The 2014 Cybersecurity Roundup
February 7, 2014
Navigating the Predictions
This post is part of a series that will address predictions and trends in cybersecurity. In this post, I provide thoughts on the deluge of predictions for 2014.
At the end of each year, we experience the familiar flood of cybersecurity predictions and forecasts by vendors, experts, and researchers. Daily newsfeeds include new reports on cyber predictions and anticipated threats. The volume and buzz are overwhelming. Adding to the mix are numerous articles that discuss or summarize findings in these reports. Even for those of us who work in cybersecurity, it’s easy to be confused and discouraged by the varied views. The summary is akin to cyber gloom or an anticipated cyber apocalypse.
Navigating the predictions isn't always easy, but with some work, I often dig up some gold nuggets. For 2014 I found common themes including new exploits and stealthier techniques, expansion of malware and botnets, demand for stronger forms of user authentication, increased need for securing mobile devices, protection of data in the cloud, sophisticated threat actors, and the shortage of cyber professionals.
Here's a slice of the 2014 predictions that were on many of the lists, which I think bear watching.
Internet of Things
Several of these lists identified security concerns for the Internet of Things (IoT). IoT was also a common theme at the recent International Consumer Electronics Show (CES), which showcased Internet-accessible devices that can monitor and control home appliances, thermostats, door locks, and medical equipment. Hackers will take advantage of this much larger attack surface as millions of devices get connected to the Internet. Symantec predicts that IoT will become the "Internet of Vulnerabilities," whereas Lancope noted that the "Internet of Everything" requires the "Security of Everything."
Computer security researchers recently discovered a large botnet of infected Internet-connected home appliances that delivered malicious spam and phishing emails from the devices. Additional articles discuss the challenges associated with IoT, such as the difficulty of patching and updating devices, or devices not designed with appropriate security. I expect articles on IoT security concerns and vulnerabilities to grow in 2014, due to the increased volume of devices that will be connected to the Internet.
Several reports identified threats and vulnerabilities associated with mobile devices, especially with the growing demand for Bring-Your-Own-Device (BYOD). Concerns include potential loss of sensitive data, connecting insecure or infected devices to protected networks, and new threats targeting mobile devices. Particular articles discussed the proliferation of mobile malware, privacy of data, attackers bypassing mobile security defenses, and mobile devices as tracking platforms. No doubt, several vendors made safe bets that mobile device threats and attacks will continue, especially as users increasingly rely on these devices for everyday functions (e.g., mobile banking, connecting to the corporate enterprise, and accessing social media services).
Due to data leaks associated with Edward Snowden, several vendors discussed the risk of trusted insiders and leakage of sensitive data. Several vendors identified the need for encryption, privacy controls, data loss prevention, and detection of privileged user activity that deviates from normal usage patterns. Raytheon predicts that the privileged user will "rise to the top of the cyber-threat pile" in 2014. Keeping data secure and private, while in transit and at rest, will continue to be highlighted in 2014. This includes articles that describe tools that will thwart the observation and collection of data flowing across the Internet (e.g., NSA-Proof Twitter).
Another common theme was the need for stronger user authentication due to documented exploits (e.g., password vulnerabilities and man-in-the-middle attacks). Vendors predict increased adoption of multi-factor authentication services and additional methods, such as biometrics, to authenticate authorized resources. For 2014, I expect to see continued articles on multi-factor authentication services, use of biometrics, and attacks on authentication methods and services (e.g., a trojan program on an infected computer that hijacks a user account). I also predict that we will continue to see periodic articles on the death of passwords.
Several reports described increasing concerns with securing data in the cloud, including the creation of cloud services by cybercriminals. Of particular interest were predictions on next-generation security services for the cloud, such as innovations in virtualization, software-defined networking, identity and access management, and current research on encrypting data in the cloud. The cloud predictions also touched on several topics described above. These include use of multi-factor authentication, loss of sensitive data, ensuring privacy of stored data, and the increasing use of mobile ecosystems for accessing cloud services. Articles on cloud security concerns and threats will continue in 2014, especially as users increasingly access sensitive data stored in the cloud.
Summary and Conclusion
Some points to consider when reading those end-of-year cyber predictions:
- Vendors may identify predictions focused on their products and services, especially for particular threats and attack vectors.
- Predictions may be worded in ways that will always turn out to be true, especially those that reflect sure bets and a familiar threat landscape. One vendor identified predictions where an event or outcome "may" happen.
- It's worth some time to perform a horizontal review of vendor predictions to assess similarities and differences of what to expect in the coming year. Predictions may be broad or more detailed depending on the particular topic area.
- It also might be useful to perform a vertical review of particular vendors to see their predictions over time and whether their predictions turned out to be true. This would result in added insights on the quality of predictions by vendors and whether the predictions could be validated.
One reason I like reviewing these annual predictions is so that I can discuss particular predictions with staff responsible for cyber defense and threat analysis. If particular trends or exploits are on their radar, then we can take it to the next level by understanding the security implications of emerging exploits and identifying related cyber defense strategies to mitigate and reduce risks. Then we’re more likely to be ready for what cyber gloom awaits us in the year ahead.
What's on your list? Feel free to drop me a note.