As 2014 comes to a close, it is time to cast our 2015 IT security predictions and look back at our 2014 predictions to see what we got right, what we got wrong, and what surprised us, writes TK Keanini, CTO of Lancope.
I made three predictions late in 2013 about the evolution of security defenses for 2014. The first was that incident response would finally mature to the level of other first-class business processes. The second was an increase in the implementation and adoption of two-factor authentication, and the third and final prediction was the use of Software Defined Networking (SDN) to defend against the most advanced attacks. I think two of the three predictions were correct, with the SDN prediction being somewhat accurate but not culminating in the full adoption that I had anticipated. Out of necessity, service providers were knee deep in SDN in 2014, but large enterprise adoption is more likely in 2015.
Incidents in 2014 affected everyone. Businesses and individuals alike were scrambling to put together an effective incident response plan because no one was spared from the threats. This was unfortunate but necessary for the adoption of incident response plans, as businesses and humans do not change their behavior until they are impacted at an emotional level. These events in 2014 will drive stronger incident response readiness in 2015, which is great news. However, it will also cause the attackers to innovate as we all continue to co-evolve in this security spiral.
As I predicted, more services online implemented two-factor authentication in 2014, and more two-factor technology vendors have emerged, making implementation, administration and maintenance much simpler. The site https://twofactorauth.org/ tracks the services across many industries that have implemented two-factor authentication, and offers a button for going on Twitter and nagging the services that have yet to implement two-factor. On this site you will also find a list of two-factor authentication providers, which has more than doubled in 2014.
This leaves us with the final problem for two-factor: community adoption. I’ve seen many around me move to two-factor authentication after their accounts online were compromised over and over again. As all of these defensive measures increase, the attackers will be forced to move to other parts of the authentication chain, which we will discuss in our 2015 predictions below.
While the technology for this prediction was ready in 2014, adoption was not. I’m going to count this as a miss as I was just too early. However, the need for the adaptive perimeter is even greater in 2015 as the Internet of Things and a dynamic, BYOD workforce drive the need. Unlike the other two predictions last year, this one will become more obvious in 2015.
In addition to the above three predictions, I had also called out three expected challenges for 2014: Internet of Things security, physical security compromised by 3D printers, and tracking devices. Let us take a closer look at how we did on these. When it comes to Internet of Things security, all one has to do is go sector by sector to see the implications. In 2014, there were vulnerabilities in automobiles, home appliances, and other connected devices that we don’t normally consider a networked device. 3D printers continue to drop in price and users continue to produce amazing and controversial output. This technology on one hand is saving lives, enabling the printing of a perfectly fitted heart valve for an infant, for example. On the other hand, technologists have demonstrated that they can print keys for high-security locks and inexpensive safe-cracking devices, adding a new dimension of vulnerability.
I also predicted a rise in the use of personal tracking devices in 2014. While this prediction did not exactly come to fruition, there are enough apps and features in mobile phones that make tracking a person down very feasible. How many times in 2014 were you asked if an application could use your location information? Much more often than in 2013 I’ll bet, and this trend will only rise, because where you are matters to a lot of people – both good and bad.
While it should not be a surprise that attackers will focus their efforts on infrastructural components because the payoff is so great, no one believes it is reality until made real by an active exploit. When news of the Heartbleed vulnerability broke, my opinion was that we should begin to look at other fundamental technology components and the risks they pose if exploited. This attack was a classic low likelihood but high impact black swan event. The ‘bash’ shell was the next big attack vector on the list with the Shellshock bug, and we will be feeling the impact of this for years since Linux is the primary OS in so many embedded systems that remain unpatched. We need to change the way we assess risks in fundamental software components with better threat modeling. While there will always be surprises, we need to be in a state of readiness that diminishes the payoff to the attacker and ensures the utmost levels of business continuity.
In addition to more of the above, I also expect to see a rise in the following security issues in 2015.
Unlike malware, muleware solicits the participation of the user and offers incentives to play a small role in the attack campaign. Up until this point, cybercriminals have attained their resources by exploiting and compromising devices. But wouldn’t it be more efficient and much more profitable to pay for these resources and turn thousands of would-be victims into part of the attacker’s supply chain? I envision that this new form of muleware will be based on the anonymity of TOR networking, and commerce conducted via cryptocurrency such as Bitcoin. Marketplaces will connect the demand with the supply, and cybercrime will rise to an entirely new level, a level that we are not prepared to defend against.
The good news on this front is that authentication methods are getting stronger and the adoption of two-factor authentication is defeating historical brute-force password attacks. The bad news is that attackers are innovating and finding weaknesses in the re-authentication processes where standards are not widely adopted, and one service provider’s metadata may be used as another service provider’s validation secrets. In 2012 we watched as tech journalist Mat Honan was compromised, costing him the loss of his digital journal. And in 2014, we saw call-forwarding features used to subvert Google’s two-factor authentication. In both cases, the attacker posed as the victim claiming they were locked out of their account. Some systems use a series of questions to re-authenticate, others require you to disclose private information. But it appears that a very persistent and irate customer can almost always get their way, and this is not good when that person is the attacker. In 2015, we will see a rise in this type of reflective re-authentication attack as attackers look for weaknesses along the authentication chain. Authentication systems in general focus on authenticating users, but when that user is in a state of recovery because they have been locked out for some reason, there is just too much flexibility in getting this unauthenticated user back to an operational state, and attackers will continue to defeat these methods until they are stronger.
Ransomware remains profitable, and cyber criminals are always looking for areas to grow their business. To date, victims have mainly been individuals with data from their computers or smartphones being held for ransom. But one industry at great risk here is healthcare. Three factors make it a highly attractive target for ransomware expansion in 2015 — the mandate to move to electronic records, the sensitive nature of healthcare data, and the immaturity of the information security practices that exist in the healthcare industry today. This is a scary notion because we rely so heavily on the availability and accuracy of patient records. The cost of a compromise could range from an inconvenience to loss of life.
Ransomware has mainly been about holding your data captive through encryption, and unless you pay within a window of time – typically 48 hours – your data will be erased and you will not see it again. This would not matter if you had things backed up properly, but that remains a problem for everyone.
Extortionware is an expansion on ransomware whereby unless you pay a certain amount to the attacker, the data will be made public for all to see (or for more targeted disclosure). What if the data contains evidence of infidelity, for example? The list of possible incriminating data goes on and on, but you can see how this differs from ransomware. Much like spear phishing, this attack will be much more targeted, but attackers will yield a higher take per victim, and those victims are less likely to involve law enforcement due to the sensitive nature of the data.
As I stated last year, while all of this is truly frightening, the good news is that security technologies and best practices are constantly improving as well. It is up to all of us to stay on top of the latest attack trends and continuously update our security strategies and arsenals to respond more effectively.