2014: The Year of Shaken Trust

We can rebuild that trust.

Vincent Weafer, Senior Vice President, Intel Security

December 9, 2014

5 Min Read

Trust was probably the biggest casualty of the past year in security. Consumers were confronted with multiple thefts or exposure of their personal information, from credit cards to healthcare to social networks. Businesses had their confidence shaken with the discovery of significant code vulnerabilities in widely used software. National and local governments inadvertently exposed personal information about citizens.

In the long term, we’re going to have to deliver an e-commerce model in which security is built-in by design, seamlessly integrated into every device at every layer of the computing stack. In the short term, CEOs will be (and have been) called to testify before Congress, CxOs will lose their jobs, and the industry will focus on breach detection and response. There will continue to be consequencesfor getting security and privacy wrong. If organizations fail to protect our information, governments will increase the scope of rules and regulations, as well as the severity of punishment.

Consumer credit-card information continues to be a valuable target in the United States, where cards with magnetic stripes are still in common use and easier to hack than chip-and-pin cards. The growing use of digital wallets is increasing the credit-card attack surface. However, attacking point-of-sale systems is just the tip of the iceberg. We expect the number of devices on the Internet of Things (IoT) to surpass the number of mobile devices sometime in 2015, and to keep growing. As these intelligent, Internet-connected devices experience exponential growth, they provide a rich target for cyber criminals. Based on research from Intel Security’s McAfee Labs and our partners, 90% of these devices collect at least one piece of personal information, 80% have weak password protection, and 70% have other security exposures. The wide variety of hardware and software modules that make up these devices makes securing each device a difficult task. To augment IoT device security, we will see an increase in network security and chip-based security solutions.

For governments and businesses, confidence in their Internet servers to store and serve data securely was hit hard in 2014, with a number of major vulnerabilities, including Heartbleed, Shellshock, and BERserk. Application vulnerabilities were on a declining trend from 2006 to 2011, but have climbed steadily since then and have now surpassed the previous peak. Unfortunately, some of these vulnerabilities are found in the malware isolation technique known as sandboxing, implemented by many popular applications. External or standalone sandboxes are containing these threats for now, but cyber criminals are exploring ways for their malware to escape those confines as well.

Cyber Espionage Poses Increased Threat

Possibly the greatest threat we have seen this year is the refinement of cyber espionage campaigns toward long-term intelligence gathering, made possible by sophisticated detection-avoidance tactics. Although this field is mostly the domain of nation-state actors for now, we expect that cyber criminals will study and emulate these techniques. The development and deployment costs of cyber espionage attacks will leave most cyber criminals in the smash-and-grab game. However, some companies with very valuable digital assets or significant enemies will find themselves the target of one or more of these sophisticated attacks, in which the goal is to gather intelligence over time and eventually sell it to the highest bidder.

These and other sophisticated threats have exposed the weakness of relying on multiple defenses that are disconnected from each other. Identifying and containing these attacks requires information sharing, data correlation, and human collaboration at all levels, from laptop malware scanners to enterprise firewalls, security operations centers, and even the security vendors themselves. At the FOCUS 14 security conference, for example, Intel Security demonstrated McAfee Threat Intelligence Exchange (TIE), which unifies and correlates threat data from global sources with local intelligence information to more quickly identify attacks and narrow the gap from initial encounter to containment.

We have also seen greater inter-company collaboration this past year, with more to come. Intel Security, Symantec, Fortinet, and Palo Alto Networks co-founded the Cyber Threat Alliance, a group of security vendors committed to quickly sharing information on zero-day vulnerabilities, advanced persistent threats, and indicators of compromise, to improve defenses and better protect organizations and consumers. We have seen several collaborative, cross-border takedowns of criminal botnets, such as Operation Tovar. We expect to see more of this collaboration among vendors, government agencies, law enforcement, and academics in 2015, across competitive and political barriers, resulting in greater knowledge sharing and more takedowns of cyber criminals.

We have certainly not seen the last exploits of the high-severity vulnerabilities of 2014. Rebuilding trust and confidence will be a priority for 2015, but this means changing the security postures of many organizations. On the plus side, whether we are talking about physical or virtual security, as the threats and attacks increase, the defenses must adapt. Security on a chip will change the security paradigm for servers and endpoints, including mobile and IoT devices. Biometrics and password-management tools will address the weak link of user ID and password authentication. Data-analysis tools, fast threat intelligence sharing, and improved telemetry from security sensor devices will reduce the time to detection by building better reputation and behavior models.

The public has been reawakened to the risk of cyber threats by the very public and very meaningful security events of 2014. But as an industry, we are responding with stronger collaboration among products, vendors, and governments. These steps will go a long way toward restoring that lost trust.

About the Author(s)

Vincent Weafer

Senior Vice President, Intel Security

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team is dedicated to advancing the research and intelligence gathering capabilities required to provide the latest protection solutions in malware, host and network intrusion, email, vulnerability, regulatory compliance, and web security.

Vincent has an extensive range of experience gained over 25 years in the information technology industry, including 11 years as the leader of Symantec's Security Response team. He is also a highly regarded speaker on Internet security threats and trends, with coverage in national and international press and broadcast media. He has been invited to testify on multiple government committees including the States Senate Committee on the Judiciary hearing on Combating Cyber Crime and Identify Theft in the Digital Age in April 2010, the United States Sentencing Commission's Public Hearing on Identity Theft and Restitution Act of 2008 in March 2009, and the United States Senate Committee on Commerce, Science, and Transportation on Impact and Policy Implications of Spyware onConsumers and Businesses in June 2008. In addition he has presented at many international conferences and was a committee member of the IEEE Industry Connections Study Group (ICSG) 2009-2010, and has also co-authored a book on Internet Security.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights