2014 was a particularly busy year for IT security professionals. Many of the threats that we predicted at the start of last year duly emerged, while other significant issues caught the entire sector by surprise.
We anticipated, and saw, increases in social engineering exploits, which led to major data breaches at several well-known organisations. Targeted malware campaigns also stepped up, with RAM scraper and ransomware attacks making headlines. Mobile security problems continued to grow, as employees brought more devices onto organisations' networks.
However, no-one was prepared for the massive vulnerabilities which were discovered in established IT components throughout last year, such as the Heartbleed OpenSSL bug and the BadUSB flaw, which affected tens of millions of trusted websites and devices worldwide. These issues highlighted just how unpredictable – and challenging – it can be to enforce and maintain security.
With all this in mind, here are the 10 IT security threats and trends that I expect to emerge and grow over the course of 2015. I hope that this article will assist organisations in staying ahead of the evolving tactics that criminals use to target them, and in mitigating potential security risks.
Our global network of threat sensors revealed that over a third of organisations have downloaded at least one file infected with unknown malware over the past year. Malware authors are increasingly using obfuscation tools so their attacks can bypass detection by anti-malware products and infiltrate networks. Threat Emulation, also known as sandboxing, is a critical layer of defence against this explosion in unknown infectious agents.
Bots will also continue to be a core attack technique, simply because they're effective. Our 2014 Security Report analysed the networks of thousands of companies worldwide, and found 73% had existing bot infections – up 10% compared with 2013. 77% of these infections were active for more than four weeks.
The issue of securing mobile devices will continue this year, growing faster than organisations can control it. We surveyed over 700 businesses globally in 2014, and 42% had suffered mobile security incidents which cost more than $250,000 (around £165,000, AU$310,000) to remediate, and 82% expected incidents to rise during 2015. Worryingly, 44% of organisations do not manage corporate data on employee-owned devices.
As an attack vector, mobile probably provides direct access to more varied and valuable assets than any other. It's also the weakest link in the security chain, giving attackers access to personally identifiable information, passwords, business and personal email, corporate documents, and corporate networks and applications.
Biting into mobile payments
The introduction of Apple Pay with the iPhone 6 is likely to kick-start the adoption of mobile payment systems by consumers – along with several other payment systems competing for market share. Not all of these systems have been thoroughly tested to withstand real-world threats, which could mean potentially large rewards for attackers who find vulnerabilities that can be exploited.
Open source, open target
Heartbleed, Poodle, Shellshock. These open source vulnerabilities were highly publicised last year because they affected nearly every IT operation in the world. Critical vulnerabilities in open source and commonly used platforms (Windows, Linux, iOS) are highly prized by attackers because they offer tremendous opportunities, so attackers will continue searching for these flaws to try to exploit them. Businesses and security vendors will continue responding to them as quickly as possible.
Attacks on infrastructure
Cyber-attacks on public utilities and key industrial processes will continue, using malware to target the SCADA systems that control those processes. As control systems become increasingly connected, this will extend the attack vectors that have already been exploited by well-known malware agents such as Stuxnet, Flame and Gauss.
Whether these exploits are launched by nation states, or by criminal groups, they are already widespread: nearly 70% of critical infrastructure companies surveyed by the Ponemon Institute suffered a security breach over the last year.