The evolution of methods and tactics used by the modern day cybercriminal could well see 2014 remembered as 'the year of cyber-attacks.' Large-scale data breaches at major retail chains, attacks on data stored in the cloud and massive vulnerabilities revealed in decades-old code dominated column inches worldwide last year.
And what have we got coming our way this year? We'll consider that shortly, but first, let's look back over what 2014 served up in terms of security worries.
Cybersecurity trends in 2014
Cloud breaches: 2014 proved the data-rich cloud to be easy to hack and highly profitable for cybercriminals, as evidenced by the nude celebrity pictures leaked via a breach of iCloud. But perhaps the biggest demonstration of hackers going after the cloud was the OpenSSL Heartbleed vulnerability, which opened up a wealth of attacks on cloud services like Dropbox and Google Drive.
Aggressive cyber-attacks: We also saw cybercrime shift from simple data theft at the corporate level to nation-state and other political actors seeking to destroy data or hold it for ransom. In 2014, cyber-attacks became much more aggressive and strategic in their targeting.
Social targeted: The business community's increased use of social networking last year predictably saw attackers compromise high-traffic social websites such as LinkedIn. Hackers also used social media data to research and lure executives to other infected sites. This highly targeted method was used effectively to gather intelligence and compromise networks, and the case of Iranian hackers targeting US officials via social networks is a prime example of this.
Weak links exploited: On a similar note, 2014 also saw hackers increasingly target weak links, such as consultants who are outside the corporate network. We witnessed multiple examples of high-profile breaches along these lines, such as JP Morgan, Target and Home Depot.
Malware decrease: 2014 also saw a decline in advanced malware volume, reducing cybercriminals' dependence on high-volume advanced malware and driving them towards more targeted attacks, such as the virus GameOver Zeus.
Old Java: Businesses' continued dependence on outdated versions of Java left them highly exposed to exploitation. The unwillingness of IT departments to replace old Java versions that 'still work fine' was exploited by cybercriminals, who devoted more time to finding new uses for tried-and-true attacks and crafting advanced, multi-stage attacks.
Threats coming our way in 2015
If last year's trends alone haven't been a catalyst for businesses to take a closer look at the flaws in their security systems and start rectifying the vulnerabilities in their data protection policies, then the promise of more of the same in 2015 must be.
Healthcare threat: Attacks on the healthcare industry will intensify in 2015. Healthcare records hold an unparalleled level of personally identifiable information that can be used in a multitude of attacks, from identity fraud to financial exploitation, making them a highly tempting target for attackers.
IoT danger: We're already seeing proof-of-concept hacks against refrigerators, home thermostats and cars being widely reported as the Internet of Things (IoT) accelerates the connectivity of everyday items. However, the big threat from IoT will likely occur in a business environment, rather than at a consumer level. In 2015, manufacturing and industrial environments in particular will see an increase in attack volume.
Cyber-espionage: The techniques and tactics of nation-state cyber-espionage and cyber-warfare activities have primarily been successful. As a result, additional countries will look to develop their own cyber-espionage programs. We will see an increase in loosely affiliated 'cells' that conduct cyber-terrorist or cyber-warfare initiatives independent from, but in support of, nation-state causes.
Watch for increasing cyber-espionage activities from countries with high forecasted global economic growth. These countries are more likely to be the next to engage in cyber-warfare and espionage activities to protect and advance their growing affluence.
Retail targeted: With billions of dollars there for the taking, cyber-attacks against retail companies are sure to continue this year. As the retail sector escalates its defences, and security measures such as Chip and PIN technology are mandated, look for cybercriminals to accelerate the pace of their credit card data theft and fine-tune their malware to obtain a broader range of data on their victims.
Mobile attacks: Our increasing reliance on smartphones as an authentication measure and the auto-login capability of mobile apps will offer a wider open goal to cybercriminals. We will see an increase in mobile devices being targeted for broader credential stealing or authentication attacks, which will use mobile devices as an access point to increasingly cloud-based enterprise applications and data resources.
Old source code: Old source code is the new Trojan horse, just waiting to be exploited. In 2015, at least one major breach, a veritable treasure trove of data, will trace its origins to confidential company data improperly transmitted or secured on publicly available cloud storage sites based on old code foundations.
- Carl Leonard is Principal Security Analyst at Websense