
Top 10 issues in IT security for 2014


From banking hacks and malicious mobile apps to insider leaks and a
serious data breach each month, 2014 promises to be a challenging year for
CISOs.

From banking hacks and malicious mobile apps to insider leaks, 2014 promises to be an
interesting but challenging year for CISOs. Here, SCMagazineUK.com looks at the
issues coming into view.
1. Insider threat isn't going away
Former CIA contractor Edward Snowden may be holed up in Russia but his influence
over the IT security sector is still tangible, casting a shadow over 2014.
That's especially true in the corporate world, with large organisations fearful that their
own employees could readily leak data to unauthorised, outside sources.
"Companies should know who they are giving their data to and how it is being
protected," said Tim Ryan, managing director and cyber investigations practice leader at
US-based risk mitigation and response firm Kroll. "This requires technical, procedural
and legal reviews."
Ryan suggests that the insider threat is still very real and believes that there may be
others like Snowden across a range of organisations.

There's a tremendous amount of data compromised today where the act is never
discovered or disclosed.
"People discount the insider threat because it doesn't make the news. The insider threat
is insidious and complex. Thwarting it requires collaboration by general counsel,
information security, and human resources."
Malcolm Marshall, UK and global leader of the KPMG Information Protection and
Business Resilience team, added that the insider threat could, however, boost Internet
privacy.
"Snowden's revelations have triggered a privacy debate which will continue to rage in
2014," Marshall told SCMagazineUK.com. "Expect more disclosures, more calls for
greater transparency over government actions, and more efforts by the Internet giants to
persuade customers that their data is secure."
2. Cyber attacks, including government-sponsored, continue; education and
standards prioritised
Governments are stepping up their cyber efforts all over the world, both for
offensive and defensive purposes. As one such example, North Korea reportedly
spent some 470 million on a wave of cyber attacks against South Korea between
March and June 2013.
2014 will see a continuation of these kinds of efforts, especially with companies and
governments increasingly understanding the full repercussions of a cyber attack. Some
will even reportedly carry out state-sponsored attacks.
"Within the next couple of years, we will experience an increasing number of cyber
attacks resulting in militaristic and economic damage," said Jarno Limnell, director of
cyber security at Stonesoft, when speaking to SCMagazineUK.com.
As states compete to become credible world players we can expect to see further
announcements by various states regarding their offensive and defensive strategies.
Cyber is the new battlefield, and the fifth element of warfare. As such, it's likely that
future conflicts will involve cyber battles and because of this, states will be - and already
are - pouring a huge range of resources into developing defence and offence capabilities
for cyber war.
Limnell added that cyber security education will come into focus in 2014, while KPMG's
John Marshall believes that the cyber security threat will see the introduction of voluntary
compliance.

"As governments worry about the scale of the cyber security threat, we can expect to
see more national standards emerge, and greater pressure for voluntary compliance,"
he said.
The US NIST cyber security framework and the UK government's 'kitemark' are just two
examples. On the back of emerging standards we will see the cyber insurance market
develop and begin to provide market incentives for compliance, whether that is a
willingness to insure or reduce premiums. Non-compliance will also lead to a legal
debate over liability for incidents.
3. Enterprises deploy faster response and recovery solutions
Kroll managing director and Cyber Investigations practice leader Tim Ryan says that
companies will look for technology solutions that enable them to react to issues faster
than ever before in 2014.
"We've seen a dramatic improvement in response technology over the last year," says
Ryan. "Companies have never had a better opportunity to enhance their existing
protocols with a methodology that can mean an informed and timely response."
"Companies will gain a better understanding of their actual breach risks, how the breach
could actually affect their customers, and the best way to remedy those specific risks
and provide better protection to affected customers," he adds.
4. 'Social' the new frontier for cyber crime
Cyber criminals will increasingly attack social platforms in 2014.
"We predict many of the cyber crime tactics that are successful when targeting social
networking users will be applied in new, innovative ways within professional social
networks," reads a forecast report from Websense. Indeed, other studies suggest that
the frequency of cyber attacks will be so common that consumers will face data breach
fatigue, meaning they'll be less likely to protect themselves.
Websense cited one example of a fake LinkedIn user pinpointing users for an upcoming
phishing campaign, and said that attackers lure in execs by sending messages with
innocuous titles like 'Invitation to connect on LinkedIn' and 'Dear customer'.
5. DDoS attacks get even bigger but Botnets stick around
Distributed denial of service (DDoS) attacks were a big deal in 2013 and could be even
more prominent in 2014. NASDAQ temporarily went down as a result of an attack in
August, while Dutch web hosting company CyberBunker caused a global disruption of
the World Wide Web with a massive DDoS attack of its own.

