
12/22/2014
10:00 AM
John B. Dickson
Commentary

Security News No One Saw Coming In 2014

John Dickson shares his list (and checks it twice) of five of the most surprising security headlines of the year.

It has begun…

No, not the over-the-top holiday shopping advertisements and 24/7 commercialization on the run-up to Christmas. I’m talking about the over-the-top 2015 IT predictions lists and 24/7 prognostications that bombard our screens on the run-up to the new year.

Every year I get a kick out of these: The lists get more entertaining, the predictions range from the obvious to the absurd, and the list makers more numerous than college football bowl games. We’ve even taken a stab at the prediction-making game a couple of times ourselves, but quietly found out we weren’t too great at it.

So instead of cranking out another pro forma list of annual predictions, I thought it would be fun to look back in time, not too far, to identify the top security news events in 2014 that no one saw coming. The intent here is to add a little levity to the annual prediction body of work and, at the same time, try to provide some perspective on key events that transpired this year. Come along…

1. Symantec declaring AV is dead!
In May, Symantec VP Brian Dye declared to The Wall Street Journal that anti-virus was, in fact, dead. Of course, after reviewing Symantec’s financials and realizing that AV represented roughly 40% of the company’s revenue, Brian decided to clarify his remarks. I would have loved to have been a fly on the wall in the CEO offices to witness the discussion prior to those clarifications. Of course, if Symantec had open-sourced its AV software and updates -- that would have been real news! Or maybe real news will be made in 2015 when an enterprise client finally rips out AV after complaining about it for so long. That, too, would be news. Unfortunately, most CISOs will continue paying their AV and malware tariff and continue griping.

2. NSA staying out of the news (mostly).
Compared to 2013, when Edward Snowden seemed to be releasing revelation after revelation on a weekly basis, NSA and its new director seemed to stay mostly out of the news this year. I’m not sure if Snowden ran out of juicy bits on his thumb drive or if NSA got better at crisis communications, but the result was that there was less sensational news from America’s most famous/infamous ex-pat. Throw in the fact that ISIS seemed to overrun most of Iraq and Syria over a three-day weekend, and the public seemed more interested in finding out how we deal with ISIS than a grumpy former NSA contractor camping out in a less-than-friendly country.

3. Target firing its CEO after a breach.  
I said on Twitter May 5, 2014: "The day information security became real for CEOs across the world." Although many a CIO and CISO have been fired due to breaches, not until Target’s Board of Directors let Gregg Steinhafel go earlier in the year had a CEO been terminated as a direct result of a data breach. I do believe this got the attention of non-IT executives and boards of directors across the country and will be viewed as a watershed event for the industry. No one saw that coming.

4. Heartbleed and Shellshock’s impact on software and hardware manufacturers. 
Up until Heartbleed and Shellshock, security near-death experiences had been the sole domain of banks and other financial services companies or retailers. After these back-to-back vulnerability events, software and hardware companies realized how widely they had implemented the OpenSSL cryptographic library and UNIX bash shell in their products. Most big OEMs were sent scrambling to remediate the problem, which can be an enormous challenge for the larger companies in the crowd.

5. Russia taking out its Crimean frustrations on JPMorgan Chase. 
Perhaps only the most astute foreign policy and security analyst would have connected the dots here, but there is increasing evidence that the Russian government and the organized crime syndicates that call Russia home have been cooperating on the JPMC attack. Many observers view this as a tit-for-tat response for Western sanctions levied against Russia after the annexation of the Crimea into the Russian Federation -- not too different from resuming their Cold War bomber flights off the coasts of the US. Most Americans can’t find Crimea on a map, but they certainly can find their local JPMorgan Chase ATM and are not happy that the Russians might have found it, too.

These are only five security events that no one saw coming in 2014. No doubt there are likely more gems out there. Feel free to comment below and add your favorite. And feel free to tweet your most over-the-top security predictions for 2015, too: @johnbdickson.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors.
Comments
Eamon_Walsh1
User Rank: Apprentice
12/23/2014 | 11:54:01 PM
Re: 2015 Nomination: Cyber-Murder
Precisely why services like Citrix Netscaler and other similar ADCs like Fortinet and Barracuda feel free to monger enough scare that we would buy one of their 'safety nets'. TBH though, Netscaler and F5 do offer some degree of immunity against DDOS and SSL attacks. (more here: bit.ly/1uNXuNY)
aws0513
User Rank: Ninja
12/23/2014 | 4:02:52 PM
Re: 2015 Nomination: Cyber-Murder
I suspect this will be more along the lines of some group conducting a DDoS against emergency services.

Oh... wait...  that already kinda happened...
www.reuters.com/article/2014/12/10/us-usa-new-york-chokehold-anonymous-idUSKBN0JO2HG20141210

 
Some Guy
User Rank: Strategist
12/23/2014 | 3:03:37 PM
2015 Nomination: Cyber-Murder
I'm just waiting for the headline that includes "Cyber Murder". With the ability to hack insulin pumps and pacemakers, and the growth of IoT and Wearables, it's only a matter of when, not if.
jdickson782
User Rank: Author
12/23/2014 | 2:17:45 PM
Re: Some big headlines
Don't forget the non-executive board of directors too.  They have that whole fiduciary duty thing going on... :-)
jdickson782
User Rank: Author
12/23/2014 | 2:16:21 PM
Re: Some big headlines
Another anecdote to further drive home your point, Stratustician: I've presented at more board meetings on behalf of CISOs than the rest of my security career combined. And that's as a non-CISO, outside consultant....
Dr.T
User Rank: Ninja
12/23/2014 | 8:58:50 AM
Re: Some big headlines
I agree with the fact that systems have flaws and breaches can happen; however, if the damage is disastrous and impacts the whole network, that means the C suite, security experts and staff did not do their jobs. They needed to have layered security measures so the impact of a security breach would be minimized.
Dr.T
User Rank: Ninja
12/23/2014 | 8:54:19 AM
Re: Some big headlines
As long as they can declare that in their resumes. The same goes for the CISO; I bet nobody is looking to hire Sony Pictures' CISO.
Dr.T
User Rank: Ninja
12/23/2014 | 8:51:38 AM
Re: Some big headlines
It is a good idea to hold the CEO responsible; they are the ones who hold the final budget commitment decision, and most are not making it in favor of a secure environment.
Dr.T
User Rank: Ninja
12/23/2014 | 8:49:17 AM
Many saw actually
 

Lots of security experts have been talking about security flaws in different systems and architectures. They have not been heard simply because nobody wanted to hear them. It involves real dedication to security and commitment to the budgets. Most companies thought they could get away with simple measures instead of making strategic decisions and real investment in security. I would not be surprised if it gets worse.
Stratustician
User Rank: Moderator
12/22/2014 | 4:21:30 PM
Re: Some big headlines
To an extent, just because a CISO or other C level was around during a time that a breach occurred doesn't mean they are at fault personally, nor does it make them less qualified. Realistically, stuff happens, no matter how skilled a team is. It's how the response is dealt with that, personally, I think is the bigger issue. Take responsibility and initiative and I think most folks would agree it's a sign of good leadership. Ignore the situation and redirect blame, not so good.