Over the past couple of months, my inbox has filled up with predictions from vendors, analysts and security thinkers on what they think will create havoc or solve our problems in 2015.
Before I get on to that, I think it is important to understand what was predicted for 2014. Some were correct – we saw a lot more activity around Internet of Things/Everything, the arrival of version 1.0 of the FIDO Alliance standard took authentication in a new direction, more interest in SSL should be a continuing trend for 2015, while Ken Westin, security researcher at Tripwire, seemed to be closest, saying that “we will continue to see large scale compromises of user data including user name and passwords”.
Have we seen a huge impact because of the Edward Snowden leaks and Government surveillance? There’s no doubt it is still a present topic, but I would argue that in 2014 we haven’t seen the story shape our world as much. There were also some more “failed” predictions related to more confidence in the cloud and more advanced mobile malware – in my view we are still in the same place as 12 months ago, and in many predictions before that.
I concluded my 2014 look-forward 12 months ago with the line “it is likely that there will be more use of cloud, more aggressive and sophisticated malware and more headlines generated by this summer’s activity”. So I was right on some levels, I suppose.
Looking at what has ended up in my inbox for this year, I identified 15 common trends. I have automatically removed the general cloud and malware predictions, partly for reasons given above and partly because everyone is predicting changes in those spaces. The 15 prediction trends are as follows:
- Internet of Things
- A growth in the cyber crime economy
- Supply Chain attacks
- Point of Sale attacks
- Renewed risk management
- New tools and solutions emerging
- Cyber insurance
- C-level and board influence
- Major software flaws
- Compliance and regulation
- Major breaches
Undoubtedly the most popular was Internet of Things (IoT) and wearable technology. Trend Micro claimed that they “remain too diverse” and as criminals will not be able to launch truly effective attacks against them, they will instead target the data generated by these devices, making device manufacturers a particular target in 2015.
Dave Larson, CTO at Corero Network Security called them “faceless devices” which are systematically making their way into our businesses and everyday personal lives.
Quentyn Taylor, director of information security at Canon for EMEA, said: “Insider threats are not necessarily the result of rogue employees driven by malicious intent. Any employee with a device that stores information, whether it’s the latest wearable device or even a mobile phone, can be at risk of inadvertently compromising data security. Consider, for example, Google Glass and its potential to capture and leak sensitive information by employees, whether intentionally or not, in a BYOD context.
“If confidential business data is being recorded at a mere glance, regardless of whether there is the intent for misuse, this raises clear issues that businesses increasingly need to address. Things get even more complicated when you consider wearable technology that can’t be removed – such as wireless pacemakers or cochlear implants. For businesses with strict security policies regarding connected devices, the new wave of wearable technology may force them to rewrite the rulebook in order to make allowances while still protecting their systems from insider breaches.”
Another area of particular interest to predictors was “major software flaws”, especially apparent after Heartbleed, Shellshock and Poodle hit the headlines in 2014. Blue Coat said that “vulnerability seekers have had their first taste of this, and there’s no going back now”, while ExtraHop said that the flaws “were a wake-up call for many IT organisations” and “should indicate more is to come”.
HD Moore, Chief Research Officer, Rapid7, said: “The ‘big bugs’ of 2014 were not in Microsoft products for once. We still see tons of client-side issues, including IE and Office zero-days, but the issues that keep ‘breaking the internet’ are endemic flaws in open source software that really should be better by now. Plan for another year in which vulnerabilities in open source libraries and system components result in major disruption and possible data loss.”
The third most popular prediction was in the data protection and regulation space, especially apparent given the expected movements with the European Data Protection Directive next year. Sophos pointed to “massive regulatory changes that have been a long time coming”, adding that it is “likely these changes will trigger consideration of more progressive data protection regulation in other jurisdictions”.
ProofPoint said that after the year of the data breach, lawmakers will take action to draft and pass national laws not only for data breach reporting, but also mandating privacy and data protection standards and controls, with legal and financial repercussions for organisations that fail to meet them.
Rob Lay, solutions architect for enterprise and cyber security for UK & Ireland at Fujitsu, said: “Businesses ought to look at consolidating their regulatory and compliance requirements into a single set of requirements which will then allow a more strategic approach to be taken to ensuring compliance.”
Sian John, chief security strategist for EMEA at Symantec, said: “2015 will see continued focus and concerns on privacy and how information is being used as the EU looks to implement its new Data Protection Legislation. For businesses in Europe, juggling the need to ensure compliance with the new regulations, while keeping pace with the global economy by using their vast amounts of data to drive new services and revenue streams, will create new challenges for organisations in 2015.”
Perhaps the other prediction that caught my eye was in point of sale (POS) attacks and flaws, which enabled attacks on US retailers Target, Staples and Home Depot among many others. FireEye said that it expected to see more “creative targeting” as large retailers harden their defences and more criminals get into the game looking for untapped potential victims.
Stephen Coty, chief security evangelist at Alert Logic, said: “In 2015, I feel that retailers will continue to be a major target, and as they start implementing tighter security strategies, the attack vector will change. I believe we will see more data exfiltration from online e-commerce sites that rely on open source or low cost POS systems that may not be as secure as an onsite POS network that is segregated from the rest of a corporate network. As the retail industry begins to invest in their security posture, victims of POS attacks through brick and mortar retail stores may decline.”
I am aware that predictions are pure crystal ball-gazing and opinion, but what I wanted to do was get an idea of common trends and themes. Hopefully this has given you more of an overall perspective of what is likely to be bothering you in 2015.
For a more in-depth conversation, join me with analyst Richard Stiennon and researcher Tom Cross on 6th January at 4pm GMT for a discussion on these and other 2015 predictions here – https://www.brighttalk.com/webcast/11399/138375
Thanks to the following companies for their predictions which made this review possible: Trend Micro, Surfwatch Labs, Accellion, Rapid7, Centrify, Symantec, Yubico, Canon, Blue Coat Systems, Safenet, Lancope, Varonis, Alert Logic, Kaspersky Lab, Cloudmark, Corero Network Security, NaviSite, Netwrix, Thales, McAfee, Perforce, Co3 Systems, Watchguard, SkyHigh Networks, ExtraHop, Fujitsu, Lookout, CipherCloud, NTT Com Security, EY, FireEye, Sophos, AdaptiveMobile, Ping Identity, Absolute Software, NTT Europe, Veracode, OpenText, ForgeRock, Imperva, ESET, ProofPoint and BAE Systems.