Trust was probably the biggest casualty of the past year in security. Consumers were confronted with multiple thefts or exposure of their personal information, from credit cards to healthcare to social networks. Businesses had their confidence shaken with the discovery of significant code vulnerabilities in widely used software. National and local governments inadvertently exposed personal information about citizens.
In the long term, we’re going to have to deliver an e-commerce model in which security is built-in by design, seamlessly integrated into every device at every layer of the computing stack. In the short term, CEOs will be (and have been) called to testify before Congress, CxOs will lose their jobs, and the industry will focus on breach detection and response. There will continue to be consequences for getting security and privacy wrong. If organizations fail to protect our information, governments will increase the scope of rules and regulations, as well as the severity of punishment.
Consumer credit-card information continues to be a valuable target in the United States, where cards with magnetic stripes are still in common use and easier to hack than chip-and-PIN cards. The growing use of digital wallets is increasing the credit-card attack surface. However, attacking point-of-sale systems is just the tip of the iceberg. We expect the number of devices on the Internet of Things (IoT) to surpass the number of mobile devices sometime in 2015, and to keep growing. As these intelligent, Internet-connected devices experience exponential growth, they provide a rich target for cyber criminals. Based on research from Intel Security’s McAfee Labs and our partners, 90% of these devices collect at least one piece of personal information, 80% have weak password protection, and 70% have other security exposures. The wide variety of hardware and software modules that make up these devices makes securing each device a difficult task. To augment IoT device security, we will see an increase in network security and chip-based security solutions.
For governments and businesses, confidence in their Internet servers to store and serve data securely was hit hard in 2014, with a number of major vulnerabilities, including Heartbleed, Shellshock, and BERserk. Application vulnerabilities were on a declining trend from 2006 to 2011, but have climbed steadily since then and have now surpassed the previous peak. Unfortunately, some of these vulnerabilities are found in the malware isolation technique known as sandboxing, implemented by many popular applications. External or standalone sandboxes are containing these threats for now, but cyber criminals are exploring ways for their malware to escape those confines as well.
Cyber Espionage Poses Increased Threat
Possibly the greatest threat we have seen this year is the refinement of cyber espionage campaigns toward long-term intelligence gathering, made possible by sophisticated detection-avoidance tactics. Although this field is mostly the domain of nation-state actors for now, we expect that cyber criminals will study and emulate these techniques. The development and deployment costs of cyber espionage attacks will leave most cyber criminals in the smash-and-grab game. However, some companies with very valuable digital assets or significant enemies will find themselves the target of one or more of these sophisticated attacks, in which the goal is to gather intelligence over time and eventually sell it to the highest bidder.
These and other sophisticated threats have exposed the weakness of relying on multiple defenses that are disconnected from each other. Identifying and containing these attacks requires information sharing, data correlation, and human collaboration at all levels, from laptop malware scanners to enterprise firewalls, security operations centers, and even the security vendors themselves. At the FOCUS 14 security conference, for example, Intel Security demonstrated McAfee Threat Intelligence Exchange (TIE), which unifies and correlates threat data from global sources with local intelligence information to more quickly identify attacks and narrow the gap from initial encounter to containment.
We have also seen greater inter-company collaboration this past year, with more to come. Intel Security, Symantec, Fortinet, and Palo Alto Networks co-founded the Cyber Threat Alliance, a group of security vendors committed to quickly sharing information on zero-day vulnerabilities, advanced persistent threats, and indicators of compromise, to improve defenses and better protect organizations and consumers. We have seen several collaborative, cross-border takedowns of criminal botnets, such as Operation Tovar. We expect to see more of this collaboration among vendors, government agencies, law enforcement, and academics in 2015, across competitive and political barriers, resulting in greater knowledge sharing and more takedowns of cyber criminals.
We have certainly not seen the last exploits of the high-severity vulnerabilities of 2014. Rebuilding trust and confidence will be a priority for 2015, but this means changing the security postures of many organizations. On the plus side, whether we are talking about physical or virtual security, as the threats and attacks increase, the defenses must adapt. Security on a chip will change the security paradigm for servers and endpoints, including mobile and IoT devices. Biometrics and password-management tools will address the weak link of user ID and password authentication. Data-analysis tools, fast threat intelligence sharing, and improved telemetry from security sensor devices will reduce the time to detection by building better reputation and behavior models.
The public has been reawakened to the risk of cyber threats by the very public and very meaningful security events of 2014. But as an industry, we are responding with stronger collaboration among products, vendors, and governments. These steps will go a long way toward restoring that lost trust.