From banking hacks and malicious mobile apps to insider leaks, 2014 promises to be an interesting but challenging year for CISOs. Here, SCMagazineUK.com looks at the issues coming into view.
1. Insider threat isn't going away
Former CIA contractor Edward Snowden may be holed up in Russia but his influence over the IT security sector is still tangible, casting a shadow over 2014.
That's especially true in the corporate world, with large organisations fearful that their own employees could readily leak data to unauthorised, outside sources.
"Companies should know who they are giving their data to and how it is being protected," said Tim Ryan, managing director and cyber investigations practice leader at US-based risk mitigation and response firm Kroll. "This requires technical, procedural and legal reviews."
Ryan suggests that the “insider threat” is still very real and believes that there may be others like Snowden across a range of organisations.
“There's a tremendous amount of data compromised today where the act is never discovered or disclosed.
"People discount the insider threat because it doesn't make the news. The insider threat is insidious and complex. Thwarting it requires collaboration by general counsel, information security, and human resources."
Malcolm Marshall, UK and global leader of the KPMG Information Protection and Business Resilience team, added that the insider threat could, however, boost Internet privacy.
“Snowden's revelations have triggered a privacy debate which will continue to rage in 2014,” Marshall told SCMagazineUK.com. “Expect more disclosures, more calls for greater transparency over government actions, and more efforts by the Internet giants to persuade customers that their data is secure.”
2. Cyber attacks, including government-sponsored, continue; education and standards prioritised
Nation states are stepping up their cyber efforts all over the world, for both offensive and defensive purposes. As one example, North Korea reportedly spent some £470 million on a wave of cyber attacks against South Korea between March and June 2013.
2014 will see a continuation of these kinds of efforts, especially with companies and governments increasingly understanding the full repercussions of a cyber attack. Some will even reportedly carry out state-sponsored attacks.
“Within the next couple of years, we will experience an increasing number of cyber attacks resulting in militaristic and economic damage,” said Jarno Limnell, director of cyber security at Stonesoft, when speaking to SCMagazineUK.com.
“As states compete to become credible world players we can expect to see further announcements by various states regarding their offensive and defensive strategies. Cyber is the new battlefield, and the fifth element of warfare. As such, it's likely that future conflicts will involve cyber battles and because of this, states will be - and already are - pouring a huge range of resources into developing defence and offence capabilities for cyber war.”
Limnell added that cyber security education will come into focus in 2014, while KPMG's John Marshall believes that the cyber security threat will see the introduction of voluntary compliance.
“As governments worry about the scale of the cyber security threat, we can expect to see more national standards emerge, and greater pressure for ‘voluntary’ compliance,” he said.
“The US NIST cyber security framework and the UK government's ‘kitemark’ are just two examples. On the back of emerging standards we will see the cyber insurance market develop and begin to provide market incentives for compliance, whether that is a willingness to insure or reduce premiums. Non-compliance will also lead to a legal debate over liability for incidents.”
3. Enterprises deploy faster response and recovery solutions
Kroll managing director and Cyber Investigations practice leader Tim Ryan says that companies will look for technology solutions that enable them to react to issues faster than ever before in 2014.
"We've seen a dramatic improvement in response technology over the last year," says Ryan. "Companies have never had a better opportunity to enhance their existing protocols with a methodology that can mean an informed and timely response."
"Companies will gain a better understanding of their actual breach risks, how the breach could actually affect their customers, and the best way to remedy those specific risks and provide better protection to affected customers," he adds.
4. 'Social' the new frontier for cyber crime
Cyber criminals will increasingly attack social platforms in 2014.
“We predict many of the cyber crime tactics that are successful when targeting social networking users will be applied in new, innovative ways within professional social networks,” reads a forecast report from Websense. Indeed, other studies suggest that cyber attacks will become so frequent that consumers will face “data breach fatigue”, meaning they'll be less likely to protect themselves.
Websense cited one example of a fake LinkedIn user pinpointing users for an upcoming phishing campaign, and said that attackers lure in execs by sending messages with innocuous titles like “Invitation to connect on LinkedIn” and “Dear customer”.
5. DDoS attacks get even bigger but botnets stick around
Distributed denial of service (DDoS) attacks were a big deal in 2013 and could be even more prominent in 2014 – NASDAQ temporarily went down as a result of an attack in August, while Dutch web hosting company CyberBunker caused a global disruption of the World Wide Web with a massive DDoS attack of its own.
If that wasn't bad enough, one study from Corero reveals that most organisations lack an appropriate DDoS response plan, and security experts now warn that the severity of these attacks could get worse over the next 12 months.
“One thing that I have noticed over the past year is that almost all successful DDoS attacks have had massive traffic volumes associated with them,” Joakim Sundberg, security solution architect at F5 Networks, told SCMagazineUK.com. “However, these attacks have not been very smart and volumetric scrubbing, combined with access control, has, in most cases, solved the problems. Volume, as an attack vector itself, will become less relevant as time goes on.
“Instead, I see two main themes emerging. Firstly, over the next 12 months I believe we will see hackers developing more intelligent tools that are capable of adapting to and using the weaknesses in the protection systems of specific targets. Secondly, we will start to see underground organisations refining the user credentials stolen from platforms like Facebook, Gmail and Twitter. There is a huge opportunity for hackers to use stolen passwords in their attacks provided they can be put in the right context.”
