This year has been a big one for data breaches. According to the Identity Theft Resource Center’s 2014 Data Breach Category Summary, as of November 25 there had been a total of 81,443,910 records reported exposed by security breaches. The numbers include only breaches reported by credible sources (government agencies and media) and do not include data that’s encrypted. The report includes seven categories of data loss: insider theft, hacking, data on the move, subcontractor or third party, employee errors and negligence, accidental Internet exposure and physical theft.
What types of threats should IT security professionals expect to deal with in the new year? The answer is likely “more of the same” – along with brand new threats that are sure to arise in response to the emergence of new technologies.
One way to predict the future is to look at the past. The past says that as any new tech becomes popular and in widespread use, attackers will start to target it. That only makes sense. If the reason for robbing banks is because “that’s where the money is,” then the reason for targeting the most popular devices and software is because “that’s where the data is.” And these days, it’s all about the data.
As mobile computing grew into a massive market, hackers who previously had focused on attacking desktop operating systems turned their attention to Android and iOS. If the wearable computing trend – smart watches, smart glasses, smart clothing – really does catch on as some industry experts are predicting, look for hackers to go after the software running on those devices.
The Internet of Things will also open up new opportunities for attackers, who may be able to sneak into both home and business networks through the open back doors that will be created by a plethora of devices that, because they aren’t considered “computers,” may not be updated regularly. Their vulnerabilities may go unnoticed – until the bad guys ferret them out and develop exploits. If 2015 is the year that all the “things” get connected in earnest, we’ll have to be prepared to start dealing with these new attack vectors.
A key characteristic of the IoT is that more and more machines will be sharing data without direct user supervision. Attackers have long seen people as the weakest link in the security chain, exploiting human weaknesses via social networking. Thus many security policies have focused on user education in relation to prevention of data leakage. In an IoT world, hackers will turn more to exploiting machine trust, which is usually based on digital certificates.
This doesn’t mean users won’t continue to be vulnerable; they will. It just means that now, in addition to worrying about exploits of human trust, we also have to worry about the millions or billions of devices that are becoming more autonomous and making decisions for us.
New, highly computerized cars are also ripe for hacking. Every year, vehicles are marketed with more sophisticated technology and the high end 2015 models can even steer themselves into parking spaces, and some have a 4G LTE Internet connection that can act as a mobile hotspot. This is great for us techie types who prefer surfing the web to maneuvering into parallel parking spaces, but it also presents a golden opportunity for hackers who now have a brand new shiny target for their malware. Security researchers demonstrated years ago that it was possible to remotely unlock a vehicle and start its engine by hacking into the security system. As more of the car’s systems are dependent on computers, more of them will be vulnerable to attackers.
Location services will continue to be used by more and more applications, bringing along the consequent privacy and security issues that are involved in having one’s physical location constantly tracked and that information sent over the public Internet. It will become increasingly difficult to move around the world or even go down the street without being tracked, as geolocation devices are embedded in more and more items.
Big data is another burgeoning trend that comes with security issues of its own. The sheer volume of data involved means bigger privacy and security headaches, and it’s exacerbated by the nature of the data, which often includes a great deal of unstructured data. The security measures that we’ve used in the past to protect data were not designed to handle such a massive scale and were made with relational databases in mind. As companies embrace the big data phenomenon, IT will need to pay particular attention to securing NoSQL and other non-relational data stores.
A troubling trend that we may see growing in 2015 is that of attackers using exploit kits to accomplish their dirty work. This is bad news because it means more opportunity for criminals who aren’t technically savvy enough to devise their own attacks can easily do so using these kits.
Finally, on the consumer front, new mobile payment systems will represent low-hanging fruit to attackers. In 2015 we can expect more users to adopt the practice of making point-of-sale payments at retail and service establishments with mobile wallet apps and NFC-enabled hardware. If Apple Pay gives the kind of boost to the mobile payment market that the iPhone did to smart phones and the iPad did to tablet, we could see a real boom in this form of transactions and subsequently a deluge of attacks aimed at them.
In summary, 2014 kept IT security pros scrambling, with news about another serious vulnerability or data breach hitting us seemingly every few days. Heartbleed, bash/Shellshock, Sandworm, Masque and other high-profile vulnerabilities and exploits impacted a wide diversity of devices, and no platform was spared. This trend of targeting Linux, iOS and other non-Microsoft operating systems and software – along with Windows and its applications – is very likely to continue in 2015 as more and more users own devices running on different platforms.
Not only will attacks grow more prevalent and spread across more types of devices, but they are likely to continue to grow more intense in terms of consequences; fewer modern attackers are nerdy kids hacking just for fun and more are professionals who are in it for a profit – or even terrorists aiming at causing more serious harm than just monetary loss. That’s why it’s vitally important for IT security pros to stay on top of their games and not let their guards down as we rush headlong into the new year.