay are taking off. Websense also thinks that hackers will target mobile devices "not to simply crack a phone code and steal data from the device itself -- but as a vector into the growing data resources that the devices can freely access in the cloud".
People and social networks (ranked 9) are another increasing focus for hackers, especially when crafting targeted attacks, as Blue Coat notes: "Attack tools will increasingly leverage information from social networks to customize the attacks in a better way. Most targeted attacks have a social context, which increases efficacy and is easier to do now. Attackers will exploit their knowledge of target victims to gain access to critical systems and data".
As far as big data and analytics (ranked 13) are concerned, Varonis Systems warns of the rise of 'salami attacks': "Even when encrypted or anonymized, the vast amount of data being collected on people through social networks, credit-card transactions, security cameras and digital footprints are increasingly being pieced together into a frighteningly complete picture. This threatens not only individuals but government organizations, corporations and their business partners...In 2015, a major big data initiative somewhere will be derailed by a salami attack". On the other side of the big-data coin, Symantec predicts that "Machine learning will be a game-changer in the fight against cyber-crime".
Cloud services (ranked 14) are another cybersecurity battleground, where Varonis Systems thinks that "Cloud and IaaS companies will need to compete on how well they manage and protect data while also providing productivity-enhancing functionality to their clients...Failure to offer the same levels of access control, data protection and breadth of productivity enhancement that enterprises are accustomed to enjoying inside the walls of their own data centers will force cloud companies into service niches that exclude their clients' most vital data". IDC, meanwhile, sees security software itself moving into the cloud: "Enterprises will be utilizing security software as a service (SaaS) in a greater share of their security spending. By the end of 2015, 15% of all security will be delivered via SaaS or be hosted and by 2018 over 33% will be".
Several commentators noted the large number of high-profile attacks on retail operations (ranked 15) in 2014 -- a trend that's expected to continue in 2015: "Hackers target points of sale, ATMs" (Kaspersky Lab); "Retail breaches -- 2014 was the tip of the iceberg" (Damballa). As a result, Forrester predicts that "Retail security budgets will increase by double digits in 2015". Other new avenues of attack noted in the 2015 predictions included open-source software and vulnerable third parties such as links in the supply chain or malware-infected advertising ('malvertising').
No crystal ball is required to predict that high-profile security breaches (ranked 5) will continue to make the news in 2015 ("Prominent data leaks will keep cybersecurity in the spotlight" -- Symantec). However, Websense drew specific attention to healthcare data on the grounds that "No other single type of record contains as much Personally Identifiable Information (PII) that can be used in a multitude of follow-up attacks and various types of fraud".
Encryption and privacy (ranked 6), much in the news at the moment, came up regularly in the 2015 predictions. According to Blue Coat, encryption is a double-edged sword: "Use of encryption will continue to increase to protect consumer privacy. Malware will increasingly hide behind encryption to evade detection by most enterprises that are struggling to balance employee privacy with attacks hiding behind encryption". Sophos, meanwhile, picked up on the political angle: "With growing awareness of security and privacy concerns due to revelations of intelligence agency spying and newsworthy data breaches, encryption is finally becoming more of a default. Certain organizations like law enforcement and intelligence agencies are unhappy about it, under the belief that it will adversely impact safety".
Several predictions coalesce around regulation, compliance and cyberinsurance (ranked 7). On the subject of security breach notification laws, Varonis Systems highlights a mid-Atlantic divide: "Data will be more secure in the EU [thanks to proposed Data Protection Regulation], but what will happen in the US?". This underlies Neohapsis's prediction that "a US firm will be implicated in a significant breach of EU data". The prospect of "multimillion dollar fines and suits" following customer breaches leads Forrester to predict that "$100 million cyberinsurance policies will become the norm", a sentiment echoed by FireEye.
The evolution of organisations' security strategies (ranked 8) occupies several commentators. FireEye thinks that "Fewer organisations will run their own security operations centre (SOC)" and that businesses should "Shift from a peacetime to a wartime mindset", while cybersecurity's increasing profile leads to IDC's prediction that "By 2018, fully 75% of chief security officers (CSO) and chief information security officers (CISOs) will report directly to the CEO, not the CIO".
Intelligence on, and prevention of, advanced 'stealth' attacks (ranked 10) were naturally flagged up by FireEye and Damballa -- two companies that specialise in solutions in this area. FireEye thinks that corporations will "stop paying for AV" and "shift spend to advanced detection, response and forensics", while Damballa noted that organisations invested in "threat detection and response" in the latter half of 2014 and expects this trend to continue in 2015.
State-sponsored and politically motivated attacks (ranked 11) are mentioned by several commentators: "New cyber-war players take a seat at the table" (Websense); "The rise of espionageware" (Blue Coat); "Cyber espionage attacks will continue to increase in frequency" (McAfee); "Politically motivated attackers will target private citizens" (Neohapsis). Websense notes that cyberwarfare/terrorism will increasingly be conducted by "loosely affiliated 'cells'...independent from, but in support of, nation-state causes".
Ransomware (ranked 12), where money is extorted in exchange for releasing some restriction (such as data encryption) on an infected system, is predicted to increase in scope and frequency: "Ransomware will aim higher and cost more (Blue Coat); "Ransomware expansion" (Lancope); "Scammers will continue to run profitable ransomware scams" (Symantec); "Ransomware will evolve its methods of propagation, encryption, and targets" (McAfee).
The remaining prediction categories concerned biometrics and multi-factor authentication, cybercrime and cybersecurity skills -- the latter, surprisingly, being mentioned only once, by Sophos ("Global skills gap continues to increase, with incident response and education a key focus").
2014 surveys and annual reports
There has been a flood of surveys, white papers and annual reports on cybersecurity-related topics published in 2014. There's not the space to cover these here, but here's a selective 'further reading' list if you're interested in diving deeper:
| Publisher | Title |
Appriver | |
Cisco | |
CyberEdge Group | |
Damballa/Ponemon | |
EY | Global Information Security Survey 2014: Get Ahead of Cybercrime |
Forrester | |
HP/Ponemon | |
Lumension/Ponemon | |
Radware | |
SafeNet/Ponemon | The Challenges of Cloud Information Governance: A Global Data Security Study |
Symantec | |
Tripwire/Atomic |
Outlook
One thing about cybersecurity is certain: it's no longer sufficient for organisations simply to guard the network perimeter with a firewall and install antivirus software on endpoints. CSOs and CISOs need to continually monitor the evolving threat landscape, and to replace an "if we get hacked" mindset with a "when we get hacked" one.
Organisations' social, mobile, big-data, cloud and other digital-transformation strategies inevitably expose them to new kinds of cyberattacks, which will continually test the current cybersecurity toolkit -- firewalls, antivirus software, VPNs, intrusion detection/protection systems, advanced threat defences and so on. If these aren't up to the job, investment will be required in new defences, skilled staff to operate them and cyberinsurance policies should these measures fail.
If nothing else, cybersecurity's increasingly high profile should give CSOs and CISOs plenty of ammunition when arguing their case in the boardroom.