As the year draws to a close, security gurus begin the annual ritual of predicting what horrors will befall us after the calendar turns from December to January. While this gloomy approach ignores the potential for actually improving infosec, it also sidesteps the opportunity for reflection. The truth is, any security incidents that will occur in 2015 will be the result of lingering errors created in the past. Here are four dangers that will continue unless we resolve to act now.
Legacy code, present danger
Just because some bit of code has been used since the dawn of time does not mean it has been thoroughly vetted. In the past few months, we saw years-old (or even decades-old) vulnerabilities unearthed in the form of the Heartbleed, Shellshock, Poodle, and Unicorn bugs. It’s nearly impossible to predict where the next of these ancient vulnerabilities will surface, but it’s a fair bet that you’ll find them wherever there is a piece of code that has been used by millions and has been largely unchanged for years. In 2015, security teams should resolve to give that legacy code a thorough review.
Expedience at the expense of security
Last year was not a good one as far as major payment card security goes. It brought us breaches at Neiman Marcus, Michaels craft store, P.F. Chang's, Dairy Queen, Jimmy John's, Goodwill, Staples, and Home Depot, among others. Predicting another year full of yet more breaches seems like something of a no-brainer.
In the largest of these breaches, at Home Depot, company officials had been warned about flaws in their security. Instead of taking action, they chose expediency over security, and they are now paying the price of millions of unhappy customers. The causes of these breaches are all basic security concerns: loss of login credentials, lack of adequate network segmentation, absence of encryption, use of default device passwords, and disabling of security features. While we can’t say better security would have prevented all of these events, we can resolve to make breaking in far more difficult for the attackers.
Malware: Everything old is new again
The headlines may be all about the newest and most unusual malware, but the majority of what affects the average person is still the same old, boring stuff that has been around for ages. Infecting computers usually doesn’t require the newest vulnerabilities, and it doesn’t necessitate the stealthiest tactics. The most effective threats often still rely on old-fashioned social engineering, because criminals are not going to pull out the metaphorical “big guns” if they know they can get their payday with tactics that are simply “good enough.”
Right now, the cost of entry for malware writers is exceedingly low, and the return on investment is very high. Until that equation changes, we’re not likely to see much of a decrease in malware in particular or cybercrime in general. The coming year is likely to bring some improvements, but in fits and starts rather than as a complete sea change. Let’s get that process moving faster.
Looking back to look ahead
For most people, technology is a new and often confusing thing. Many organizations are going digital fairly reluctantly, choosing only the easiest and most user-friendly aspects to deploy. Historically, this has led to a general perception that information security is a drag on innovation -- not an essential feature of the technology infrastructure. As people become more informed, as security products become easier to implement, and as more people become aware of the costs of leaving themselves open to attack, this situation is likely to evolve for the better.
The good news is that old problems, by and large, already have solutions: All we have to do is recognize and implement them. There are a lot of things that we can all do to improve our security. Once we remove the low-hanging fruit, we will make it more costly and difficult for criminals to do their jobs. That’s not to say that removing that fruit will be an easy task -- in fact, it’s far more difficult than our current policy of worrying about the most challenging (one might even say “advanced, persistent”) fruit.
It is my hope that in the coming year, the brilliant minds in this industry will reflect on what we can do to make security simpler and more approachable for the general public.
What are your infosec resolutions for 2015? Please share them in the comments.