“These smarter, more targeted DDoS attacks which leverage context and refined user credentials for specific DDoS campaigns will be a lot more commonplace in 2014.”
Sophos global head of security research James Lyne believes that botnets still find favour with cyber criminals.
“I know we're talking about stealthier APTs but that doesn't eradicate the threat of the old botnet adversary,” he told SCMagazineUK.com, before adding that the ensuing visibility of ZeroAccess, botnet payloads and other botnets that can do everything from mining bitcoins to credit card fraud is something that needs monitoring.
“In the middle of 2013, there was a dip in ZeroAccess botnets, after a sinkhole traffic effort across the whole industry,” said Lyne. “But after a short period of time the attacks were stronger than before the action was taken.”
Lyne says that hackers are now “squaring up” to businesses, something he puts down to greater skills and more tools.
“They've designed their infrastructure to make [their botnet] immune from sinkhole attacks and moved around the static [security] infrastructure.
“The average cyber criminal has upped their skill level or gained access to new and better tools. In 2014, there will be more players, more competition and more innovation. The quality [of attacks] is going to increase.”
6. Android to see a malware explosion
Google's Android is a constant security concern, but Lyne thinks that the threats will get worse in 2014.
“In 2013, we've seen a set of cyber trends that are now beginning to take off,” Lyne told SCMagazineUK.com. “There are now more malware attacks, and they're actually challenging to deal with.”
“Now, apps are encrypted to command and control (C&C) as used in the PC world and detection is more difficult. That's actually starting now.”
Lyne urged businesses to put employees on “awareness training” and to employ basic configuration to enforce encryption and restrict downloads to trusted app stores. He added that firms should have a “good hard look” at anti-malware and anti-virus solutions.
7. Internet of Things extends threats to 'dumb' platforms
The Internet of Things is a hot new term describing how devices are interconnected via the internet, but its security will be under the microscope in 2014.
“You can expect dumb things will get smarter in 2014,” writes Symantec researcher Kevin Haley.
“With millions of devices connected to the Internet—and in many cases running an embedded operating system—in 2014, they will become a magnet for hackers. Security researchers have already demonstrated attacks against smart televisions, medical equipment and security cameras. Already we've seen baby monitors attacked and traffic was shut down on a major tunnel in Israel, reportedly due to hackers accessing computer systems via a security camera system.”
“Major software vendors have figured out how to notify customers and get patches for vulnerabilities to them. The companies building gadgets that connect to the Internet don't even realise they have an oncoming security problem.”
He added that these systems are not just vulnerable to attacks, but also have little way of notifying consumers and businesses when vulnerabilities are discovered.
8. Consumer products penetrate the perimeter, boost demand for security protection
The increasing deluge of smartphones, tablets and other devices into businesses may be improving employee productivity, but it represents a very real – and growing – security risk.
“The security perimeter is a more penetrable boundary and cyber criminals can take advantage of multiple attack vectors to gain access to a company's network,” said Sam Maccherola, VP of sales and general manager for EMEA at Guidance Software, in an interview with SCMagazineUK.com.
“These points of vulnerability - mobile devices, USB drives and Bluetooth speakers - will multiply through next year, making it difficult for organisations to keep track of all the different entry points.
“Just as cybercriminals will exploit the increasing consumerisation of IT, as part of the fight back we're likely to see organisations focused on the extension of security protection to non-corporate owned devices to shore up their defences.”
“We will see an increased volume of malware targeting hardware with cybercriminals attacking beneath the operating system. The entry route to infect the network could be mobile devices as cybercriminals use smart phones or USB devices to gain access to PCs via Wi-Fi.”
Banks continue to be susceptible to advanced persistent threats (APTs), as well as Man-in-the-Middle attacks which make two-step verification measures inadequate.
9. Regional clouds proliferate
Perhaps unsurprisingly in light of the National Security Agency (NSA) tapping data centres and cloud storage providers in the US, security analysts foresee the rise of regional cloud centres.
Writing for Microsoft's official blog, Trustworthy Computing director Jeff Jones said that this represents an opportunity for vendors.
“In the wake of heightened concerns about unauthorised access to data, we will see the emergence and broad promotion of regional cloud service offerings,” wrote Jones.
“The increased sensitivity to both legal data access and intelligence monitoring will be seen as a market opportunity that will be actioned in two ways – start-ups and existing providers.
“Regional start-ups will see a new opportunity to compete against global providers, while existing providers will develop and offer services delivered from regionally-based data centres in an effort to allay concerns and provide increased customer choice.”
10. Criminals prey on Windows XP vulnerabilities
Microsoft is dropping support for Windows XP in April 2014, and that means no more patches and probably a lot more cyber attacks.
“Once Microsoft halts support of [Windows] XP, companies running the OS will not only be faced with huge custom support costs, but will also expand their attack vector, becoming potential targets for new malware and vulnerabilities targeting unpatched systems,” blogged Avecto's Andrew Avenessian.
“The coming end of support for Windows XP combined with Java 6 (which is already out of support) and the issue of how broadly these legacy platforms are deployed means we are likely looking at the largest number of un-patched and attackable vulnerabilities in history,” wrote Trend Micro's Christopher Budd in a blog post, adding that 20 percent of PCs still run the dated operating system. Just as concerning, most ATMs have yet to transition away from XP.
“If that doesn't describe a perfect storm, I don't know what does,” concludes Budd.