Cybersecurity is poised for a notorious year. The computer security industry had a tumultuous 2014, with significant breaches, compromises, and vulnerabilities permeating the news. Governments, businesses, and huge swaths of everyday people were affected. The next twelve to eighteen months will see even greater, bolder, and more complex attacks emerge.
This year’s installment of the top computer security predictions highlights how the threats are advancing and outpacing defenders, and how the landscape is becoming more professional and organized. New targets will emerge and the expectations of security will rise. As the industry changes, there will be struggles, setbacks, victories, and surprises. Although the view of our cybersecurity future is obscured, one thing is certain: it will be an exciting ride.
Top 10 Predictions:
Cyber warfare becomes legitimate
Governments will leverage their professional cyber warfare assets as a recognized and accepted tool for governmental policy. For many years governments have been investing in cyber warfare capabilities and these resources will begin to pay dividends. Most activities will remain discreet, but governments will not be apologetic when activities become public. Such national capabilities are another instrument, complementing traditional military and espionage resources, for leaders to use in driving international policy. State-sponsored attacks will rise globally, supporting various foreign policy agendas, as will intelligence and surveillance activities.
Active government intervention
Governments will be more actively involved in responding to major hacking events affecting their citizens. Increased law enforcement resources for investigative and forensics functions will aid local authorities and key economic and infrastructure enterprises in identifying and prosecuting attackers. Expect government response and reprisals to foreign nation-state attacks, which ordinary business enterprises are not in a position to act on or counter. This is a shift in policy, both timely and necessary to protect how the public enjoys life under the protection of a common defense. Governments may also take on the role of public advocate to point fingers and direct blame, something few companies want to do themselves. This will also be the year in which cybersecurity regulations, specifically in response to recognized attacks, emerge and get ratified much faster. The term ‘faster’ is, of course, relative to the normal time it takes to pass cyber-related regulations. Overall, governments will take a more active and public role to investigate, prosecute, and respond to significant cyber-attacks.
Security talent in great demand
The demand for security professionals is at an all-time high, but the workforce pool is largely barren of qualified candidates. A lack of security workforce talent, especially in leadership roles, is a severe impediment to organizations in desperate need to build and staff in-house teams. The best talent has been scooped up. Universities are trying desperately to fill the gaps but are having difficulty in delivering the needed knowledgeable and experienced personnel. We will see many top-level security professionals jump between organizations as big companies are willing to lure them with better compensation packages. The demand will drive a rise in salary for cybersecurity professionals, drawing in more recruits. Eventually, the pipeline of professionals will grow to meet demand, but that will not happen in 2015. Those seeking to fill roles should plan accordingly. Organizations will struggle in filling crucial security roles to protect their business and customers.
High profile attacks continue
High profile targets will continue to be victimized. As long as the return is high for attackers while the effort remains reasonable, they will continue to target prominent organizations. Two types of victims exist: those who have something of significant value and those who are easy targets. As it stands, many large organizations are both easy to compromise and have tremendous value to attackers. Expect more business data theft, forgery, impersonation, and hijacking. Also expect a resurgence of social activists expressing themselves through hacking, in more creative ways than just Denial-of-Service attacks.
The financial industry, although toughened by the experience of being targeted over the past few years, will see new attacks intensify. Bank and credit cards remain the easiest to compromise and fraudulently use. Although financial institutions will feel more pain, their efforts are making a difference and lessening lower classes of attacks overall. Unfortunately, advanced and directed attacks will continue to be successful. Lastly, we will see more nation-state sponsored cyber warfare attacks against governments and their defense apparatus. The public will see a large variety and number of complex and bold compromises in the next year.
Attacks get personal
We will witness an expansion in strategies in the next year, with attackers acting in ways to put individuals directly at risk. This will take many forms, but the common thread will be a personal feeling of being targeted. Instead of your bank being compromised, it will be your PC infected to steal your account access. The most worrisome tactic will be how cyber attackers will seek ways to threaten damage to the physical world and put people in harm’s way. This may include personal threats, damaging industrial facilities and critical infrastructures, and even tampering with safety controls in devices we operate. This can put human lives at risk. Executives, politicians, government officials, and the wealthy will be singled out and targeted more than ever. Governments will work to monitor political dissidents and seek ways to identify social protesters. High profile individuals will be threatened with embarrassment through the exposure of sensitive healthcare, photos, online activities, and communication data. Everyday citizens will be targeted with malware on their devices to siphon bank information, steal crypto-currency, and hold their data for ransom. For many people this year, it will feel like they are being specifically targeted for abuse.
Enterprise risk perspectives change
Enterprises will overhaul how they view risks. Serious board-level discussions will be commonplace, with a focus on awareness and responsibility. More attention will be paid to the security of their products and services, with the protection of privacy and customer data beginning to supersede ‘availability’ priorities. There will be much less tolerance for failure or apathy on the part of the CIO, CSO, and CISO.
Changes will be made in how risks are evaluated. Many more considerations will be added to the mix and the overall ‘impact’ potential will rise across the spectrum. The ‘who’ and ‘why’ of the attackers will become important, not just ‘how’ the defenses might be breached. Calculations, now relevant and understandable at the board and C-suite levels, will be included when determining the optimal security posture, thus driving more focus, accountability, funding, and overall visibility. Enterprise leaders will adapt their perspectives to focus more attention on security as a critical aspect of the sustained success of the business.
