Experts pick the top 5 security threats for 2015

Who could top the Sony hack? Someone will surely try. Experts weigh in on the most likely security exploits for the new year.

Massive, high-profile data breaches pockmarked 2014, culminating in the bizarre events surrounding the hack of Sony Pictures--allegedly by North Korea in retaliation for the politically incorrect stoner comedy The Interview. That's a tough act to follow, but I'm sure 2015 will make an effort. I spoke with security experts to find out what we have to look forward to.

1. IoT: The Insecurity of Things

The Internet of Things has become an inundation of things. Hundreds of innovative, connected devices have emerged to interact with, track, monitor, and simplify just about every area of our lives. But these technologies typically have access to sensitive, personal information, and they also introduce a wide variety of new security issues for attackers to exploit.

2015 may be the year that IoT takes on a new meaning - the Insecurity of Things. "In previous years the Internet of Things was not a big deal," warns Robert Hansen, VP of WhiteHat Labs for WhiteHat Security, "but we're seeing an increasing number of vulnerabilities in internet capable devices, like TVs, home security systems, automation."

2. Sophisticated DDoS Attacks

Denial-of-service attacks are more of an annoyance than anything else. They don't directly steal your information or cause any overt harm--they just flood a site or service with so much traffic that it becomes overwhelmed and legitimate users can't connect to it. As many Xbox and PlayStation gamers learned over the holidays, though, DDoS attacks are becoming more advanced, and have a very real impact.

"In 2014, DDoS attacks became much more sophisticated. Though much of the reporting focused on the size of attacks, a more troubling trend was the advancement in attack techniques," stresses Barry Shteiman, director of security strategy for Imperva. He notes that attackers have evolved beyond simple flooding of traffic, and can now morph and adapt based on the defenses in place on the target network.

3. Social Media Attacks

Mark Bermingham, director of global B2B marketing at Kaspersky Lab, anticipates a rise in social media and waterholing attacks--compromising a website or service commonly used by the target group in an effort to infect one or more of them, and allow the malware to spread from there. Attackers continue to develop new techniques to exploit social networks. As Bermingham puts it, "Security measures can't overcome stolen credentials and click-throughs to dubious links."

Kevin Epstein, VP of advanced security and governance at Proofpoint, agrees that social media attacks are a serious concern for 2015. In a recent blog post, he notes, "In 2015, Proofpoint expects inappropriate or malicious social media content to grow 400 percent as attackers target enterprise social media accounts to perpetrate confidence schemes, distribute malware, and steal customer data." Greater awareness and vigilance are the best defenses.

4. Mobile Malware

Security experts have been banging the drum about the threat of mobile malware for years. The fact that it hasn't yet materialized in a major attack has eroded the credibility of the claims, though, which means many users don't take it seriously and have let their guard down. The sheer volume of mobile devices and the prevalence of new mobile malware threats only increase the likelihood that a major mobile malware attack will happen. Will 2015 finally be the year?

Kaspersky's Bermingham said, "As consumers and businesses shift to using mobile devices for a greater percentage of their daily activities, cybercriminals will place a larger emphasis on targeting these platforms--specifically Android and jail-broken iOS devices. Remote find, lock and wipe aren't enough."

5. Third-party Attacks

Cybercriminals generally take the path of least resistance, and they've learned that contractors and other third-party providers can provide an opening into otherwise-secured corporate networks. Major data breaches at retailers like Target and Home Depot occurred because attackers were able to obtain valid network credentials from trusted, third-party providers, and just walk right in.

This vulnerability extends far beyond corporations, though. Steve Durbin, managing director of the Information Security Forum, stresses that everyone needs to consider who has been entrusted to connect to or access sensitive information, and whether those entities or individuals have appropriate security measures in place.

This list is by no means comprehensive or conclusive. The very nature of innovative exploits means that we may be caught off guard by a completely new attack. And you may not be able to do much, personally, to prevent third-party attacks or DDoS attacks. But you can keep all of your hardware, software and services updated, and employ security controls to defend against attacks. There is no substitute for awareness and common sense.


Stories by Tony Bradley
