10 Security Predictions For 2015
2015 Brings No Relief From Threats
Business owner angst about dangerous threats to sensitive data and intellectual property has increased significantly in 2014, driven by a spate of high-profile retail data breaches and ending with the disturbing, and still inexplicable, Sony breach that is worthy of a movie studio script itself. Despite recent law-enforcement victories bringing down CryptoLocker and other dangerous attack tools, the hacking economy thrives. Financially motivated cybercriminals are undertaking multistaged attacks and use increasingly complex and automated back-end systems that sustain their underground hacking markets where they sell and barter their stolen goods and services.
The direness of the situation has hit corporate boardrooms, and the latest studies suggest security is taking up a larger share of IT budgets. CRN pulled together these 10 security predictions that may impact the channel most in 2015, and shape how organizations buy technology and services to bolster their security postures.
10. Growing Army of Cybermercenaries Muddle Threat Landscape
There used to be a clear delineation between financially motivated attacks, hacktivist threats and nation-state-driven cyberespionage. Security experts recommend organizations determine what adversaries they have to defend against, but a growing paid-for-hire army of cybermercenaries are blurring the line between those three types of breaches. Research from Kaspersky Lab on a targeted attack campaign called Icefog first suggested growing signs that private for-hire cybermercenaries may be supporting nation-state attacks. The attackers' only ideology is money. They specialize in hit-and-run operations, getting in and stealing as much data as possible, including the kind of intellectual property coveted by intelligence gatherers. Kaspersky predicted in 2013 to expect "APT-for-hire groups to grow." The confusion over whether North Korea or a hacktivist group was behind the latest Sony Pictures Entertainment breach may be proving that prediction true. The attack on Sony started with a message attempting to extort senior-level executives, a tactic reserved mostly for financially motivated attackers. It then led to leaked emails, unreleased films and other sensitive documents, which rings true with hacktivist motivations. Then it turned to nation-state driven attacks. Maybe Kaspersky's 2013 prediction is holding true and, if so, look for documents in 2015 that point to a growing for-hire cybermercenary force.
9. For Channel, Security Services Raises Significant Growth Opportunity
At the McAfee annual partner summit in Las Vegas, Intel Security executives put pressure on partners to either embrace professional or managed services. Intel Security's Global Channel Chief Gavin Struthers told CRN that those resellers that stick to the old way of doing business could face losing it all.
Gartner predicts that more than 30 percent of security controls deployed to the small or midsize business (SMB) segment will be cloud-based by 2015. Gartner predicts that by 2018, more than half of organizations will use security services firms that specialize in data protection, security risk management and security infrastructure management.
In his channel predictions, Symantec's North American Channel Chief Rick Kramer said the opportunity has forced vendors to be more transparent with their partners and "create dynamic go-to-market strategies for all partner types.’ Vendors can find ways to engage an ecosystem of large partners and determine where niche partners fit in, Kramer said.
8. Meaning Of Internet Of Things Emerges
Speak to any security industry veteran, and they will say there has been a lot of hyperbole about an increased threat posed by the "Internet of Things," but provide few details about exactly what risks Internet-connected devices truly pose to consumers and businesses. Nearly every security vendor predicts threats posed by an increasing number of Internet-enabled devices. Security vendor Cyberoam warns that as supervisory control and data acquisition (SCADA) systems adopt "IOT" it could increase risks to critical infrastructures.
The discussion will turn to software security and getting manufacturers of sensitive devices that contain embedded systems to bolster their security vulnerability response processes. Manufacturers of connected devices should create a way to patch critical vulnerabilities. It's a problem easier said than done, and may come down to dollars and cents, embedded systems experts tell CRN. A manufacturer of an Internet-enabled teddy bear will accept the risk that the bear's embedded OS could become corrupted. On the other hand, health-care organizations will increasingly hold medical device manufacturers to a much higher standard and, in turn, may pay a premium to do business with a maker of wearable medical gear that can demonstrate its strong security approach.
7. Malware Sophistication Fuels Adoption Of Endpoint Security Protection
Security vendor Malwarebytes said malware writers are increasingly using tactics that shed the need for a physical file on the system by setting up a staging ground within system memory. "This will likely be a trend adopted by new and existing malware families in 2015, and the antivirus and antimalware communities will make necessary changes to combat this new threat," the company said. Meanwhile, Kaspersky Lab predicts attackers will create malware that can gain access to the core operating system in automated teller machines in 2015. Attacks currently require direct access to the ATM. Kaspersky predicts the multistaged attack would compromise bank networks and use that level of access to manipulate ATM machines in realtime, Kaspersky said.
