How did last year's security predictions pan out?
- 14 November, 2014 10:00
Every year, our inboxes get hit with a flood of press releases and announcements with predictions for the next year. Well, we're into November and the predictions for infosec in 2015 have started arriving.
But before we look at what the experts think is in store for 2015, we wanted to take a look at a few of last year's predictions to see how they fared in predicting the events and trends of 2014.
What was big in 2014?
Perhaps the most significant aspect when looking at the infosec scene in 2014 is how some of the fundamental building blocks we've come to rely on are now in question.
Early in the year, we had Heartbleed. Disclosed back in April, this flaw in the SSL/TLS libraries affected about 17% of the servers on the Internet. Although it was patched, the bug had been in the affected OpenSSL libraries for some time.
Before that, Apple was in the news when an SSL vulnerability was identified that had been part of the code in OS X and iOS for about six months. "Go To Fail", as the flaw was called, represented a significant embarrassment for Apple, which has long traded on its reputation for being more secure than many of its competitors.
By the middle of the year, another bug had been exposed in the OpenSSL libraries used by many applications: the CCS Injection Vulnerability. What makes this bug special is that the flaw existed for 15 years before it was found and rectified.
We even had a flaw identified in USB that potentially allows any device you connect to take over your computer. There is no way to protect against BadUSB, and it's possible that even wiping your computer's drives and starting over won't eradicate it, as an infection could be spread into internal devices such as webcams that use USB interfaces.
The era of mega breaches continued, with eBay probably the highest-profile victim. Its breach, which occurred in late February or early March, wasn't disclosed until May.
Not surprisingly, the adversaries we're facing are getting smarter and better resourced. With a flourishing black market in stolen data and other criminal activities such as blackmail and extortion exerted over the Internet, we're seeing more mega data breaches. Home Depot in the US, Adobe, several banks and other targets all had massive numbers of data records stolen.
In short, it's been a busy year for information security professionals.
Who saw it coming?
Many security analysts predicted that mobile devices would be a significant attack platform in 2014. While it's true that the amount of Android malware has continued to climb and the recent WireLurker flaw was an issue for iOS devices, we haven’t seen or heard of a major breach or attack that used mobile devices as the attack vector.
Several of the reports we reviewed predicted mobile security to be a significant issue. And while it remains an important layer of any well-developed security policy and associated procedures, we haven't seen a broad and damaging mobile-based attack. The Infosec Institute and McAfee both noted that the market for mobile security tools would grow, which is true.
Of the reports we reviewed, not a single analyst picked that flaws in previously trusted software would be an issue. This highlights the level of trust we have for what has previously been trusted. Some reports did, however, get close.
The Websense report noted, "Cybercriminals will target the weakest links in the 'data-exchange chain'". Perhaps the biggest lesson from Heartbleed is that we can no longer trust something just because it hasn’t been exploited yet.
In late 2013, the Target hack, which resulted in at least 70 million customer data records being stolen, was big news. WatchGuard and others predicted that more attacks in which the chain of trust was breached would occur. That doesn't seem to have been the case, although the eBay breach was executed by breaking into the privileged access accounts of some system administrators. While WatchGuard's prediction focussed on partners and contractors, the general gist that trusted parties are a point of vulnerability holds true.
What does this mean for 2015?
Many predictions about the future are based on an extrapolation from the past. In many cases that is a valid approach.
Our expectation for 2015 is that security analytics, which was big news at security events we attended, will increase in importance due to the unpredictability of the threat landscape.
Although there will be new attack vectors and threat actors, their activity can be discovered by recognising activity that falls outside the known "normal". We expect enterprises to invest more in understanding their own environments in order to recognise when they are under attack.
Resources will also be focussed on a more detailed security posture. For the last couple of years we've been seeing the network perimeter change and, in some cases, almost disintegrate. Businesses will continue to look for partners and tools that help them identify the key risk areas in their business and target their security efforts accordingly.
When looking at the predictions for 2015, we'd suggest looking at the big picture. It's highly unlikely that someone will predict a specific flaw or exploit unless they have inside knowledge. But by reviewing a broad number of reports and predictions from respected sources, you should be able to identify the main trends so you can focus your attention.
This article is brought to you by Enex TestLab, content directors for CSO Australia.