In the last 3 years, we all have failed in our predictions. The year 2013 started off with major DDoS attacks, something no one saw coming even though we knew hackers had been building up such capabilities in the years prior. This year, we set a new record for the number of data breaches and the number of user identities compromised.
But what will transpire in 2015?
Let me attempt one prediction. The adoption of open source and Linux-based systems seems to have reached a point of no return. Apparently, at least 50% of the Internet uses Linux. When the BASH vulnerability (Shellshock) was announced in August, it was clear this was a big issue simply because of the number of systems that use Linux, especially those that run web servers.
Free eBook: Modern Retail Security Risk – Get your copy now.
But this wasn’t the only one; we also ran into some other major issues. We’ve discovered that the SSL protocol, which we have used for so many years, is flawed, and as we adopt different technologies that veer away from Microsoft, at least for certain aspects of IT, we find that other systems are flawed as well. Here we are running into an entirely new issue: who’s maintaining those systems?
I’m not a fan of MS by any means, but there’s indeed a difference here. After all, when MS recognizes a vulnerability, they patch it before they announce it. In the open source world, however, there’s no one responsible for such a process. Therefore, the vulnerability is announced before you even have a chance to figure out how to protect yourself. This creates a nice advantage for hackers (as if they needed another one), leaving vulnerable, unpatched systems ripe for the picking.
So where’s the prediction, you ask?
Simple – the more we use Linux and open source, the more vulnerabilities we will unearth, and the more issues that will arise. In 2015, it’s likely we’ll see more such vulnerabilities and be scrambling to fix them.
On a similar note, the announcement that SSL is inherently flawed isn’t to be underestimated. SSL is THE protocol of choice for encryption in a very large part of the internet. TLS is gaining traction, but SSL is still predominantly used by companies. In many cases, moving away from SSL means updating systems that cannot easily be updated. So I don’t foresee SSL disappearing magically.On the contrary, I think many people will continue using it, most of them even unaware of the issues, which will cause many of these systems to fall prey to hackers.
Adding on, the new high level domains aren’t being handled in the same way as the original root domains (.com, .org, edu, .gov, .mil and so forth). Each day, new high level domains are being announced. However, the registrars who handle them aren’t forthcoming about the “whois,” so anti-spam for emails from these domains could be a problem. And with the diffusion of more spam, more malware will come into being as well.
On a completely separate note, it’d be nice if we could, once and for all, understand the schizophrenic relationship we have with China.
On the one hand, our President flies there to sign a treaty to reduce CO2 emissions; on the other, the same administration tells us that Chinese entities likely backed by the government are carrying on cyber attacks against our national interests. So, are we in a sort of cyberwar with China that is undeclared and, for the most part, ignored?
It’d be nice if we, the people, could understand what’s really going on here and why we keep such close ties with someone who has allegedly declared a cyberwar against us.
The fact that it’s “cyber” and that no one has (yet) died as a result thereof doesn’t make it any less dangerous. This isn’t a prediction though. It’s just a hope that things will become at least a little clearer, for I think I can speak for many of us when I say, “I am quite confused as to what’s going on here”.
By Pierluigi Stella, Chief Technology Officer, Network Box USA
Bio: After 15 years at IBM, Pierluigi Stella co-founded Network Box USA in 2003. As CTO, he has extensive knowledge of security issues with emphases on the financial; banking; hospitality and travel; healthcare; and education sectors.
Stella has been featured in SC Magazine; USA Today; LATimes.com, Dark Reading; NYTimes.com; Tech News World; Better Banks System; PC Mag; Communications News; PC Today; CU Times; and Tech Port. He is a frequent Featured Expert Contributor on CUinsight.com and has also been profiled in the Houston Business Journal as well as Houston Public Radio. A regular sight at premiere trade shows and industry conferences, he has presented, among others, at the ISACA/IAOP 2011 Risk Management & Data Security World Conference in Denver.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.