Well, 2014 is fast drawing to its end. And that means one thing: the onset of “predictions” season. Just as we’re inclined to look backward in December, at the events that transpired in the previous 11 months, we also look ahead: gazing into the crystal ball to try to predict - and maybe even prepare for - what lies ahead.
This behavior is as common in the security world as anywhere else, which is why December is given to all manner of security “predictions” for the year ahead. Looking at some of them, I’ve noticed a common theme: more of the same.
Reading through lists of 2015 predictions from some noted security experts that have landed in my inbox in recent weeks, the similarities among them are surprising. Most note the obvious: that 2014 will be remembered as the “Year of The Data Breach”™. It started with Target Stores - a hack that broke in Q4 2013, but spilled over into the New Year: sinking Target’s holiday season and costing the company’s CEO his job. But that was just the beginning. As the year rolled on, Target gave way to Michael’s Stores, Home Depot, Staples, DQ, Jimmy John’s and on and on. Just in the last few weeks there have been more: Bebe Stores and - of course - Sony Pictures Entertainment. And those are just the high-profile breaches. The Identity Theft Resource Center notes 744 data breaches in 2014 as of December 16, with more than 81 million records exposed.
2014 data breaches by category, from the Identity Theft Resource Center Data Breach Report
And most expect that pattern to continue. PandaLabs, an anti-malware company, forecasts continued attacks on Point of Sale (PoS) systems - the culprit in the attacks on Target, Home Depot and other retail outfits. Josh Bressers, the team lead for Red Hat Product Security, had the same assessment: predicting even more “major breaches and named incidents” in 2015 than in 2014. “This trend will continue to increase for the foreseeable future,” he wrote. And Vijay Basani, the CEO of EiQ Networks, said that retail attacks will continue at their current pace despite the push to adopt EMV technology in the second half of 2015. Other notable trends of 2014 are also predicted to persist in the New Year: the prevalence of “advanced” and “persistent” attacks, the preference for file-encrypting malware like Cryptolocker, and a continued focus on (criminal) data theft over other kinds of malicious acts like denial of service attacks or defacement.
Of course, simply extending the trend lines you can already see out into the future is the easiest kind of prediction there is - how much of a chance are you taking by saying that things in the future will be pretty much the same as they are today — just different (worse?) in some subtle way? The more interesting question is: are there indications of change now that might meaningfully bend the curve of colossal data breaches and destructive hacks? I think there are.
For one thing: executives at companies across the economy looked hard at what happened at Target et al and have certainly moved data protection up a few notches on their “to do” list. As early as Q2 of 2014, I and others who follow security were hearing references to new “Target budgets” for security spending. That is: what we plan to spend on information security plus whatever we need to spend so that we don’t end up like Target. Most of the security firms I’m talking to - endpoint and otherwise - are having their best Q4 ever. The question for 2015 is: what does your “Sony budget” look like compared to your “Target budget?” My guess is that it’s bigger!
We’re also seeing something of a tipping point on a couple of nagging security issues that have been left unaddressed for too long. They are: the need for more pervasive use of encryption to secure Internet communications, and the need to abandon single-factor authentication (aka “passwords”).
On the first issue, many observers note that the push for end-to-end data encryption was already picking up steam - even before the hack of Sony Pictures Entertainment provided an object lesson in the dangers of leaving sensitive corporate data unencrypted. Companies like Apple and Google are already pushing the idea of end-to-end encryption. Apple introduced strong, hardware-based encryption on its latest iPhone mobile devices - causing consternation among law enforcement. For its part, Google is floating the idea of explicitly warning users about any web site that does not use secure HTTP (HTTPS) to protect web traffic in transit.
On the second issue, the drumbeat of news about the role that targeted spearphishing attacks and credential theft play in many high-profile breaches is pushing companies to look for additional protections for employees who need to access even low-level corporate data and assets. At the end of the day: it’s difficult - if not impossible - to prevent everyone from falling prey to sophisticated social engineering attacks. In fact, just this week there is news that ICANN - the Internet Corporation for Assigned Names and Numbers - was compromised in a targeted phishing attack that harvested user credentials for ICANN employees.
Two-factor authentication that requires an additional “factor” like a mobile device or one-time passcode is already available on consumer services like Gmail, Twitter and Facebook, as well as high value online services like banking and brokerage sites. Counter-intuitively, however, many enterprises have yet to adopt the technology to protect access to their sensitive data. Expect that to change in 2015, as companies finally accept that - when it comes to targeted phishing attacks - they are helpless in the face of hapless users and a sophisticated, well-prepared adversary.
See you in the New Year - when all these predictions will be revealed to be correct! :-)
About Paul Roberts