It’s a sad fact that for every positive story reported in the infosec industry, the bad guys are giving journalists plenty more to write about. But that trend is true of most sectors, especially those which are concerned in large part with crime.
The difference where security is concerned is the sheer volume of incidents that demonstrate not just a persistent problem, but an escalating one.
Research from Akamai on Q3 2014 demonstrated a 22% increase in DDoS attacks compared with the corresponding period last year. Software vulnerabilities, a Secunia report suggests, have increased by around 40% this year. Phone scams in the UK are also on the rise, and reports of data breaches arrive almost daily, with the sucker-punch on Sony just the latest.
It is against this concerning backdrop that many security analysts are casting their predictions for the year ahead. Following on from our feature detailing the problems encountered this year that show no sign of abating in 2015, this second instalment in Infosecurity’s predictions series looks at what industry experts consider will be the escalating and emerging threats in the next 12 months.
Upping the Ante
Crime perpetrated either online or against computer systems is a growing problem, and an increasingly desirable route for criminals to do harm. Organized cybercrime, correspondingly, is growing, according to Guidance Software’s director of security, Anthony DiBello: “There's more money funding those that commit cybercrimes. These are large groups working together to create sophisticated, targeted attacks attempting to bring down the enterprise.” He adds that, “In the coming year, we predict more widespread use by cyber-criminals of the Tor IP 2 networks, as a means to hide their methods and to recruit others.”
“In the coming year, we predict more widespread use by cyber-criminals of the Tor IP 2 networks”Anthony DiBello, director of security, Guidance Software
The increasing sophistication of these groups is another major cause for concern. Commentators from Neohapsis predict that, in 2015, “Attackers and defenders will repurpose each other’s tools and techniques for their own benefit. Advanced attackers will infect the very systems employed to protect us.”
Denial of service (DoS) attacks, meanwhile, will continue to escalate, argues Arbor Networks’ director of solutions architects, Darren Anstee: “The storm of reflection amplification DDoS attacks is unlikely to abate in 2015. Attackers this year utilized NTP, and then moved on to SSDP to reflect and amplify their attack traffic. There are plenty candidate protocols and, unfortunately, plenty of latent capabilities within the internet for attackers to exploit.”
E Pluribus Unum
Individual, enterprise or state? Which presents the greatest opportunity for attackers to profit? Answering that question seems to be of diminishing importance, because, industry insiders comment, all three will be targeted on an ever-greater scale in 2015.
“Expect to see more cyber-espionage incidents next year,” comments Corey Nachreiner, WatchGuard’s director of security strategy and research, “and hear public perception swaying toward an already-occurring cyber cold war where nation states ‘demonstrate’ cyber capabilities.”
Regarding attacks on individuals, F5 Networks predict that identity theft will “[go] viral]”, pinpointing South-East Asia as a major target: “More people are routinely sharing data loosely with more organizations than ever. Promiscuous sharing of personal information is putting identity data at greater risk than ever, and in some cases offering fraudsters an almost open door.”
“Promiscuous sharing of personal information is putting identity data at greater risk than ever”F5 Networks
It is becoming clichéd to refer to personal data as ‘the new oil’ or ‘the new gold’, but it’s a sentiment that rings true. Varonis VP David Gibson comments that “The vast amount of data being collected on people is increasingly being pieced together into a frighteningly complete picture. This threatens not only individuals but government organizations, corporations and their business partners.”
Cybercrime’s Rude Health
Among the most ‘frightening’ predictions about data misuse relates to growing concerns about how healthcare information could be harvested by criminals. Websense Security Labs comments that, “Healthcare records hold a treasure trove of personally identifiable information that can be used in a multitude of attacks. In an environment still transitioning millions of patient records from paper to digital form, many organizations are playing catch-up when it comes to protecting personal data. As a result, cyber-attacks will increase.”
Lancope’s CTO TK Keanini, meanwhile, sees healthcare as a particular attractive target for ransomware attacks: “Three factors make [healthcare] a highly attractive target for ransomware expansion in 2015: the mandate to move to electronic records, the sensitive nature of healthcare data, and the immaturity of the information security practices that exist in healthcare.”
An Internet of Threats
Many of the concerns relating to the theft of healthcare data arise from the increasing availability of health-tracking wearables. This vector is just one of a wide array predicted to arise as the internet of things gains traction. Checkpoint’s UK MD Keith Bird cautions that, “As more IP-based appliances are introduced into the workplace and home environments, enabling a better-connected, more efficient world, it also gives criminals a better connected, more efficient network for launching attacks.”
WatchGuard’s Corey Nachreiner, however, takes the opposite stance: “Embedded computing devices (IoT or IoE) are everywhere and have security flaws. But today’s cyber-criminals typically don’t just hack for the heck of it; they need motive. There’s not much value to having control of your watch or TV at this point.”
Whether or not fears about the IoT amount to doom-mongering at this point will only be apparent with the benefit of hindsight, but one relatively new tech trend that still represents fertile ground for hackers is mobile devices, particularly given their increased use as payment mechanisms.
Kaspersky Lab’s chief security expert, Alexander Gostev, says the increasing adoption of Apple Pay “will inevitably attract many cyber-criminals looking to reap the rewards of these transactions.”
Follow the Money
While cyber-criminals look for ever more ways to steal and extort, the increasing financial impact on organizations which suffer breaches is another big concern. Joe Hancock, cyber security specialist at AEGIS London, believes that “Attacks are now increasingly destructive. This trend is going to continue, with affected businesses squeezed between a shrinking top-line and rising costs. In 2015 we fully expect a business to fail due to the financial consequences of a cyber-attack.”
Target will go down in infosec history for its major breach, news of which has dominated headlines in 2014. Alert Logic’s chief security evangelist, Stephen Coty, believes that in 2015 the orchestrators of that attack, “will weaponize their successful POS malware to target more online commerce sites, exploiting inexpensive and opens source POS platforms.”
The breach at Target was famously achieved through the compromise of a third-party contractor. SurfWatch Labs founder Jason Polanich believes that “In 2015, organizations will slowly start to better understand the breadth and depth of vulnerabilities in their supply chain, but not before more sizable breaches occur. We will see more attacks that originate from within the supply chain and as such, organizations will scramble to secure their back doors.”
Part 3 of Infosecurity’s 2015 predictions series will focus on how the industry needs to respond to the developing threat landscape. Read Part 1 here