12/9/2014
10:55 AM
Vincent Weafer

2014: The Year of Shaken Trust

We can rebuild that trust.

Trust was probably the biggest casualty of the past year in security. Consumers were confronted with multiple thefts or exposure of their personal information, from credit cards to healthcare to social networks. Businesses had their confidence shaken with the discovery of significant code vulnerabilities in widely used software. National and local governments inadvertently exposed personal information about citizens.

In the long term, we’re going to have to deliver an e-commerce model in which security is built-in by design, seamlessly integrated into every device at every layer of the computing stack. In the short term, CEOs will be (and have been) called to testify before Congress, CxOs will lose their jobs, and the industry will focus on breach detection and response. There will continue to be consequences for getting security and privacy wrong. If organizations fail to protect our information, governments will increase the scope of rules and regulations, as well as the severity of punishment.

Consumer credit-card information continues to be a valuable target in the United States, where cards with magnetic stripes are still in common use and easier to hack than chip-and-pin cards. The growing use of digital wallets is increasing the credit-card attack surface. However, attacking point-of-sale systems is just the tip of the iceberg. We expect the number of devices on the Internet of Things (IoT) to surpass the number of mobile devices sometime in 2015, and to keep growing. As these intelligent, Internet-connected devices experience exponential growth, they provide a rich target for cyber criminals. Based on research from Intel Security’s McAfee Labs and our partners, 90% of these devices collect at least one piece of personal information, 80% have weak password protection, and 70% have other security exposures. The wide variety of hardware and software modules that make up these devices makes securing each device a difficult task. To augment IoT device security, we will see an increase in network security and chip-based security solutions.

For governments and businesses, confidence in their Internet servers to store and serve data securely was hit hard in 2014, with a number of major vulnerabilities, including Heartbleed, Shellshock, and BERserk. Application vulnerabilities were on a declining trend from 2006 to 2011, but have climbed steadily since then and have now surpassed the previous peak. Unfortunately, some of these vulnerabilities are found in the malware isolation technique known as sandboxing, implemented by many popular applications. External or standalone sandboxes are containing these threats for now, but cyber criminals are exploring ways for their malware to escape those confines as well.

Cyber Espionage Poses Increased Threat

Possibly the greatest threat we have seen this year is the refinement of cyber espionage campaigns toward long-term intelligence gathering, made possible by sophisticated detection-avoidance tactics. Although this field is mostly the domain of nation-state actors for now, we expect that cyber criminals will study and emulate these techniques. The development and deployment costs of cyber espionage attacks will leave most cyber criminals in the smash-and-grab game. However, some companies with very valuable digital assets or significant enemies will find themselves the target of one or more of these sophisticated attacks, in which the goal is to gather intelligence over time and eventually sell it to the highest bidder.

These and other sophisticated threats have exposed the weakness of relying on multiple defenses that are disconnected from each other. Identifying and containing these attacks requires information sharing, data correlation, and human collaboration at all levels, from laptop malware scanners to enterprise firewalls, security operations centers, and even the security vendors themselves. At the FOCUS 14 security conference, for example, Intel Security demonstrated McAfee Threat Intelligence Exchange (TIE), which unifies and correlates threat data from global sources with local intelligence information to more quickly identify attacks and narrow the gap from initial encounter to containment.

We have also seen greater inter-company collaboration this past year, with more to come. Intel Security, Symantec, Fortinet, and Palo Alto Networks co-founded the Cyber Threat Alliance, a group of security vendors committed to quickly sharing information on zero-day vulnerabilities, advanced persistent threats, and indicators of compromise, to improve defenses and better protect organizations and consumers. We have seen several collaborative, cross-border takedowns of criminal botnets, such as Operation Tovar. We expect to see more of this collaboration among vendors, government agencies, law enforcement, and academics in 2015, across competitive and political barriers, resulting in greater knowledge sharing and more takedowns of cyber criminals.

We have certainly not seen the last exploits of the high-severity vulnerabilities of 2014. Rebuilding trust and confidence will be a priority for 2015, but this means changing the security postures of many organizations. On the plus side, whether we are talking about physical or virtual security, as the threats and attacks increase, the defenses must adapt. Security on a chip will change the security paradigm for servers and endpoints, including mobile and IoT devices. Biometrics and password-management tools will address the weak link of user ID and password authentication. Data-analysis tools, fast threat intelligence sharing, and improved telemetry from security sensor devices will reduce the time to detection by building better reputation and behavior models.

The public has been reawakened to the risk of cyber threats by the very public and very meaningful security events of 2014. But as an industry, we are responding with stronger collaboration among products, vendors, and governments. These steps will go a long way toward restoring that lost trust.

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team ...
Comments
macker490,
User Rank: Ninja
12/9/2014 | 2:02:45 PM
"shaken" ?
"shaken" trust ?

Better written as shattered trust. The Snowden affair followed by the 60 Minutes exposé on PCI fraud has finished the job. We have to fire the coach and the manager and get new help in here.