Not many people in IT security will dispute that 2014 has been the Year of the Data Breach. Cyberattacks, whether through nation-state orchestrated intrusions or insider threats, were in the headlines non-stop this year. We are now at a point where we’ve seen so many retail breaches involving credit cards that a majority of consumers have actually become indifferent about being victims of fraud.
Free eBook: Modern Retail Security Risk – Get your copy now.
If 2014 was all about the exposure of security flaws in business infrastructure, user behavior and applications, then 2015 needs to be about how the IT security community responds to those flaws. How we rise to the challenge, assess the risks, prioritize prevention and mitigation, and better educate our employees about how bad user practices affect the bottom line will be as critical as the tools we use to ensure network security moving forward. And that starts with looking at what’s on the horizon.
What can we expect in 2015? Buckle up — I have a few thoughts.
The Password Must Evolve or Die
At the core of many of 2014 ‘s most high-profile cyberattacks were stolen passwords. Whether it was hackers stealing passwords to break into private iCloud accounts belonging to celebrities, or nation-state attacks involving abuse of passwords to gain access to JPMorgan Chase’s network, exposing the data of 76 million consumers, one thing is clear: If there is any hope of security staying alive, the password as we know it must go away, and evolve into something else that is less vulnerable. The security community has already received our first red flag about this shift. In early December, in response to the escalating avalanche of stolen credentials and data breaches, the Fast Identity Online (FIDO) Alliance released its long-awaited, upgraded specifications for password-free and multifactor authentication systems.
Technology such as Single Sign-on (SSO) and multifactor authentication are already changing the way passwords are handled in organizations of all sizes, but biometrics and other forms of authentication will continue to take hold as companies look to keep their data secure in the face of an ever-evolving threat landscape.
The NSA: Inventing New Ways to Access Your Data in 2015
In November 2014, the U.S. Senate failed to pass a bill known as the USA Freedom Act intended to halt the NSA’s practice of collecting and storing metadata from Americans’ phone calls — a program revealed by former government contractor Edward Snowden. In a recent Pew Research Center poll, more than 70% of adults said they are concerned that the government may be accessing personal information from their social networking sites without their knowledge. But despite that concern, and whatever comes next from Congress, the NSA won’t be giving up its power anytime soon. In 2015, regardless of further legislation reform, the NSA will continue to operate outside the scope of law and constitution. Organizations should assume that none of their data stored in the cloud is private, especially if it’s housed on third-party servers.
Snowden – The Worst is Yet to Come
Speaking of Snowden, don’t think for a second that we’ve heard the last of him. Just when the government and security practitioners thought the Snowden scandal had finally blown over, the fugitive former IT contractor was back in 2014 – first, with a bombshell cover story in WIRED, and then, with a few surprise appearances via satellite at major tech industry conferences. In 2015 he’ll reveal even more NSA secrets. We’ve only seen a small sample of what he was able to access during his time there. Not even the NSA itself is sure of what’s been compromised. He’s not done.
Nation-State Crypto-Wars Heat Up in 2015
Russia. China. Syria. Iran. And most recently, North Korea (possibly). In 2014, we saw example after example of nation-state cyberattacks commissioned by government-sponsored shadow entities, each one more targeted and sophisticated than the last. Whether it’s intrusions on the White House, the US Postal Service, or large national healthcare organizations, there’s no denying we’re in the midst of several cold wars being fought under cover of the Internet.
NSA Director Admiral Michael Rogers warned Congress in 2014 that a major cyberattack is, “Only a matter of the ‘when,’ not the ‘if,’” and that “We are going to see something dramatic” when it happens. At the federal level, we’re not going to see a serious initiative on data security until someone loses their life as a result of these cyberattacks between nation-states. Whether it’s a SmartGrid attack or the exposure of a government-maintained witness protection program database or worse, there will be a catastrophic event in 2015 that will force all of this to come to a head, and both the government and the private sector will have no choice but to take action.
The Insider Threat Roars Back
With so much focus in 2014 on external hackers, especially nation-state attacks on national assets, enterprise IT security personnel might be lulled into a false sense of security regarding the activities and behaviors of enterprise employees. It’s that lowering of defenses that will make it all too easy for insiders to help themselves to corporate secrets. In 2015, we’ll see a spike in so-called “insider threat” activity at large enterprises, healthcare organizations and government agencies. This will be a mix of disgruntled or curious employees, and just plain bad security practices, from the top down.
There you have it: the IT security architect’s vision of 2015. Regardless of how these predictions come to fruition, it’s on the security community to be prepared and take the necessary steps to make 2015 better than 2014. There’s nowhere to go but forward.
By Kevin Jones, Senior Information Security Architect, Thycotic Software
Bio: Kevin Jones is the senior information security architect for Thycotic, a Washington, D.C.-based provider of password security management solutions for organizations. A Microsoft MVP, Kevin has been a featured presenter at numerous IT and security events including IANS Forums, ISSA, ISACA and software development clinics.