Security competency & attacker innovation increase
The security and attacker communities will make significant strides forward this year. Attackers will continue to maintain the initiative and succeed with many different types of attacks against large targets. Their success will encourage more attacks and bolder endeavors. Advanced threats will leverage the tremendous computing power from cloud hosting services to accomplish brute force attacks and support the important command, control, and communication infrastructures necessary for broad and complex attacks. Popular cloud drive services, application stores, and web advertising networks will be used to deliver malware. Cryptocurrencies such as Bitcoin will continue to be the preferred economy supporting underground activities, compelling more regulation and oversight.
Certificate theft will increase, as will the supporting dark markets that peddle stolen certificates and offer up services using them. Stolen credentials are used to sign malware, making it appear legitimate so it can slip past network filters and security controls, and are also used in phishing campaigns. This is a highly effective trust-based attack, leveraging the very security structures initially developed to reinforce confidence when accessing online content. Rising demand will drive black market prices higher. Hackers who are adept at compromising networks will realize they can make a quick profit by stealing certificate credentials. Cybercrime will grow quickly in 2015, outpacing defenses and spurring smarter security practices across the community.
Security industry innovation will advance as the next wave of investments emerges and begins to gain traction. Protections for next generation data centers, tools for communication surveillance, attack attribution, threat intelligence, and contextual security controls are a few capabilities which will significantly improve to aid defenders. The security industry will go through another cycle of consolidation where larger companies absorb smaller start-ups to harvest innovation and point products, to expand established offerings. Cross-technology alliances will form to allow disparate tools to communicate and collaborate to increase the overall effectiveness of cybersecurity postures. Smarter security, not more security, will be the trend.
Malware increases and evolves
Malware numbers will continue to skyrocket, increase in complexity, and expand more heavily beyond traditional PC devices. Malware remains the preferred means to control and exploit systems. Malicious software will continue to grow at a relentless pace, averaging 50%+ year-over-year growth. More sophistication of the code will make detection, analysis, and permanent eradication more difficult. Writers protect their most specialized and insidious code with obfuscation techniques, to keep activities stealthy. This can include the heavy use of encryption, certificates, self-updating, sandbox sensing, system demolition, and self-destruction protocols, all in an effort to make attribution, dissection, and removal problematic.
Malware expands to work on more specialized devices, beyond personal computers and traditional server environments. Industrial, automotive, home devices, phones, tablets, online service environments and even the Apple ecosystem will see more tailored code, putting them at risk.
Two types of malware attacks will see a spike. Ransomware and theft of banking login credentials will grow significantly to infect end users’ devices. As banks are closing easy avenues of attack in their infrastructure, the end users become the next easiest path of compromise. Second, crypto-extortion will expand into a booming market, where malware encrypts users’ data files and holds them for ransom. Individuals, businesses, and even police departments have succumbed to this type of attack. With hundreds of millions of dollars to be made, organized criminals will commit serious resources to this electronic disease. The rapid growth and rising complexity of malware will create significant problems for the security industry.
Attacks follow technology growth
Attackers move into new opportunities as technology broadens to include more users, devices, data, and evolving supporting infrastructures. As expansion occurs, there is a normal lag for the development and inclusion of security. This creates a window of opportunity. Where the value of data, systems, and services increases, threats surely follow. Expect attackers to explore the emerging world of IoT, wearables, home automation devices, banking and Bitcoin ATM and Point-of-Sale machines, and multi-functional digital display and sale devices. Attacks against phones will increase and legacy ATMs will become a favorite target for organized crime. National cyber warfare teams will continue to target communications for intelligence gathering, but will also focus on being able to compromise, monitor, and tamper with high-tech industrial controls and critical infrastructures. Attackers are fast followers of market shifts, attracted by areas of recognizable value, and will seize the new opportunities driven by the adoption of popular technology.
Cybersecurity attacks evolve into something ugly
Cybersecurity is constantly changing and the attacks we see today will be succeeded by more serious incursions in the future. We will witness the next big step in 2015, with attacks expanding from Denial-of-Service and Data Theft activities to include more sophisticated campaigns of monitoring and manipulation. Attackers will compromise defenses to gain internal access and establish a beachhead for conducting long-term surveillance and exploitation. Professional threats will take the time necessary to understand the inner workings of their victim and position themselves deliberately to gain from this knowledge.
Forgoing the temptation of a quick smash-and-grab of user and credit account data, they will show patience for a more strategic and profitable purpose. They will begin to tamper with data to manipulate the operations of their host. Combined with long-term data collection, they will use this capability for a variety of financial gains and as a prelude for more insidious control schemes.
Imagine what an attacker could accomplish if they had the ability to tamper with transactions occurring within a financial institution, modify the settings of the safety systems in an industrial control environment, or control the communications infrastructures from trusted entities. This type of integrity attack has not been widely seen to date. Security controls in this space are weak in the industry. Detection and recovery will be very problematic, bordering on nightmarish.
Welcome to the next evolution of security headaches.
I predict 2015 to be an extraordinary year in cybersecurity. Attackers will seek great profit and power, while defenders will strive for stability and confidence. In the middle will be a vicious knife-fight between aggressors and security professionals. Overall, the world will take security more seriously and begin to act in more strategic ways. The intentional and deliberate protection of our digital assets, reputation, and capabilities will become a regular part of life and business.
Take a look at previous years’ predictions to see how cybersecurity history has unfolded.
- Top 10 Cyber Security Predictions for 2014 and Beyond
- Top 10 Security Predictions for 2013 and Beyond
- Security Predictions for 2012 and Beyond
- Security Predictions for 2011 and Beyond