We actually already released next year’s security predictions last week. You can read our press release about them (which includes a shortened version of the predictions) or check out this cool and succinct infographic. In fact, you can even watch a recording of my one-hour prediction presentation. However, for the folks who prefer to read, I’ve gone ahead and posted the longer version of my predictions below.
Also, we decided to do things a bit differently this year. As security professionals we spend a lot of our time looking for trouble and expecting the worst. And in 2014, there were lots of vulnerabilities and threats to be found, such as Heartbleed, Regin and Operation Cleaver. However, rather than just focusing on which threat trends you should worry about the most, we thought it might be useful to also share some over-hyped trends, which may not affect you. Hence, five predictions you need to prepare for in 2015, and five you don’t.
Top Five Things NOT to Worry About:
- The Internet of Everything Will NOT Bring a Rise of Machines: Lately, information security (infosec) pundits, myself included, have warned the world about the dangers posed by the thousands of embedded computing devices popping up in stores, which we call the Internet of Things (IoT) or the Internet of Everything (IoE). Things like watches, cameras, Smart TVs, and much more, don’t look like computers, but they are, and we connect them to the same networks as our computers.
As a result, these devices can have the same potential security flaws as traditional computers, and we will see researchers find and demonstrate these flaws. That said, we won’t see malicious cyber criminals hacking these IoT devices at a large scale in 2015. Today’s cyber criminals typically don’t just hack for the heck of it—they need motive. There’s not much value in having control of your smart watch or TV, so we won’t see hackers targeting them directly… yet. However, these IoT devices do increase the number of ways we share data with the cloud. Though attackers probably won’t target the IoT next year, they will go after all the personally identifying information (PII) that our computing devices spew into the cloud.
- Cloud Adoption Will NOT Continue its Stratospheric Climb in 2015: Security pundits have always been a bit suspicious and slow to adopt certain cloud services, especially when the service requires you to share sensitive data with an external cloud vendor, or give up some control. Despite this, businesses have quickly and widely adopted many cloud services, presumably because they offer so much business advantage. For instance, web hosting and email have become services many companies choose to host elsewhere.
However, this cloud adoption will slow and plateau in 2015. Snowden has made the world aware that nation states intercept information from cloud services, and incidents like “The Fappening” prove that the things we share with “the cloud” can leak. Between the “Snowden effect” and a number of popular cloud services leaking data, organizations will be more concerned with where they put certain sensitive information. This doesn’t mean businesses will stop using the cloud where it makes sense. It just proves that we can’t put everything in the cloud. Administrators should consider security controls that help in this hybrid environment; controls that help them manage their network perimeter alongside their cloud resources.
- Passwords Will NOT Die in 2015, or 2016, or 2017…: Over the past few years, the industry has suffered a number of password-related security incidents: both attackers stealing them en masse, and hackers hijacking high-profile accounts. These incidents often illustrate that common folk still use bad passwords and that our reset mechanisms are weak. As a result, many in the industry have predicted passwords will die.
There are two faults with this logic: first, it overlooks the core cause of the issue and, second, we haven’t found a viable alternative. When bulk password thefts happen, the passwords aren’t at fault; rather, the fault lies with the lack of security at the organization maintaining them. Furthermore, we haven’t found a perfect replacement for passwords. Biometrics are neat, but fingerprints can get stolen too, and once they are, you can’t ever change them. A better prediction for next year is that two-factor authentication will become ubiquitous online, and passwords will remain as one of the two factors.
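The following is an added example, not code from the original post or from WatchGuard, showing what “passwords as one of two factors” looks like in practice: a login that requires both a salted PBKDF2 password check and a time-based one-time code (TOTP, RFC 6238, HMAC-SHA1). The in-memory user store, the demo user `alice` and her password are constructed for the example; the TOTP seed is the published RFC 6238 test secret so the generated codes can be checked against the RFC’s own test vectors.

```python
"""Two-factor login: salted password hash + RFC 6238 TOTP (added example)."""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30      # seconds per code
TOTP_DIGITS = 6


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, digest) for storage; never store the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, expected_digest, iterations=PBKDF2_ITERATIONS):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected_digest)


def totp(secret, timestamp, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP over the current time step, dynamically truncated."""
    counter = struct.pack(">Q", int(timestamp) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, timestamp, window=1):
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, timestamp + delta * TOTP_STEP), code)
        for delta in range(-window, window + 1)
    )


def enroll(store, username, password, totp_secret):
    """Register a user: store only the salt, the PBKDF2 digest and the TOTP seed."""
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "hash": digest, "totp_secret": totp_secret}
    return store


def login(store, username, password, code, timestamp):
    """Both factors must pass; evaluate both so a failure does not reveal which one failed."""
    record = store.get(username)
    if record is None:
        return False
    password_ok = verify_password(password, record["salt"], record["hash"])
    code_ok = verify_totp(record["totp_secret"], code, timestamp)
    return password_ok and code_ok


# Constructed demo data: RFC 6238 Appendix B test secret and an invented user.
RFC6238_SECRET = b"12345678901234567890"
DEMO_STORE = enroll({}, "alice", "correct horse battery staple", RFC6238_SECRET)

if __name__ == "__main__":
    t = 59  # RFC 6238 test vector time; 6-digit SHA1 code is 287082
    print("code at t=59:", totp(RFC6238_SECRET, t))
    print("both factors:", login(DEMO_STORE, "alice", "correct horse battery staple", "287082", t))
    print("wrong code:  ", login(DEMO_STORE, "alice", "correct horse battery staple", "000000", t))
```

The point of the layout is that the stored record contains nothing that lets a thief of the database log in directly: the password is only recoverable by brute force against a slow hash, and the one-time code changes every 30 seconds. The ±1 step window is the usual compromise between tolerating phone clock drift and keeping a captured code short-lived.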
- Secure Design Will NOT Win over Innovation: It’s easy to love new technology and gadgets and the innovations they introduce to our lives, making things easier and more delightful. However, humanity is notorious for diving head first into innovative technology without considering the potential consequences. More specifically, security is usually the last thing on our minds when we innovate. This means the newest, most innovative technologies often arrive rife with vulnerabilities.
This won’t change in 2015. In order to invent, and push boundaries, we must take risks. That means security will continue to take a back seat to innovation. That doesn’t mean innovation is a bad thing. We should welcome technologies that make our lives easier. However, it does mean that you, as a security professional, have the tough job of weighing the operational benefits of new technologies against their potential security risks. While infosec professionals cannot afford to become a roadblock against innovation, we also can’t let insecurity creep into our networks under the guise of “good” business.
- SDN Will Have Security Implications, But NOT For Years: If you follow technology analysts or keep up with bleeding-edge networking, you’ve probably heard all the excitement around the next great networking innovation—Software Defined Networking (SDN). Without going into detail, SDN basically does for networking what hypervisors did for computing… it virtualizes it. At the highest level, SDN is a new network architecture paradigm where the control plane is decoupled from the data plane. Rather than letting proprietary networking hardware make fairly static traffic routing decisions that apply equally to all traffic, SDN allows controllers to make dynamic routing decisions that can differ based on the applications sending the traffic, the location of the device, and many other things. SDN will help networking catch up with the dynamic, mobile, cloudy world we live in.
SDN totally changes how we build and control networks, which means it will also completely change network security. For instance, in an SDN world, network security controls don’t have to be inline. The SDN controller can forward certain traffic to the relevant security controls when necessary—no matter where that security control happens to be on the network. This could make mobile security much easier, but it also places much of the network security onus on the SDN controller and proper policy.
Having said all that, our prediction is you won’t have to worry about SDN security next year, or anytime soon! Despite all the hyperbole and excitement from forward-leaning technologists, SDN is quite a ways from primetime adoption. While ISPs and cloud providers might start experimenting with it, the average organization is nowhere near changing its network architecture to support it. Think of it like IPv6. We’ve been predicting IPv6’s arrival for years, and one day everyone will have to start using it, yet most organizations still haven’t adopted it. SDN is the next IPv6, so don’t lose sleep over securing it yet.
Top Five Things To Worry About:
- Nation States Lock ‘n Load for Cyber Cold War: All significant nations have long since started developing their red team and blue team cyber defense and attack capabilities. Between incidents in Estonia and Georgia, Snowden’s revelations, Stuxnet, Regin, and many other incidents, we’ve already learned that nation states are quietly launching espionage campaigns against one another, and even stealing industrial intellectual property.
I expect to see many more nation state cyber espionage incidents next year and suspect we are already in the middle of a cyber cold war, where nation states quietly “demonstrate” their cyber capabilities. While this cyber posturing doesn’t directly affect the average citizen or business, the techniques nation states use are more sophisticated. Whenever these new campaigns surface (and they do), criminal hackers learn quite a bit from them. You should expect the nation state cyber attacks to “raise the tide for all boats” and elevate the complexity of criminal attacks as well.
- Malware Jumps Platforms from Desktop to Mobile Devices – And Bites Hard: More and more malware has been designed to infect multiple systems. Traditionally, we’ve seen small samples of Java attacks and malware that infect both Windows and OS X computers, but an even better combination is malware that jumps from traditional operating systems to mobile platforms, or vice versa. In 2015, WatchGuard expects to see more malware samples like WireLurker, which infects your normal computer before jumping to the mobile devices that you plug into it. These cross-platform malware families could be in a better position to steal banking credentials, especially as more users adopt two-factor authentication with SMS messages to a mobile.
On top of that, attackers will find many new ways to monetize mobile infections, so expect mobile malware to have more teeth in 2015. For instance, after its success on traditional computers, expect to see customized mobile ransomware, designed to make your mobile unusable until you pay up. With the adoption of Apple Pay, we also expect to see more attackers targeting mobile wallets and NFC. You don’t want to skimp on mobile security in 2015.
- Encryption Skyrockets – As Do Government Attempts to Break It: Security pros have always recommended encryption to protect data. However, both users and the industry have historically been slow to adopt encryption on a wide scale—likely due to its complexity and resource expense. That is changing. Between Snowden’s revelations and an increase in breaches, we realize “bad actors” are snooping on our communications, and our privacy is at risk.
As a result, our use of encryption, especially HTTPS, has skyrocketed in 2014 and will continue to grow quickly in 2015. Meanwhile, government actors, like the director of the FBI, are petitioning for ways to break our encryption for “law enforcement use.” As an industry, security pros must do three things: continue to leverage encryption whenever possible; fight for the right to retain private, unbreakable encryption; and make sure to build networks that can support heavy use of encryption without slowing bandwidth and adversely affecting business.
In a related aside, attackers will also leverage encryption more in 2015, to help their attacks evade our detection. While there is no perfect way to defend against custom encryption, you should consider security technologies that can recognize attacks in HTTPS traffic, and can keep up with the new volume of encrypted traffic on our networks.
- Business Verticals Become New Battleground for Targeted Attacks: There’s always been a mild debate between opportunistic and targeted attacks, and whether one or the other poses the bigger threat. One might say opportunistic attacks are more threatening because they affect everyone and happen at a large scale, whereas another points out that targeted attacks tend to be more sophisticated and result in more damaging losses. While both threats pose risk, and can affect everyone, some new trends will tip the balance toward targeted threats next year, while also expanding the affected target base.
Targeted attacks have increased and become more sophisticated largely due to the fact that cyber criminals have matured. They realize writing malware costs something and that they need a return on that investment. They’ve also learned three, sometimes-competing, lessons:
- The more widespread your attack, the quicker it gets detected.
- It’s easier to monetize certain stolen data, so the type of victim matters.
- The more victims you can attack at once, the larger your return on investment.
How does a cyber criminal retain the benefits of a stealthy targeted attack, while still pursuing big victim pools to make lots of money? They do so by targeting business verticals rather than individual organizations. We’ve already seen this begin to happen, with criminals targeting retailers, hotel chains, or game companies as verticals. They’ve even designed custom malware for some verticals (e.g. point-of-sale malware). This trend will continue into 2015, with attackers targeting other verticals, such as financial services and healthcare. You also won’t have to be a Fortune 500 company to become a target. Modern cyber criminals will target businesses of every size, as long as they are part of an interesting, profitable business vertical.
- Understanding Hacker Motives Key to Defending: Information security is a relatively new field and is evolving quickly. Until now, security pros have focused mostly on the “how” and “what” aspects of the cyber threat. For instance, we previously paid most attention to the technical ins and outs of how bad guys attacked our networks, or how their malware mechanically worked, and we created our defenses based on those technical understandings.
However, as our field matures we’re learning how important it is to understand the “who” part of the equation as well. The threat actors menacing us have changed greatly in the past decade. They’ve gone from curious and mischievous kids exploring, to cyber activists pushing a message, to organized criminals stealing billions in digital assets, to nation states launching long-term espionage campaigns. Each of these threat actors has different goals, different tactics, and different targets, and there’s even significant nuance among like groups of threat actors.
As defenders, we’re starting to realize that our adversaries’ motives matter greatly in how we defend ourselves. Few organizations have the resources to defend against every possible threat. However, knowing the motives and tactics of various actors helps us understand which ones threaten our organization the most, and how they prefer to attack. In 2015, smart organizations will use threat intelligence and adversary motive to better customize defenses for the type of threat actor most likely to target their organization. For instance, if you work for a restaurant chain, you’re probably most concerned with organized cyber criminals, and might want to tailor your defenses to the attack techniques and PoS malware used by Russian and Ukrainian cyber gangs.
I hope you’ve enjoyed and learned something from this year’s InfoSec predictions. If you want to learn more, download the infographic or watch my 2015 Security Predictions presentation. — Corey Nachreiner, CISSP (@SecAdept)