2014 was one of the most significant years on record for cyber-security. It was the year hackers took control of the planet, hacking celebrity iCloud accounts, highlighting injustice, targeting government officials, and stealing millions of credit card details.
It looks like the cyber-security industry is losing the battle and now in danger of losing the war. So what does 2015 hold in store in cyberspace? We asked the people at the coal-face of the industry to provide their predictions of what will happen over the next 12 months.
We need to secure the Internet of Things
Sergio Galindo, general manager of GFI Software says:
At this stage, it's hard to imagine that the growing Internet of Things (IoT) marketplace will suddenly collapse given the insatiable appetite for Internet-connected everything. However, there remain concerns about what could hinder its growth, such as cyber-hacking and a general lack of security as IoT device makers focus on functionality rather than security that could hinder the ability to freely and easily connect. Nonetheless, the market is roaring and I expect that companies involved with the IoT implement workarounds to mitigate security issues – largely after incidents happen – in order to keep alive the enormous market and revenue potential for this industry.
What that does mean is privacy concerns will grow as people will become more aware of just how easy it is to see what's happening inside people's homes and businesses. Weak security in 2015 will play its part in allowing privacy to slowly fade away for everyone. As IoT users share more details it will be critical to find solutions that are trustworthy as well as functional.
The year of revolt
Mark Kraynak and Barry Shteiman from Imperva believe the next 12 months will see a big backlash:
2015 could be the year when merchants in the US revolt against the credit card companies' policy of sticking them with both the liability for fraud and the responsibility for protecting what is essentially unprotectable: credit card numbers that have to be shared in order to be used, and which can be abused simply by knowing what they are. Fallout from such a change could vary widely, but it's possible that we will see the rise of separate infrastructure for secure payments (like ApplePay) or a more secure credit card infrastructure (chip and pin) in the United States.
2015 could also be the year when consumers revolt at the prospect of having to change their credit card numbers so often. This has been the typical response to mega-breaches with lots of issuers cycling cards. While this is ultimately in the consumer's best interest, it's a pain for people to re-sign up for automatic payments, update records with their various business associates and begin anew. Besides resulting in the rise of separate infrastructure for secure payments, could we see a credit card company out-compete their peers based on cardholder security?
Encryption becomes standard
Security experts Sophos believe that while encryption is key, not everyone wants it:
With growing awareness of security and privacy concerns due to revelations of intelligence agency spying and newsworthy data breaches, encryption is becoming more important than ever, though not without controversy. Certain organisations like law enforcement and intelligence agencies are unhappy about the prospect of pervasive encryption under the belief that it may adversely impact safety.
The fragmentation of bigger APT groups
Kaspersky Labs say:
A growing number of smaller threat actors are likely to lead to an increase in companies being targeted. Larger organisations are expected to experience a greater number of attacks from a wider range of sources.
Greg Day, CTO, EMEA, FireEye says:
Mobile ransomware will steal your cloud accounts and encrypt the data: Cryptolocker proved to be an effective and easy method for attackers this year, so expect to see attentions turn to mobile next year, as attackers look to leverage the same strategy to gain access to your phone.
Recommendation: Businesses should consider the value they get from cloud-based data protection services and the privacy implications of letting a third party manage their data.
Mainstream iOS attacks will increase
Kevin Mahaffey, co-founder and CTO at mobile security experts Lookout says:
No computing device is immune from attack; however, some are less frequently targeted than others. While targeted remote access trojans (RATs) and exploits have existed on iOS for years, now that iOS has gained significant market share around the world, criminals have begun targeting it more broadly. For example, the WireLurker malware that was discovered in November monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party or malicious applications onto the device, regardless of whether it is jailbroken. This makes all iOS devices vulnerable, not just those that have been jailbroken. As iOS continues to grow around the world, particularly in emerging markets, we'll likely see more attackers focus their efforts on mainstream iOS users.
Threats will continue to change and become more complex
Rob Lay from Fujitsu says:
One of the biggest challenges that companies face is the ever changing nature of the threats. Threats are constantly evolving, and are becoming in many cases much more targeted. There are a few things that companies can look to do to prepare themselves. They need to look at the threat landscape that is actually facing their business, ensure that they have an ability to respond, and gain better visibility into their operating environments.
Bitcoin, ransomware and malware
Security researchers at Eset say ransomware using bitcoin is only going to get more prevalent:
In line with the previous trend, malware developers will continue putting efforts into online currency and payments systems during 2015. For example, in the largest known operation of its type to date, a hacker reportedly harvested over $600,000 in digital currency earlier this year using a network of compromised machines. Through infected NAS devices the attacker created a folder named "PWNED" where a program calledCPUMiner is stored that can be used to mine Bitcoins and also Dogecoins. Interesting note: this kind of attack creates new money instead of stealing it from compromised users, a brand new way of stealing.
More nation states will start building elite cyber espionage teams
Spam and phishing email protection specialists Cloudmark says:
In the past year we have seen evidence of widespread cyber espionage for military, political, and commercial purposes. The big players in the game are currently the US, UK, China, Russia, and Israel. Regin, Flame, Stuxnet, Sandworm, BlackEnergy, and Hikit are all examples of highly sophisticated malware from these countries. Targets included businesses, activists, and industrial control systems as well as the more traditional military and intelligence targets of state sponsored espionage. It is clear that nation state cyber-espionage teams are working to further the commercial aims of businesses in their country as well as having political goals. However, the barriers to entry in this game are minimal, as is the downside if you get caught.
You don't even have the embarrassment of seeing your spies put on trial in a foreign country like the bad old days of the Cold War. Your spies never leave their desks in Beijing or Cheltenham. All you need is a fast Internet connection and a dozen or so great software engineers. While great software engineers are not that common, they are a lot easier to come by than nuclear scientists, so a nation wishing to increase their threat profile will find it far better to put together a cyber-espionage team than a nuclear weapons program. We expect to see the would-be nuclear powers Iran and North Korea exploring cyber-espionage soon, along with a number of other powers both friendly and unfriendly.
Attackers increase focus on mobile payment systems
Mobile payment systems were the talk of 2014 after Apple stormed ahead with Apple Pay. Cyber-criminals will be looking for flaws in these systems, but the present designs have several positive security features. Expect cyber-criminals to continue abusing traditional credit and debit cards for a significant period of time as they are the easier target for now.