Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
John B. Dickson
John B. Dickson
Connect Directly
E-Mail vvv

Security News No One Saw Coming In 2014

John Dickson shares his list (and checks it twice) of five of the most surprising security headlines of the year.

It has begun…

No, not the over-the-top holiday shopping advertisements and 24/7 commercialization on the run-up to Christmas. I’m talking about the over-the-top 2015 IT predictions lists and 24/7 prognostications that bombard our screens on the run-up to the new year.

Every year I get a kick out of these: The lists get more entertaining, the predictions range from the obvious to the absurd, and the list makers more numerous than college football bowl games. We’ve even taken a stab at the prediction-making game a couple of times ourselves, but quietly found out we weren’t too great at it.

So instead of cranking out another pro forma list of annual predictions, I thought it would be fun to look back in time, not too far, to identify the top security news events in 2014 that no one saw coming. The intent here is to add a little levity to the annual prediction body of work and, at the same time, try to provide some perspective on key events that transpired this year. Come along…

1. Symantec declaring AV is dead!
In May, Symantec VP Brian Dye declared to The Wall Street Journal that anti-virus was, in fact, dead. Of course, after reviewing Symantec’s financials and realizing that AV represented roughly 40% of the company’s revenue, Brian decided to clarify his remarks. I would have loved to have been a fly on the wall in the CEO offices to witness the discussion prior to those clarifications. Of course, if Symantec would have open-sourced its AV software and updates -- that would have been real news! Or maybe real news will be made in 2015 when an enterprise client finally rips out AV after complaining about it for so long. That, too, would be news. Unfortunately, most CISOs will continue paying their AV and malware tariff and continue griping.

2. NSA staying out of the news (mostly).
Compared to 2013, when Edward Snowden seemed to be releasing revelation after revelation on a weekly basis, NSA and its new director seemed to stay mostly out of the news this year. I’m not sure if Snowden ran out of juicy bits on his thumb drive or if NSA got better at crisis communications, but the result was that there was less sensational news from America’s most famous/infamous ex-pat. Throw in the fact that ISIS seemed to overrun most of Iraq and Syria over a three-day weekend, and the public seemed more interested in finding out how we deal with ISIS than a grumpy former NSA contractor camping out in a less-than-friendly country.

3. Target firing its CEO after a breach.  
I said on Twitter May 5, 2014: "The day information security became real for CEOs across the world." Although many a CIO and CISO have been fired due to breaches, not until Target’s Board of Directors let Gregg Steinhafel go earlier in the year had a CEO been terminated as a direct result of a data breach. I do believe this got the attention of non-IT executives and boards of directors across the country and will be viewed as a watershed event for the industry. No one saw that coming.

4. Heartbleed and Shellshock’s impact on software and hardware manufacturers. 
Up until Heartbleed and Shellshock, security near-death experiences had been the sole domain of banks and other financial services companies or retailers. After these back-to-back vulnerability events, software and hardware companies realized how widely they had implemented the OpenSSL cryptographic library and UNIX bash shell in their products. Most big OEMs were sent scrambling to remediate the problem, which can be an enormous challenge for the larger companies in the crowd.

5. Russia taking out its Crimean frustrations on JPMorgan Chase. 
Perhaps only the most astute foreign policy and security analyst would have connected the dots here, but there is increasing evidence that the Russian government and the organized crime syndicates that call Russia home have been cooperating on the JPMC attack. Many observers view this as a tit-for-tat response for Western sanctions levied against Russia after the annexation of the Crimea into the Russian Federation -- not too different from resuming their Cold War bomber flights off the coasts of the US. Most Americans can’t find Crimea on a map, but they certainly can find their local JPMorgan Chase ATM and are not happy that the Russians might have found it, too.

These are only five security events that no one saw coming in 2014. No doubt there are likely more gems out there. Feel free to comment below and add your favorite. And feel free to tweet your most over-the-top security predictions for 2015, too: @johnbdickson.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Ninja
12/22/2014 | 3:13:31 PM
Re: Some big headlines
@Stratustician,... then what is the their (Target) next step... to hire a guy with a history of a major data breach on his resume... sweet.
User Rank: Moderator
12/22/2014 | 2:39:24 PM
Some big headlines
For me, the firing of Target CEO was a huge deal as for the same reasons you mentioned.  I think this is the first time that a CEO was held responsible for flaws in security, not just the usual CISO or CIO finger pointing.  I'm curious if this will continue, especially once we see the movement of new bills such as S4 here in Canada which will make it a requirement to disclose breach info.
<<   <   Page 2 / 2
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-11
DLL Search Order Hijacking vulnerability in the Microsoft Windows client in McAfee Tech Check and earlier allows local users to execute arbitrary code via the local folder placed there by an attacker.
PUBLISHED: 2019-12-11
Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page.
PUBLISHED: 2019-12-11
Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() function in flex.c via a crafted BASIC source file.
PUBLISHED: 2019-12-11
On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices (with firmware through 6.0), denial of service can occur via PROFINET DCE-RPC endpoint discovery packets.
PUBLISHED: 2019-12-11
The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute.