Top 10 Cyber Security Predictions for 2014 and Beyond

Cyber security is fraught with chaos, uncertainty and surprises. Insights into the future are a risky proposition, but they can be very valuable in preparing for the challenges ahead. As part of my annual practice, I am dusting off the crystal ball and once again peering into the future of cyber security. My predictions for 2013 were illuminating and I intend to continue the trend.

Certain characteristics of security are as persistent as a metronome and will continue to hold true in the coming year. These are as easy to predict as gravity, and go without saying: malware will increase, vulnerabilities will be discovered, systems will be hacked, patches will be issued, fraud and loss will be rampant, stories will be sensationalized, victims will cry, attackers and defenders will become more skilled, and legislatures will demand action.

Let’s venture a deeper look and go beyond those pedestrian predictions. For 2014 I postulate my prognostications on how threats will evolve, defenses improve, new battlefields emerge, businesses are affected, and how the general population will come to the self-realization that their choices affect digital security. These are in no particular order:

Top 10 Security Predictions for 2014 and Beyond:

1. Active defensive and offensive security continues to rise

The previously predicted cycles of offensive security will continue to unfold. Huge investments by large customers will fuel the market, driving commercial security and defense organizations to develop and offer new products and services. As the talent pool is absorbed, it will leave a void that educational institutions will race to fill, driving salaries upward.
Across the world, government cyber capabilities will become more publicized and begin to be seen in the context of a necessity of escalation.

Discussions, products, and services for “active defense” will become more commonplace in the media, drawing the attention of the industry seeking better controls and more efficient ways to maximize security spending. Support functions such as forensics, investigations, and detection/response capabilities are going to be the first to mature.

2. Expansion of financial targets, with attacks going deeper, faster, and with more complexity

Financial targets will expand well beyond banks and reach more deeply into ecommerce, crypto currencies, credit institutions, and end-user financial blackmail. Banks will continue to be under tremendous pressure from attackers seeking a big score. However, other supporting financial targets will also come under attack, such as retail point-of-sale (POS), large internet ecommerce systems, and credit institution infrastructures. Objectives will reach further than just theft, to include money laundering and covert currency transfers. Individuals will not be exempt, as a rise in blackmail and ransomware will be a greater annoyance and drive investment in malware prevention and backup solutions for recovery.

One of the most interesting trends we will witness will be the exploitation, theft, and misuse of crypto-currencies like Bitcoin and its competitors. These technology-based fiat currencies are relatively new and very unstable. Dozens exist – Bitcoin is the most recognizable example – and more are sure to be created. They are not backed by any central organization or commodity and can simply be created through software and willing users. Such crypto-currencies are very volatile and many have imploded with no residual value for their owners. The few which survive and gain acceptance may be used to purchase goods, services, and even other currencies around the globe.
These digital bits can possess great value. Following the principles of Mr. Willie Sutton, an infamous bank robber of the 20’s, thieves go “where the money is.” This is how it has always been, as thieves gravitate to anything of value. Coupled with a high degree of anonymity, transportability, and difficulty of being taxed, crypto-currencies will be prized targets for attackers.

3. Economic impacts of privacy and cyber-crime will be sufficient enough to influence policy

Better industry metrics and business modeling will help the industry quantify economic impacts of privacy and malicious cyber activities. Armed with such information, policies will be lobbied to protect businesses, markets, and interests. A rise in lobbyists and social groups will drive more legislative proposals in local, regional, and international political circles.

Cloud and data virtualization, communication services, and data collection/aggregation will be at the forefront of the discussions. Consumer, enterprise, and government customers will be interested and impacted. Security exposure, marketing influence value, privacy impacts, geographic limitations, and an understanding of where and who has access to data will be pivotal in determining economic impact.

4. The next battleground emerges, with Hardware and Firmware attacks becoming more prolific

The desire for more pervasive, stealthy, and resilient control by attackers will drive hardware- and firmware-based attacks to gain momentum and real exploits will be seen in the wild. Well-financed, talented, and dedicated teams (such as those by governments, organized cyber-criminals, and the next generation of researchers) will be best suited to address the difficulty, challenges and costs associated with this type of work.

This will coincide with the emergence of new SoCs as part of the Internet of Things (IoT) phenomenon and align with desires to compromise industrial environments (ex. SCADA).
Alternatively, better security controls and services will be developed for industrial environments, creating yet another area of escalation between attackers and defenders.

The innovation companies will race to bring massive numbers of internet-connected devices (ex. appliances, wearables, vehicles, home automation, etc.) to market and as a result, the design and testing of security for those products will suffer. News of hacks will be commonplace shortly after release of product availability. Security will be considered an afterthought until companies see the value of proper design investment (via bad PR, lawsuits, loss of customer confidence) or emerging regulations force the matter.

5. Security technology improves for some key areas, making compromise more difficult

Investments in security controls will reap benefits in other areas. Banking access and applications will become stronger, especially from mobile devices. Communications will be hardened for email, social postings, web browsing, instant messaging, IP phone calls, group chats, and video conferencing. Social media will get the double-sided benefit of more secure access, posting, and storage as well as the ability for patrons to contribute to sites in more anonymous and private ways.

The industry will see improvements in tools and services for computer forensics, cyber investigations, and better detection/response capabilities. This will lead to the discovery of more, previously undetected breaches and therefore a rise in breach notification numbers.

6. Attackers innovate and adapt at a significantly faster pace than security, maneuvering for greater overall opportunities

A flood of investment, talent, and time will be spent looking for more vulnerabilities and ways to exploit the cyber world. Such competition will drive exploit markets, shrink the time of discovery, and drive an expansion of the types of systems being scrutinized. Attackers will move in-step with technology innovation and adoption.
Emerging devices and security mechanisms will be quickly analyzed and dissected. Security will continue to struggle to keep up, and will likely fail more often.

The value of quality exploits will rise. Both dark and open markets will provide the means to sell such knowledge for significant income. The longstanding tradition of openly reporting such vulnerabilities for reputation gains will give way to profit seekers selling to the highest bidder.

7. Cloud will grow, but security concerns will drive more compartmentalization and controls

Cloud and virtualization technologies in the datacenter will continue to grow and deliver strong economic and service delivery benefits, but newfound emphasis on security will drive changes to architecture, physical deployments, and control attestation. Regulatory and customer privacy concerns will invoke restrictions on data’s geographical location. Physical and advanced logical isolation controls will gain popularity to limit the risk of data hemorrhaging across different customers, services, and administrators. Customers will want assurance that their workloads are more compartmentalized and secure. We may even see the emergence of more private Internets.

8. Rise in individual and small and medium business (SMB) attacks, due to automation and economies of scale for attacks

SMBs and individuals have always been targeted, mostly due to the typical lack of security and ease of compromise. It has been a problem, but traditionally most attackers seek higher value targets. The low value of SMBs and individuals greatly limits their desirability for attackers, who are lured toward attacking fewer targets with the potential of much bigger returns. For a long time, large organizations weren’t terribly secure, but over the years they have been closing vulnerabilities and improving security practices. The tipping point is approaching this year where through the use of advanced automation it becomes economical to expand the tactics.
Automation techniques have advanced to include both the initial compromise as well as taking access to information and turning it into money for the attacker. Attackers will diversify to include compromising many smaller easy targets instead of just a few larger more protected ones.

9. Regulations and industry standards continue to evolve in a fragmented way and will remain confusing and difficult to follow

The calls for more regulations and controls, sometimes focused on limiting what governments can do, are increasing. The concerns for weak critical infrastructures and regulated environments, such as healthcare and finance, continue to spawn legislative proposals for more laws and standards. Many of these originate in sub-national bodies and rarely attain a common agreement at the international levels. Without coordinated focus, such efforts are highly fragmented and specific to the regional needs. Resulting complexity makes it very difficult for businesses to understand nuances and put reasonable controls in place to meet all the demands. Consequently, it fosters situations ripe for lawsuits, injunctions, and non-compliance findings, adding pain to frustration.

10. Rise in social self-awareness for security. People realize behavioral cause-and-effect “We are victims of our own desires…”

People are an integral part of security and our behaviors are one of the most important aspects. However, psychologically, most people defer the responsibility of security to other entities such as product manufacturers, software vendors, service owners, law enforcement, or system administrators. It has been a long road, but this year I predict society will begin to look inward and realize they have tremendous control over their security and it is their actions which fuel the cause-and-effect cycle.

Our desires for convenience, social communication, entertainment, and profit are driving dangerous actions that lead to compromise and loss.
People will begin to act with more forethought, will consider risks more carefully, and will weigh options when it comes to their digital lives. It could be a watershed moment for the security industry.

There you have it – my top 10 predictions for 2014. If you want to evaluate my crystal ball reading ability, take a look at my 2013 predictions and decide if I am worthy. Come back in December and we can celebrate together or you can berate me mercilessly. Either way, it should be a fun and interesting 12 months.

Matthew Rosenquist is an information security strategist, with a passion for his chosen profession. Benefiting from nearly 20 years of experience in Fortune 100 corporations, he has thrived on establishing strategic organizations and capabilities which deliver cost effective information security services.

Meet him in person at The Arizona Technology Council Cybersecurity Summit on May 7th in Scottsdale
Find him on LinkedIn
Follow him on Twitter (@Matt_Rosenquist)
Follow his blog at Information Security Strategy
Check out his previous posts and discussions
