Dark Reading is part of the Informa Tech Division of Informa PLC


Partner Perspectives  Connecting marketers to our tech communities.
12/9/2014
10:55 AM
Vincent Weafer

2014: The Year of Shaken Trust

We can rebuild that trust.

Trust was probably the biggest casualty of the past year in security. Consumers were confronted with multiple thefts or exposure of their personal information, from credit cards to healthcare to social networks. Businesses had their confidence shaken with the discovery of significant code vulnerabilities in widely used software. National and local governments inadvertently exposed personal information about citizens.

In the long term, we’re going to have to deliver an e-commerce model in which security is built-in by design, seamlessly integrated into every device at every layer of the computing stack. In the short term, CEOs will be (and have been) called to testify before Congress, CxOs will lose their jobs, and the industry will focus on breach detection and response. There will continue to be consequences for getting security and privacy wrong. If organizations fail to protect our information, governments will increase the scope of rules and regulations, as well as the severity of punishment.

Consumer credit-card information continues to be a valuable target in the United States, where cards with magnetic stripes are still in common use and easier to hack than chip-and-pin cards. The growing use of digital wallets is increasing the credit-card attack surface. However, attacking point-of-sale systems is just the tip of the iceberg. We expect the number of devices on the Internet of Things (IoT) to surpass the number of mobile devices sometime in 2015, and to keep growing. As these intelligent, Internet-connected devices experience exponential growth, they provide a rich target for cyber criminals. Based on research from Intel Security’s McAfee Labs and our partners, 90% of these devices collect at least one piece of personal information, 80% have weak password protection, and 70% have other security exposures. The wide variety of hardware and software modules that make up these devices makes securing each device a difficult task. To augment IoT device security, we will see an increase in network security and chip-based security solutions.

For governments and businesses, confidence in their Internet servers to store and serve data securely was hit hard in 2014, with a number of major vulnerabilities, including Heartbleed, Shellshock, and BERserk. Application vulnerabilities were on a declining trend from 2006 to 2011, but have climbed steadily since then and have now surpassed the previous peak. Unfortunately, some of these vulnerabilities are found in the malware isolation technique known as sandboxing, implemented by many popular applications. External or standalone sandboxes are containing these threats for now, but cyber criminals are exploring ways for their malware to escape those confines as well.

Cyber Espionage Poses Increased Threat

Possibly the greatest threat we have seen this year is the refinement of cyber espionage campaigns toward long-term intelligence gathering, made possible by sophisticated detection-avoidance tactics. Although this field is mostly the domain of nation-state actors for now, we expect that cyber criminals will study and emulate these techniques. The development and deployment costs of cyber espionage attacks will leave most cyber criminals in the smash-and-grab game. However, some companies with very valuable digital assets or significant enemies will find themselves the target of one or more of these sophisticated attacks, in which the goal is to gather intelligence over time and eventually sell it to the highest bidder.

These and other sophisticated threats have exposed the weakness of relying on multiple defenses that are disconnected from each other. Identifying and containing these attacks requires information sharing, data correlation, and human collaboration at all levels, from laptop malware scanners to enterprise firewalls, security operations centers, and even the security vendors themselves. At the FOCUS 14 security conference, for example, Intel Security demonstrated McAfee Threat Intelligence Exchange (TIE), which unifies and correlates threat data from global sources with local intelligence information to more quickly identify attacks and narrow the gap from initial encounter to containment.

We have also seen greater inter-company collaboration this past year, with more to come. Intel Security, Symantec, Fortinet, and Palo Alto Networks co-founded the Cyber Threat Alliance, a group of security vendors committed to quickly sharing information on zero-day vulnerabilities, advanced persistent threats, and indicators of compromise, to improve defenses and better protect organizations and consumers. We have seen several collaborative, cross-border takedowns of criminal botnets, such as Operation Tovar. We expect to see more of this collaboration among vendors, government agencies, law enforcement, and academics in 2015, across competitive and political barriers, resulting in greater knowledge sharing and more takedowns of cyber criminals.

We have certainly not seen the last exploits of the high-severity vulnerabilities of 2014. Rebuilding trust and confidence will be a priority for 2015, but this means changing the security postures of many organizations. On the plus side, whether we are talking about physical or virtual security, as the threats and attacks increase, the defenses must adapt. Security on a chip will change the security paradigm for servers and endpoints, including mobile and IoT devices. Biometrics and password-management tools will address the weak link of user ID and password authentication. Data-analysis tools, fast threat intelligence sharing, and improved telemetry from security sensor devices will reduce the time to detection by building better reputation and behavior models.

The public has been reawakened to the risk of cyber threats by the very public and very meaningful security events of 2014. But as an industry, we are responding with stronger collaboration among products, vendors, and governments. These steps will go a long way toward restoring that lost trust.

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team ...
Comments
macker490
User Rank: Ninja
12/9/2014 | 2:02:45 PM
"shaken" ?
"shaken" trust?

Better written as shattered trust. The Snowden affair followed by the 60 Minutes exposé on PCI fraud has finished the job. We have to fire the coach and the manager and get new help in here.