Predicting Future Security Threats is a Risky Business
Independent data security expert Graham Cluley reviews computer security stories of 2014 and makes his predictions about threats coming in 2015.
19 March 2015
Events cast shadows before them, but the huger shadows creep over us unseen.
If recent events have taught us anything, they should have drummed into us that we need to be wary of predicting future security threats.
After all, it's clear that the threats we need to worry about the most are the ones that aren't predicted, which leap upon us out of nowhere, taking us by surprise.
Who, for instance, would have predicted the Heartbleed bug?
That vulnerability, at the heart of billions of supposedly SSL-secured communications made every day, put the data of millions of users at risk and must have caused many IT managers to bust a blood vessel, worrying about whether their web servers were vulnerable.
The Heartbleed bug first sneaked into the code of OpenSSL version 1.0.1, released on April 19th, 2012, and sat there, unnoticed, for over two years, waiting for the first person to discover it and use it to rip apart the privacy of businesses and consumers around the world.
No-one could have predicted it.
Similarly, no-one predicted (and boy, there was plenty of time!) the Shellshock vulnerability.
Shellshock (also known as the Bash bug) was a vulnerability in the Bash command shell software found at the heart of Unix-based systems such as OS X, and practically every Linux, Unix and BSD distribution. Even if you weren't running one of those operating systems, it was possible that you had software running on your computer which spawned Bash processes.
And those processes could be exploited, and your systems hijacked, by an attacker on the other side of the world.
There's only one thing that was more astonishing than the Shellshock vulnerability having existed in Bash since 1989, and that's the fact that it wasn't discovered until 2014.
For 25 years it went unnoticed, and unpredicted, despite the "many eyes" which could have looked closely at its open source code.
And then, because of that extraordinary oversight, malicious hackers exploited the flaw to spread malware, open backdoors, and launch denial-of-service attacks.
And then there was the amusingly-monikered POODLE attack — not as dangerous as Shellshock or Heartbleed, but still a security concern ... and one that had been in existence for some 18 years without anyone noticing or predicting a problem.
Finally, in the last week or so, we have all been running around ensuring that our systems are patched against the FREAK vulnerability — a problem brought about by U.S. authorities deliberately weakening encryption products in the 1990s.
Maybe we should have predicted that the intentional banning of strong encryption would come back to hurt us, but I don't think anyone saw that particular bug coming.
Security and Privacy Predictions for 2015
I had this in mind when Intralinks recently invited me to give a webinar discussing what security threats and privacy dangers might rear their head in the coming months.
The cloud, naturally, plays a big part.
As companies and users come to rely ever more upon online services, such as cloud syncing and storage, web mail, and social media, they worry whether enough is being done to defend against attackers, with layered defenses (such as two-factor authentication) to make successful breaches trickier to pull off.
Other predictions are easy too:
- More targeted attacks against corporations
- Serious breaches at retailers through the exploitation of point-of-sale terminals to steal customers' payment card details
- More revelations of state-sponsored espionage, and how employees bringing consumer technology into the corporate workplace can put business data at risk
The time has never been better to review whether your company has the right systems, enforceable security procedures, and processes in place to feel confident its data is being properly secured: to determine whether you have weak password policies, and to ensure that sensitive information is being securely encrypted and that there are tight controls over who can access it.
We may not be able to accurately predict all threats, and we may not know what's hiding around the next corner, but we can make sure that we are aware of the trends and the direction things are moving in.