6. Rise Of More Powerful Analytics
Steve Hultquist, chief evangelist at security vendor RedSeal, predicts that 2015 will bring a wave of adoption of more "proactive analytics for attack prevention." The prediction sheds light on a growing market of pure-play threat intelligence and security analytics vendors attempting to gain market share. Forrester Research is tracking some 30 or 40 emerging security vendors competing in this space. Some vendors specialize in making sense of the myriad alerts generated by security information event management systems; others use agents to collect endpoint and network data and help incident responders by putting more substance behind alerts. Yet others use Hadoop clusters to find previously unseen data connections that could signal a threat. Look for some clear winners to emerge by the end of 2015, in addition to some acquisition activity.
5. More Cloud Data Breaches Ahead?
Despite increased cloud security and transparency, high-profile breaches will take place in the cloud in 2015, according to Vijay Basani, CEO of managed security services provider EiQ Networks. Basani predicts a repeat of the security incident last year in which hackers gained access to celebrity Apple iCloud accounts. Apple denied the incident occurred due to a breach of its systems, including iCloud or Find my iPhone. The company said hackers targeted celebrity accounts by obtaining user names, passwords and guessing answers to security questions. Despite all the security provided by cloud services providers, security experts point out that the weakest link is typically the user. Basani's prediction could become reality this year.
4. Email Attacks Become Popular Again
Security vendor Websense Security said web-based attacks will continue to reign, but it predicts that email will become an integral role in data compromises. "With all eyes primarily focused on the more advanced and obvious threats, we expect email threats to increase as attackers evolve their techniques and reconnaissance operations to bypass the limits of current email security solutions," said Carl Leonard, principal security analyst at Websense Security Labs. Meanwhile, Trend Micro predicts that social media will be increasingly abused as infection vectors in the future.
3. Reinforcing Passwords With Biometrics
U.K.-based research firm Juniper Research predicts that biometrics will be increasingly adopted as a second factor for payments and other sensitive transactions. The research firm points out that markets where the mobile device is already used for personal authentication, such as Scandinavia and the Baltic states, will rapidly incorporate biometrics as an additional factor. Apple Pay includes Touch ID, and Android device makers are increasingly adding fingerprint identification support on smartphones. The pieces are in place, but the mobile payment market is still in flux with a variety of interest groups vying for attention. Apple and other companies are looking closely at consumer use of fingerprint identification. Could the rollout of more modernized point-of-sale systems bring about broad adoption of biometrics as a second factor in 2015?
2. NFC Mobile Payments Continues To Struggle
Despite the attention being given to mobile payments as a result of Apple Pay, some industry analysts predict that the technology is not going to be broadly integrated by retailers. Paying with a mobile phone is seen by some as a way to bolster security, if the scheme is properly protected. But NFC was invented for low-value, high-volume merchants such as fast-food restaurants and convenience stores, said Andrei Charniauski, an analyst at IDC. Charniauski told CRN that that many retailers will not invest in NFC at all because they won’t be able to benefit from the extra layer of consumer engagement. Instead, retailers are eyeing similar payment schemes implemented by Starbucks or Walmart, which connect to customers through a mobile application. There’s little promise that new and innovative security improvements can emerge and be widely adopted due to this fragmented mobile payment ecosystem. In addition, Trend Micro warns in its predictions that attackers are already hunting for weaknesses in Apple Pay and NFC, and the first attacks could take place in 2015.
1. Widespread Vulnerability To Cause Disruption, Data Loss
Client-side vulnerabilities that impact web browsers and their components, Microsoft Office, Adobe Reader and other applications will continue to be an issue, but at least one network security industry luminary predicts more endemic flaws. H.D. Moore, the creator of the Metasploit attack toolkit and chief research officer at Rapid7, warns organizations to be ready for another year in which vulnerabilities comparable to Heartbleed and Shellshock, the open source vulnerabilities that were widely in use in network devices and other system components, will result in a major disruption and possible data loss. Security researchers are increasingly focusing on open source projects, yielding more vulnerability reports. Meanwhile, attackers are probing networking gear to target weaknesses in open source libraries.