To say that 2014 was eventful would be an understatement. So, looking forward to this year, can we put the large-scale breaches behind us? Not likely! Here's what I think 2015 has in store for us:
Tried and true malware techniques will continue to evolve
Recent highly effective social engineering ploys, such as those utilised in ransomware, will continue to terrorise businesses. The criminals may begin to get away with less money as intended targets become more aware and adopt proper backup procedures, but there will still be plenty of unsuspecting victims whose data will be at risk and likely compromised, still costing the business itself.
The widening use of individual cloud storage services will begin to pose a larger risk to businesses
The use of Dropbox, OneDrive, Box, Google Drive and all of the other cloud storage services by individuals as a means to more easily access documents in multiple locations will pose a greater risk to personal as well as professional targets, as company documents and data commingle with personal files in the cloud.
Point-of-Sale malware will continue to disrupt big box stores, retailers and restaurants
2014 proved to be the year of the breach, and that was due to a rash of PoS-style malware. These programs were often very simple in design and had one job: to siphon credit card and account information from transactions as they happened. The seemingly simple manner in which this malware keeps making its way into these systems is also troublesome and is a sign that these systems will continue to be major targets throughout 2015.
The bevy of breaches that occurred during 2014 and the abundance of credit card details and other personal information obtained from them will lead to an increase in spear-phishing and other more targeted attacks
So much private personal information exists on the cyber-underground now that criminals will be able to put together very specific personal profiles of their targets, thanks to these breaches coupled with further information gleaned from social media. This information will be integral for highly targeted attacks or to be used in such a way as to defeat new card technologies.
The TOR network and P2P networks will see a rise in use by botnets and benign services as well
More sophisticated malware will continue to avoid detection by hiding in common services and using non-traditional forms of communication such as TOR or peer-to-peer. On the other hand, Facebook's new experimental move into the TOR network may inspire other reputable services to provide anonymous access, thereby enticing new users who may have been unwilling to try them beforehand.
The increased use of wearable technology and the associated data produced will begin to be examined a little deeper
As the ever-expanding marketplace of health and fitness apps, coupled with wearable devices monitoring our every move, heartbeat and location, continues to gain popularity, compromised security or just poor privacy settings will leak this personal data out into the world, and people will begin to wonder where it is all ending up and what it's being used for.
Expect to see a lot of this data being used in target marketing.
Unexposed vulnerabilities in widely used platforms and protocols will continue to be a goal for attackers
Last year showed us some major issues with secure communication, such as the SSL flaw known as Heartbleed, and a long-standing bug in Bash, known as Shellshock. The discovery of vulnerabilities such as these will continue to be a major goal for attackers and defenders alike.
Mobile payment systems will work aggressively to make digital payments through services such as Apple Pay, Google Wallet and CurrentC much more secure
Vendors have been trying hard to change the way we make transactions with features such as Near Field Communication and virtual wallets in our mobile devices. Unfortunately early adoption has left a bit too much to be desired thanks to security issues and concerns. Look for these to be addressed immediately, and a slow roll out to more retailers in 2015.
Thanks also to these early flaws and the attack on the CurrentC payment system through third parties, which led to the leak of the email addresses of early adopters, we can expect mobile payment systems and architectures to be a highly likely target of attack.
The ever-growing increase in mobility could spell trouble for BYOD policies
Businesses that have very loose or even no Bring Your Own Device (BYOD) policies may be in trouble as more and more people are moving to smart devices where business and personal data live side by side. This could create a sharp increase in lost or compromised data collected from these devices.
Acts of cyber-aggression will continue between many nation states including the US and China
We may not be privy to the majority of these attacks against infrastructure or corporate espionage between our collective countries, but evidence suggests that the internet has become an important tool in every aspect of our lives including war and politics. Expect this "boots at home" tactic to remain in the playbook as a first move in most conflicts, whether it be just reconnaissance or even the disabling of infrastructures and communications.
Forewarned is forearmed.
- Fred Touchette is senior security analyst at AppRiver