Dark Reading is part of the Informa Tech Division of Informa PLC


12/22/2014
10:00 AM
John B. Dickson
Commentary

Security News No One Saw Coming In 2014

John Dickson shares his list (and checks it twice) of five of the most surprising security headlines of the year.

It has begun…

No, not the over-the-top holiday shopping advertisements and 24/7 commercialization on the run-up to Christmas. I’m talking about the over-the-top 2015 IT predictions lists and 24/7 prognostications that bombard our screens on the run-up to the new year.

Every year I get a kick out of these: The lists get more entertaining, the predictions range from the obvious to the absurd, and the list makers more numerous than college football bowl games. We’ve even taken a stab at the prediction-making game a couple of times ourselves, but quietly found out we weren’t too great at it.

So instead of cranking out another pro forma list of annual predictions, I thought it would be fun to look back in time, not too far, to identify the top security news events in 2014 that no one saw coming. The intent here is to add a little levity to the annual prediction body of work and, at the same time, try to provide some perspective on key events that transpired this year. Come along…

1. Symantec declaring AV is dead!
In May, Symantec VP Brian Dye declared to The Wall Street Journal that anti-virus was, in fact, dead. Of course, after reviewing Symantec’s financials and realizing that AV represented roughly 40% of the company’s revenue, Brian decided to clarify his remarks. I would have loved to have been a fly on the wall in the CEO offices to witness the discussion prior to those clarifications. Of course, if Symantec would have open-sourced its AV software and updates -- that would have been real news! Or maybe real news will be made in 2015 when an enterprise client finally rips out AV after complaining about it for so long. That, too, would be news. Unfortunately, most CISOs will continue paying their AV and malware tariff and continue griping.

2. NSA staying out of the news (mostly).
Compared to 2013, when Edward Snowden seemed to be releasing revelation after revelation on a weekly basis, NSA and its new director seemed to stay mostly out of the news this year. I’m not sure if Snowden ran out of juicy bits on his thumb drive or if NSA got better at crisis communications, but the result was that there was less sensational news from America’s most famous/infamous ex-pat. Throw in the fact that ISIS seemed to overrun most of Iraq and Syria over a three-day weekend, and the public seemed more interested in finding out how we deal with ISIS than a grumpy former NSA contractor camping out in a less-than-friendly country.

3. Target firing its CEO after a breach.  
I said on Twitter May 5, 2014: "The day information security became real for CEOs across the world." Although many a CIO and CISO have been fired due to breaches, not until Target’s Board of Directors let Gregg Steinhafel go earlier in the year had a CEO been terminated as a direct result of a data breach. I do believe this got the attention of non-IT executives and boards of directors across the country and will be viewed as a watershed event for the industry. No one saw that coming.

4. Heartbleed and Shellshock’s impact on software and hardware manufacturers. 
Up until Heartbleed and Shellshock, security near-death experiences had been the sole domain of banks and other financial services companies or retailers. After these back-to-back vulnerability events, software and hardware companies realized how widely they had implemented the OpenSSL cryptographic library and UNIX bash shell in their products. Most big OEMs were sent scrambling to remediate the problem, which can be an enormous challenge for the larger companies in the crowd.

5. Russia taking out its Crimean frustrations on JPMorgan Chase. 
Perhaps only the most astute foreign policy and security analyst would have connected the dots here, but there is increasing evidence that the Russian government and the organized crime syndicates that call Russia home have been cooperating on the JPMC attack. Many observers view this as a tit-for-tat response for Western sanctions levied against Russia after the annexation of the Crimea into the Russian Federation -- not too different from resuming their Cold War bomber flights off the coasts of the US. Most Americans can’t find Crimea on a map, but they certainly can find their local JPMorgan Chase ATM and are not happy that the Russians might have found it, too.

These are only five security events that no one saw coming in 2014. No doubt there are likely more gems out there. Feel free to comment below and add your favorite. And feel free to tweet your most over-the-top security predictions for 2015, too: @johnbdickson.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ...
Comments
ODA155,
User Rank: Ninja
12/22/2014 | 3:13:31 PM
Re: Some big headlines
@Stratustician,... then what is their (Target) next step... to hire a guy with a history of a major data breach on his resume... sweet.
Stratustician,
User Rank: Moderator
12/22/2014 | 2:39:24 PM
Some big headlines
For me, the firing of Target CEO was a huge deal for the same reasons you mentioned. I think this is the first time that a CEO was held responsible for flaws in security, not just the usual CISO or CIO finger pointing. I'm curious if this will continue, especially once we see the movement of new bills such as S4 here in Canada which will make it a requirement to disclose breach info.