Massive, high-profile data breaches pockmarked 2014, culminating in the bizarre events surrounding the hack of Sony Pictures—allegedly by North Korea in retaliation for the politically incorrect stoner comedy The Interview. That’s a tough act to follow, but I’m sure 2015 will make an effort. I spoke with security experts to find out what we have to look forward to.
1. IoT: The Insecurity of Things
The Internet of Things has become an inundation of things. Hundreds of innovative, connected devices have emerged to interact with, track, monitor, and simplify just about every area of our lives. But these technologies typically have access to sensitive, personal information, and they also introduce a wide variety of new security issues for attackers to exploit.
2015 may be the year that IoT takes on a new meaning—the Insecurity of Things. “In previous years the Internet of Things was not a big deal," warns Robert Hansen, VP of WhiteHat Labs for WhiteHat Security, "but we’re seeing an increasing number of vulnerabilities in internet capable devices, like TVs, home security systems, automation.”
2. Sophisticated DDoS Attacks
Denial-of-service attacks are more of an annoyance than anything else. They don’t directly steal your information, or cause any overt harm—they just flood a site or service with so much traffic that it becomes overwhelmed and prevents legitimate users from connecting to it. As many Xbox and PlayStation gamers learned over the holidays, though, DDoS attacks are becoming more advanced, and have a very real impact.
“In 2014, DDoS attacks became much more sophisticated. Though much of the reporting focused on the size of attacks, a more troubling trend was the advancement in attack techniques,” stresses Barry Shteiman, director of security strategy for Imperva. He notes that attackers have evolved beyond simple flooding of traffic, and can now morph and adapt based on the defenses in place on the target network.
3. Social Media attacks
Mark Bermingham, director of global B2B marketing at Kaspersky Lab, anticipates a rise in social media and waterholing attacks—compromising a website or service commonly used by the target group in an effort to infect one or more of them, and allow the malware to spread from there. Attackers continue to develop new techniques to exploit social networks. As Bermingham puts it, “Security measures can’t overcome stolen credentials and click-throughs to dubious links.”
Kevin Epstein, VP of advanced security and governance at Proofpoint, agrees that social media attacks are a serious concern for 2015. In a recent blog post, he notes, “In 2015, Proofpoint expects inappropriate or malicious social media content to grow 400 percent as attackers target enterprise social media accounts to perpetrate confidence schemes, distribute malware, and steal customer data.” Greater awareness and vigilance are the best defenses.
4. Mobile Malware
Security experts have been banging the drum about the threat of mobile malware for years. The fact that it hasn’t yet materialized in a major attack has eroded the credibility of the claims, though, which means many users don’t take it seriously and have let their guard down. The sheer volume of mobile devices, and the prevalence of new mobile malware threats only increase the likelihood that a major mobile malware attack will happen. Will 2015 finally be the year?
Kaspersky’s Bermingham said, “As consumers and businesses shift to using mobile devices for a greater percentage of their daily activities, cybercriminals will place a larger emphasis on targeting these platforms—specifically Android and jail-broken IOS devices. Remote find, lock and wipe aren’t enough.”
5. Third-party Attacks
Cybercriminals generally take the path of least resistance, and they’ve learned that contractors and other third-party providers can provide an opening into otherwise-secured corporate networks. Major data breaches at retailers like Target and Home Depot occurred because attackers were able to obtain valid network credentials from trusted, third-party providers, and just walk right in.
This vulnerability extends far beyond corporations, though. Steve Durbin, managing director of the Information Security Forum, stresses that everyone needs to consider who has been entrusted to connect to or access sensitive information, and whether those entities or individuals have appropriate security measures in place.
This list is by no means comprehensive or conclusive. The very nature of innovative exploits means that we may be caught off guard by a completely new attack. And you may not be able to do much, personally, to prevent third-party attacks or DDoS attacks. But you can keep all of your hardware, software and services updated, and employ security controls to defend against attacks. There is no substitute for awareness and common sense.