Cyber risks for 2015
Tim Keanini looks back on security in 2014 and ahead to the cyber risks for business in 2015.
Now that 2014 has come to a close, it is time to make some security predictions for 2015 and look back at last year to see what we got right, what we got wrong, and what surprised us.
I made three predictions late in 2013 about the evolution of security defences for 2014.
- The first was that incident response would finally mature to the level of other first-class business processes.
- The second was an increase in the implementation and adoption of two-factor authentication, and
- The third was the use of software-defined networking (SDN) to defend against the most advanced attacks.
I think two of the three predictions were correct, with the SDN prediction being somewhat accurate but not culminating in the full adoption I had anticipated. Out of necessity, service providers were knee deep in SDN in 2014, but large enterprise adoption is more likely in 2015.
Incident response finally matures to a business process
Incidents in 2014 affected everyone. Businesses and individuals alike were scrambling to put together an effective incident response plan because no-one was spared from the threats. This was unfortunate but necessary for the adoption of plans, as businesses and humans do not change their behaviour until there is an impact on them at an emotional level. These events in 2014 will drive stronger incident response readiness in 2015, which is great news. However, it will also cause the attackers to innovate as we continue to co-evolve in this security spiral.
Increase in two-factor authentication
As I predicted, more services online implemented two-factor authentication in 2014, and more two-factor technology vendors have emerged, making implementation, administration and maintenance much simpler. The site Two Factor Auth tracks the services across many industries that have implemented two-factor authentication, and offers a button for going on Twitter and nagging the services that have yet to implement it. On this site you will also find a list of two-factor authentication providers, which has more than doubled in 2014.
This leaves us with the final problem for two-factor: community adoption.
I've seen many folks around me move to two-factor authentication after their accounts online were compromised over and over again. As all of these defensive measures increase, the attackers will be forced to move to other parts of the authentication chain, which we will discuss in our 2015 predictions below.
Software-defined networking (SDN) and the adaptive perimeter
While the technology for this prediction was ready in 2014, adoption was not. I'm going to count this as a miss as I was just too early. However, the need for the adaptive perimeter is even greater in 2015 as the Internet of Things and a dynamic, bring your own device (BYOD) workforce drive the need. Unlike the other two predictions last year, this one will become more obvious in 2015.
2014 security challenges - Internet of Things, 3D printers, tracking devices
In addition to the above three predictions, I called out three expected challenges for 2014: Internet of Things (IoT) security, physical security compromised by 3D printers, and tracking devices. Let us take a closer look at how we did on these.
When it comes to IoT security, all one has to do is go sector by sector to see the implications. In 2014 there were vulnerabilities in cars, home appliances and other connected devices that we do not normally think of as networked devices, and that are rarely patched once shipped.
Users continue to produce amazing and controversial output with 3D printers. While this technology is saving lives (a perfectly fitting heart valve printed for an infant, for example), technologists have also demonstrated that they can print keys for high-security locks and inexpensive safe-cracking devices, adding a new dimension to physical-security risk.
I also predicted a rise in the use of personal tracking devices in 2014. While this did not exactly come to fruition, there are enough apps and features in mobile phones that make tracking a person down very feasible. How many times in 2014 were you asked if an application could use your location information? Much more often than in 2013 I'll bet, and this trend will only rise, because where you are matters to a lot of people - both good and bad.
2014 Security surprises
While it should not be a surprise that attackers focus their efforts on infrastructural components, because the payoff is so great, no one believes it is reality until an active exploit makes it so. When news of the Heartbleed vulnerability in OpenSSL broke, my opinion was that we should look at other fundamental technology components and the risks they pose if exploited. Heartbleed was a classic low-likelihood, high-impact event. The bash shell was the next big attack vector on the list with the Shellshock bug, and we will be feeling the impact of this for years, since Linux is the primary OS in so many embedded systems that remain unpatched. One caveat: many embedded Linux builds ship BusyBox's ash rather than bash as /bin/sh, so the exposure is concentrated in devices that actually run bash, in particular those that reach it through CGI or other network-facing scripts.
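The two checks a practitioner wants for the Shellshock point above, as an added example that is not part of the original article: is /bin/sh on this host even bash, and does the bash that is present still import function definitions from the environment (the original CVE-2014-6271 behaviour)? The probe exports a variable whose value is a function body followed by a trailing command; an unpatched bash runs the trailing command while importing the environment, a patched one does not. Function names are my own; the follow-on parser bugs fixed after the first patch are not probed here.

```shell
#!/bin/sh
# Added example, not from the article. Two portable checks:
#   sh_flavour       - what /bin/sh actually resolves to (bash, dash, busybox, ...)
#   shellshock_check - does a given bash execute code smuggled in an env var?
# Function names are assumptions chosen for this example.

# Print the basename of the binary that `sh` resolves to. Embedded systems
# commonly use BusyBox ash, which never imported functions from the
# environment, so a non-bash result here means the original bug does not apply
# to scripts run via /bin/sh (bash may still be installed separately).
sh_flavour() {
    target=$(readlink -f "$(command -v sh)" 2>/dev/null) || target=unknown
    [ -n "$target" ] || target=unknown
    basename "$target"
}

# Run the classic CVE-2014-6271 probe against a bash binary (default: the
# first `bash` on PATH). The variable x holds a function definition followed by
# `echo VULNERABLE`; a vulnerable bash prints that while importing x, before
# running the harmless `echo probe` we actually asked for.
# Prints exactly one of: vulnerable | patched | no-bash
shellshock_check() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Stand-alone usage: report both facts for this host.
echo "/bin/sh resolves to: $(sh_flavour)"
echo "bash Shellshock (CVE-2014-6271) status: $(shellshock_check)"
```

Run it on the device itself rather than from a management host: the point is to learn what the device's own shell does. A "patched" result only covers the first Shellshock bug; the follow-on parser issues that were fixed in later bash releases need their own probes or a version check.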
We need to change the way we assess risks in fundamental software components with better threat modelling. While there will always be surprises, we need to be in a state of readiness that diminishes the payoff to the attacker and ensures the utmost levels of business continuity.
2015 Security predictions
In addition to more of the above, I also expect to see a rise in the following security issues in 2015:
Muleware
Unlike malware, muleware solicits the participation of the user and offers incentives to play a small role in the attack campaign. Until now, cybercriminals have obtained their resources by exploiting and compromising devices. But wouldn't it be more efficient and much more profitable to pay for these resources and turn thousands of would-be victims into part of the attacker's supply chain? I envision that this new form of muleware will rely on the anonymity of Tor, with commerce conducted via a cryptocurrency such as Bitcoin.
Marketplaces will connect the demand with the supply, and cybercrime will rise to an entirely new level, a level that we are not prepared to defend against.
Reflective re-authentication attacks
The good news is that authentication methods are getting stronger, and the adoption of two-factor authentication is defeating historical brute-force password attacks. The bad news is that attackers are innovating and finding weaknesses in the re-authentication and account-recovery processes, where standards are not widely adopted and one service provider's metadata (the last digits of a card number, a billing address) may be used as another provider's validation secret.
In 2012 we watched as tech journalist Mat Honan was compromised, costing him much of his digital life. And in 2014, we saw carrier call-forwarding features used to subvert Google's phone-based two-factor authentication. In both cases, the attacker posed as the victim and claimed to be locked out of the account.
Some systems use a series of questions to re-authenticate, others require you to disclose private information. But it appears that a very persistent and irate customer can almost always get their way, and that is not good when the customer is the attacker.
In 2015 we will see a rise in this type of reflective re-authentication attack, in which the attacker turns the recovery path against the account it is meant to protect, as attackers look for weaknesses along the whole authentication chain.
Authentication systems focus on authenticating users, but when a user is in a state of recovery because they have been locked out for some reason, there is too much flexibility in getting this unauthenticated user back to an operational state. Attackers will continue to defeat these recovery methods until they are as strong as the primary login.
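To make the recovery-path argument concrete, here is an added example (my own code, not from the article or any vendor) that puts a weak and a hardened account-recovery flow side by side. The weak flow verifies the caller with facts another provider may display on an account page, so a caller who has harvested those facts elsewhere passes; this is the pattern behind the Honan case. The hardened flow only accepts a pre-registered one-time recovery code, stores a hash of it, compares in constant time, counts failures and locks recovery after a small budget. All class names, field names and sample data are hypothetical.

```python
"""Added example: weak knowledge-based recovery vs. hardened one-time-code recovery.
Not the article's code; every name and data value here is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    last4: str          # last four digits of a payment card on file
    postcode: str       # billing postcode
    recovery_code_hashes: set = field(default_factory=set)
    failed_recovery_attempts: int = 0
    locked: bool = False


class WeakRecovery:
    """Knowledge-based recovery. Anything an attacker can harvest from another
    provider's account page (card digits, address) is treated as a secret."""

    def recover(self, acct: Account, claimed_last4: str, claimed_postcode: str) -> bool:
        return claimed_last4 == acct.last4 and claimed_postcode == acct.postcode


def _hash_code(code: str) -> str:
    # Codes are random and long enough that an unsalted hash is acceptable here;
    # a real deployment would use a keyed hash so a database leak is not an oracle.
    return hashlib.sha256(code.encode()).hexdigest()


class HardenedRecovery:
    """Recovery bound to a secret the user was given at enrollment, not to
    facts about the user. Codes are single-use and attempts are budgeted."""

    MAX_ATTEMPTS = 5

    def enroll(self, acct: Account, count: int = 8) -> list:
        # 64-bit random codes, shown to the user once; only hashes are stored.
        codes = [secrets.token_hex(8) for _ in range(count)]
        acct.recovery_code_hashes = {_hash_code(c) for c in codes}
        acct.failed_recovery_attempts = 0
        acct.locked = False
        return codes

    def recover(self, acct: Account, presented: str) -> bool:
        if acct.locked:
            return False
        digest = _hash_code(presented)
        match = None
        # Constant-time compare against every stored hash, without breaking on
        # the first hit, so timing does not reveal which slot matched.
        for stored in acct.recovery_code_hashes:
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            acct.failed_recovery_attempts += 1
            if acct.failed_recovery_attempts >= self.MAX_ATTEMPTS:
                acct.locked = True   # recovery now needs an out-of-band, human-reviewed path
            return False
        acct.recovery_code_hashes.discard(match)   # one-time use
        acct.failed_recovery_attempts = 0
        return True


def demo() -> dict:
    """Run the same harvested-metadata attacker against both flows."""
    acct = Account("alice", last4="4242", postcode="90210")
    # Constructed attacker knowledge: scraped from a different provider's page.
    harvested = {"last4": "4242", "postcode": "90210"}

    weak_ok = WeakRecovery().recover(acct, harvested["last4"], harvested["postcode"])

    hard = HardenedRecovery()
    hard.enroll(acct)
    guesses = [harvested["last4"] + harvested["postcode"], "password", "0000000000",
               "1234567890", "letmein12345", "qwerty1234"]
    hard_ok = any(hard.recover(acct, g) for g in guesses)

    return {
        "weak_attacker_succeeds": weak_ok,
        "hardened_attacker_succeeds": hard_ok,
        "hardened_locked_after_attempts": acct.locked,
    }


if __name__ == "__main__":
    print(demo())
```

The lockout is deliberately a trade-off: it stops the "persistent and irate customer" from guessing indefinitely, but it also means a legitimate owner who loses their codes has to go through a slower, reviewed path, and the owner should be notified on existing sessions when recovery is attempted at all.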
Ransomware moves into healthcare
Ransomware remains profitable, and cybercriminals are always looking for areas to grow their business. To date, victims have mainly been individuals, with data from their computers or smartphones being held for ransom.
One industry at great risk here is healthcare. Three factors make it a highly attractive target for ransomware expansion in 2015 - the mandate to move to electronic records, the sensitive nature of healthcare data, and the immaturity of its information security practices. This is a scary notion because we rely so heavily on the availability and accuracy of patient records. The cost of a compromise could range from an inconvenience to loss of life.
Ransomware has mainly been about holding your data captive through encryption: unless you pay within a window of time, typically 48 hours, the attacker destroys the decryption key and you will not see the data again. This would not matter if you had things backed up properly, and restores tested, but that remains a problem for everyone.
Extortionware
Extortionware is an expansion of ransomware whereby, unless you pay a certain amount to the attacker, the data will be made public for all to see (or disclosed to a more targeted audience).
What if the data contains evidence of infidelity, for example? The list of possible incriminating data goes on and on, but you can see how this differs from ransomware. Much like spear phishing, this attack will be much more targeted, but attackers will yield a higher take per victim, and those victims are less likely to involve law enforcement due to the sensitive nature of the data.
While all of this is truly frightening, the good news is that security technologies and best practices are constantly improving as well. It is up to all of us to stay on top of the latest attack trends and continuously update our security strategies and arsenals to respond more effectively.