What lies in wait: security threats in 2015
2015 is the thirtieth anniversary of two significant cybersecurity publications: The Hacker's Handbook in the UK, and Phrack Magazine in the US. Both were considered seminal publications in cybersecurity, providing detailed instructions for penetrating and manipulating computer systems when the first edition of Microsoft Windows was only just rolling off the shelves.
Since then, the computing world has expanded beyond all recognition, and the cyberthreat landscape has changed with it. We asked several cybersecurity experts what they thought the critical cybersecurity trends would be in the coming year.
1. Enterprise extortion attacks will rise
2014 was bookended by a big, nasty attack on Sony. The firm was hacked and threatened with data exposure if demands were not met. Expect more of the same in 2015, warns Jason Wood, a principal security consultant at cybersecurity consulting firm Secure Ideas.
Consumers have endured ransomware attacks for years, in which attackers blackmail them to get their maliciously encrypted data back. Prepare to see enterprise-scale extortion attacks on the rise, warns Wood.
“Destruction of resources on a large scale has happened a few times now, and may become a more frequent issue. Bad guys may actually be able to get some money out of holding an organization's data and systems hostage.”
2. Two-factor authentication (2FA) will become mainstream
The era of passwords isn’t dead, but alternative mechanisms will hit the mainstream in 2015, experts suggest. “We have to see a shift away from passwords. You just have to look at LinkedIn and the compromise that happened,” warns Jamal Elmellas, technical director of IT security consulting firm Auriga, referring to a massive 2012 data breach in which 6.5 million stolen LinkedIn passwords were posted online.
Poor password management meant that at least 60% of the hashed passwords were cracked in days. “Someone accesses a database somewhere, and encryption and hashing is weak. Someone gains access to lots of passwords, and guess what? We’re all human beings, and we all use the same passwords.”
There are alternatives emerging, argues John Pescatore, director of emerging security trends at the SANS Institute. Until now, users have hated anything other than reusable passwords, he explains.
“That’s reached the tipping point, where people are saying ‘rather than having to change my credit card numbers all over again, I’m willing to sign up for Google Authentication, where it sends me a text message’,” he says.
This is already finding its way into consumer applications, and now he thinks that it will find its way into the enterprise, too. At a recent SANS healthcare security summit, several healthcare firms announced trials of two-step verification via phones.
3. M2M will become an attack vector
It isn’t just passwords and data that will be compromised, warns Dr Aditya Sood, author of Targeted Cyber Attacks. Stand by for the Internet’s connected sensors to become major attack vectors, too.
“Hot targets will include the abuse and exploitation of Internet-of-Things (IoT) to launch attacks through digital appliances or gadgets,” he says, arguing that this will make it harder to gather useful data for analysis and attribution.
Supervisory control and data acquisition (SCADA) systems will also be high-value targets, due to the critical operations that they represent, warns Sood. Just recently, Admiral Michael Rogers of US Cyber Command and director of the National Security Agency said a handful of countries have the capability to mount cyberattacks to shut down part of the electrical grid in the US.
4. Software will need to be verified
We can expect to see a greater focus on finding vulnerabilities in widely-used software, and the provability of software security will become more urgent, experts suggested.
2014 saw Heartbleed and Shellshock, a devastating collection of bugs in widely-used open source software that underpinned much of the Internet. Sood said that attackers will spend 2015 targeting critical software that is deployed at large scale in various places on the Internet. “This will be a trend, because detecting a security issue in critical software will have a mass impact on the Internet,” he said.
This and other factors will lead to the fleshing out of security verifications for software in the coming year. With companies suspecting backdoors in software and firmware, we can expect to see more pressure on verifying software as loophole-free.
“One trend that we’ll see is that all software vendors will start having to prove why someone should trust their software, and why it doesn’t have back doors built in. This is already happening,” Pescatore asserts. For example, Chinese software vendor NSFocus contracted Veracode, which checks third-party applications for vulnerabilities, to prove that its software was safe.
5. Mobile hacking will be a target
Watch out for smartphone botnets that will be almost entirely Android-based, warns Sood. “Botnets will be developed or resurfaced both for mobile devices and standard computed systems,” he says. “Android mobile devices will be a favorite attack target for the attackers next year because of ease of exploitation and exfiltration of data.”
Another mobile target will be mobile connectivity devices, warns Pescatore. Mobile wireless access points designed to connect several Wi-Fi-enabled devices to mobile networks will become a critical attack vector in 2015, he suggests, as they become tools for people to circumvent enterprise firewalls.
“People can get around URL filters that block them from doing certain things, so now, all of a sudden you have a rogue Wi-Fi access point that doesn’t even exit through the firewall,” he says. “The scenario I’m really worried about is some cloud datacenter admin who says ‘if I leave my Mi-Fi adaptor in the datacenter then I could administer my server remotely over the weekend’.”
How best to protect against all of these threats? As always, a healthy combination of end-user education, up-to-date technology, and proper security processes will provide a layered defense. Adopting security at the heart of organizational processes, rather than as an afterthought, is even more important. Cyberprotection has to become part of an organization’s DNA, rather than merely a cosmetic addition.