If that wasn't bad enough, one study from Corero reveals that most organisations lack an
appropriate DDoS response plan, and security experts now warn that the severity of
these attacks could get worse over the next 12 months.
"One thing that I have noticed over the past year is that almost all successful DDoS
attacks have had massive traffic volumes associated with them," Joakim Sundberg,
security solution architect at F5 Networks, told SCMagazineUK.com. "However, these
attacks have not been very smart and volumetric scrubbing, combined with access
control, has, in most cases, solved the problems. Volume, as an attack vector itself, will
become less relevant as time goes on.
"Instead, I see two main themes emerging. Firstly, over the next 12 months I believe we
will see hackers developing more intelligent tools that are capable of adapting to and
using the weaknesses in the protection systems of specific targets. Secondly, we will
start to see underground organisations refining the user credentials stolen from
platforms like Facebook, Gmail and Twitter. There is a huge opportunity for hackers to
use stolen passwords in their attacks provided they can be put in the right context."
These smarter, more targeted DDoS attacks which leverage context and refined user
credentials for specific DDoS campaigns will be a lot more commonplace in 2014.
Sophos global head of security research James Lyne believes that botnets still find
favour with cyber criminals.
"I know we're talking about stealthier APTs but that doesn't eradicate the threat of the old
botnet adversary," he told SCMagazineUK.com, before adding that the ensuing visibility of
ZeroAccess, botnet payloads and other botnets that can do everything from mining
bitcoins to credit card fraud is something that needs monitoring.
"In the middle of 2013, there was a dip in ZeroAccess botnets, after a sinkhole traffic
effort across the whole industry," said Lyne. "But after a short period of time the attacks
were stronger than before the action was taken."
Lyne says that hackers are now squaring up to businesses, something he puts down to
greater skills and more tools.
"They've designed their infrastructure to make [their botnet] immune from sinkhole
attacks and moved around the static [security] infrastructure.
"The average cyber criminal has upped their skill level or gained access to new and
better tools. In 2014, there will be more players, more competition and more innovation.
The quality [of attacks] is going to increase."

6. Android to see a malware explosion


Google's Android is a constant concern as far as security is concerned, but Lyne thinks
that the threats will get worse in 2014.
"In 2013, we've seen a set of cyber trends that are now beginning to take off," he said.
"There are now more malware attacks, and they're actually challenging to deal with,"
Lyne told SCMagazineUK.com.
Now, apps are encrypted to command and control (C&C) as used in the PC world and
detection is more difficult. That's actually starting now.
Lyne urged businesses to put employees through awareness training, and to use basic
configuration to enforce encryption and restrict downloads to trusted app
stores. He added that firms should take a good hard look
at anti-malware and anti-virus solutions.
7. Internet of Things extends threats to 'dumb' platforms
Internet of Things is a hot new term which describes how devices are interconnected via
the internet, but it will be under the microscope as far as security is concerned in 2014.
"You can expect dumb things will get smarter in 2014," writes Symantec researcher
Kevin Haley.
With millions of devices connected to the Internet - and in many cases running an
embedded operating system - in 2014, they will become a magnet for hackers. Security
researchers have already demonstrated attacks against smart televisions, medical
equipment and security cameras. Already we've seen baby monitors attacked and traffic
was shut down on a major tunnel in Israel, reportedly due to hackers accessing
computer systems via a security camera system.
Major software vendors have figured out how to notify customers and get patches for
vulnerabilities to them. The companies building gadgets that connect to the Internet don't
even realise they have an oncoming security problem.
He added that these systems are not just vulnerable to attacks, but also have little way
of notifying consumers and businesses when they are discovered.

8. Consumer products penetrate the perimeter, boost demand for security protection
The increasing deluge of smartphones, tablets and other devices into businesses may
be improving employee productivity, but they represent a very real and growing
security risk.
"The security perimeter is a more penetrable boundary and cyber criminals can take
advantage of multiple attack vectors to gain access to a company's network," said Sam
Maccherola, VP of sales and general manager for EMEA at Guidance Software, in an
interview with SCMagazineUK.com.
"These points of vulnerability - mobile devices, USB drives and Bluetooth speakers - will
multiply through next year, making it difficult for organisations to keep track of all
the different entry points.
"Just as cybercriminals will exploit the increasing consumerisation of IT, as part of the
fight back we're likely to see organisations focused on the extension of security
protection to non-corporate owned devices to shore up their defences."
"We will see an increased volume of malware targeting hardware with cybercriminals
attacking beneath the operating system. The entry route to infect the network could be
mobile devices as cybercriminals use smart phones or USB devices to gain access to
PCs via Wi-Fi."

Banks continue to be susceptible to advanced persistent threats (APTs), as well as Man-in-the-Middle attacks which make two-step verification measures inadequate.
9. Regional clouds proliferate
Perhaps unsurprisingly in light of the National Security Agency (NSA) tapping data
centres and cloud storage providers in the US, security analysts foresee the rise of
regional cloud centres.
Writing for Microsoft's official blog, Trustworthy Computing director Jeff Jones said that
this represents an opportunity for vendors.
"In the wake of heightened concerns about unauthorised access to data, we will see the
emergence and broad promotion of regional cloud service offerings," wrote Jones.
The increased sensitivity to both legal data access and intelligence monitoring will be
seen as a market opportunity that will be actioned in two ways: start-ups and existing
providers.
Regional start-ups will see a new opportunity to compete against global providers, while
existing providers will develop and offer services delivered from regionally-based data
centres in an effort to allay concerns and provide increased customer choice.
10. Criminals prey on Windows XP vulnerabilities
Microsoft is dropping support for Windows XP in April 2014, and that means no more
patches and probably a lot more cyber attacks.
"Once Microsoft halts support of [Windows] XP, companies running the OS will not only
be faced with huge custom support costs, but will also expand their attack vector,
becoming potential targets for new malware and vulnerabilities targeting unpatched
systems," blogged Avecto's Andrew Avenessian.
"The coming end of support for Windows XP combined with Java 6 (which is already out
of support) and the issue of how broadly these legacy platforms are deployed means we
are likely looking at the largest number of un-patched and attackable vulnerabilities in
history," wrote Trend Micro's Christopher Budd in a blog post, adding that 20 percent of
PCs still run the dated operating system. Just as concerning, most ATMs have yet to
transition away from XP.
"If that doesn't describe a perfect storm, I don't know what does," concludes Budd.
