After a year of big data breaches like Home Depot and Sony, and widespread security vulnerabilities in our shared software, which spawned the likes of Heartbleed and Shellshock, it’s easy to predict that cybersecurity will be a hot topic in 2015.
Our new Security Threat Trends 2015 report investigates the biggest security risks on the horizon and explains the real-world impact of evolving threats on businesses and consumers.
Here are the 10 things we believe will have the biggest impact on security in 2015 and beyond.
1. Exploit mitigations reduce the number of useful vulnerabilities.
Cybercriminals have for years feasted on Microsoft Windows. Fortunately, Microsoft has invested in exploit mitigations, which makes writing attack code more difficult. As the difficulty of exploitation increases, some attackers are moving back to social engineering and we also see attackers focusing on non-Microsoft platforms.
2. Internet of Things attacks move from proof-of-concept to mainstream risks.
In 2014 we’ve seen more evidence that manufacturers of Internet of Things (IoT) devices have failed to implement basic security standards, so attacks on these devices are likely to have nasty real world impact. The security industry needs to evolve to deal with these devices.
3. Encryption becomes standard, but not everyone is happy about it.
With growing awareness of security and privacy concerns due to revelations of intelligence agency spying and newsworthy data breaches, encryption is finally becoming more of a default. Certain organizations like law enforcement and intelligence agencies are unhappy about it, under the belief that it will adversely impact safety.
4. More major flaws in widely-used software that had escaped notice by the security industry over the past 15 years.
From Heartbleed to Shellshock, it became evident that there are significant pieces of insecure code used in a large number of our computer systems today. The events of 2014 have boosted the cybercriminals’ interest in typically less-considered software and systems for the years to come – so you should be preparing your response strategy.
5. Regulatory landscape forces greater disclosure and liability, particularly in Europe.
The law moves slowly compared to the technology and security fields, but massive regulatory changes that have been a long time coming are nearly here. It is likely these changes will trigger consideration of more progressive data protection regulation in other jurisdictions.
6. Attackers increase focus on mobile payment systems, but stick more to traditional payment fraud for a while.
Mobile payment systems were the talk of 2014 after Apple stormed ahead with Apple Pay. Cybercriminals will be looking for flaws in these systems, but the present designs have several positive security features. Expect cybercriminals to continue abusing traditional credit and debit cards for a significant period of time as they are the easier target for now.
7. Global skills gap continues to increase, with incident response and education a key focus.
As technology becomes more integrated in our daily lives and a supporting pillar of the global economy, the cybersecurity skills shortage is becoming more critical and broadly recognized by governments and industry. This gap is growing larger with some governments forecasting that they will need until 2030 to meet the present demand for security professionals.
8. Attack services and exploit kits arise for mobile (and other) platforms.
The last few years of cybercrime have been hallmarked by the rise of products and services to make hacking and exploitation point-and-click easy. With mobile platforms being so popular (and increasingly holding juicy data too) it won’t be long until we see more crime packs and tools focusing on these devices explicitly. We may also see this trend come to fruition for other platforms in the IoT space as these devices proliferate around us.
9. The gap between ICS/SCADA and real world security only grows bigger.
Industrial Control Systems (ICS) are typically 10 years or more behind the mainstream in terms of security. Over the next couple of years I anticipate we will see a number of far more serious flaws exposed and used by attackers as motives vacillate between state-sponsored attacks and financially motivated ones. In short, it is an area where many are at significant risk.
10. Interesting rootkit and bot capabilities may turn up new attack vectors.
We are in the process of changing major platforms and protocols from those that we have relied on for some time and these lower level changes will bring interesting lower level flaws that cybercriminals may be able to capitalize on. We are on the edge of a mass of major changes to the old guard technology standards. Watch this space for old wounds re-opened and major new security flaw categories.
That’s just a taste … read the full report here (it’s a free download, no registration necessary): Security Threat Trends 2015.