Security breaches made international headlines in 2014, and efforts are being made by product developers and IT managers to prevent history from repeating itself. But as one side gets smart, the other gets smarter.
Mark Painter, product marketing manager for the Fortify division of HP Enterprise Security Products, takes a look into his crystal ball to share his security predictions for 2015.
IT in Canada: Experts have said that 2014 was the year of the security breach. What will be done to prevent these issues from reoccurring?
Painter: First and foremost, there’s a shift in both resources and thinking that needs to take place, where we move from trying to block every single attack to doing a better job of detecting when those attacks occur and then shutting them down in real time to limit what damage they cause.
Right now, the attackers can change their tactics far faster than the security industry can respond. The simple truth is that every attack can’t be blocked, yet that’s still where organizations spend most of their limited resources. So until that shifts, we’re going to see more of the same.
ITIC: You mentioned in a blog post that “things will get worse before getting better.” Why is this?
MP: It’s getting easier for attackers to perpetrate attacks, and harder to defend against them, and that’s been happening for years. According to HP’s Cost of Cyber Crime Report for 2014, the number of successful attacks per week has nearly tripled since 2010. The average time it takes to resolve a cyber attack is also rising, climbing to 45 days, up from 32 days in 2013.
One reason the trend will continue is that the tools, information, and talent required to conduct successful attacks are all for sale. Attackers are far better at sharing information than the good guys are, so when a new attack is discovered, hackers are instantly aware of it and looking to exploit it. They’re far more professional and organized than we give them credit for. You know when malware comes with customer service options that we’re living in a different era.
A second and related problem is that security just keeps getting more complicated. Just consider how the Internet of Things impacts security. Suddenly, you’ve got all these new access points, a lot of them never designed with any sort of security in mind. The potential attack surface is going to grow exponentially in the very near future.
ITIC: It’s been said that hackers are getting smarter with their techniques. What can be done by IT to gain the upper hand?
MP: Organizations must take a more holistic approach to enterprise security – one that considers people and processes in addition to technology and products. The reality is that IT will not win the arms race against attackers, so rather than matching threats weapon for weapon, we can focus on protecting the information and assets that actually are important to the business.
Many standard security practices don’t consider the full spectrum of actions cyber criminals employ. Hackers are getting incredibly sophisticated in their methods, and it doesn’t always happen via technology. For example, spear phishing is an incredibly targeted social engineering attack that’s very hard to stop with only technology. How exactly do you train an employee not to click a link in an email that appears as if it legitimately came from their supervisor? The reality is that the security is overinvested in products and technology, and underinvested in the people and processes necessary to address these hard questions.
ITIC: Why will more hackers target open source material?
MP: Open sourced components are still fertile ground for security researchers, absolutely. For one, open source software components are everywhere, so the potential attack surface is huge. Just look at the two biggest vulnerability stories of last year, both of which involved open source components.
Heartbleed, a vulnerability in widely used open source component OpenSSL, was estimated to affect 66 per cent of websites. And Shellshock, a far more critical vulnerability in open sourced OpenSSH, was estimated to impact 500 million Apache web servers, and that’s before even considering all the other things like routers that were affected. So any researcher who discovers a vulnerability in such widespread implementations has hit gold, to say the least.
Another reason open sourced software is valuable to attackers is that open source developers have no way of knowing who is actually using their components. So when a vulnerability is discovered, details are released to both the attackers and security professionals simultaneously. The timing gives attackers a window of time to launch attacks before the vulnerabilities can be patched.
And you can’t devalue what it means to an attacker to have access to source code. That makes research that much more effective. So all of those things really make open sourced components very attractive targets.
ITIC: Despite all of the negativity in the news, is there any light at the end of the tunnel for security?
MP: One thing that really looks better for 2015 is that retail transaction security is set to greatly improve as more companies move to chip and pin credit card technology, and consumers embrace Apple Pay and other forms of electronic payment.
And there are promising new technologies in development. Supposedly unbreakable quantum encryption is just on the horizon. A new wave of technology that lets applications adapt and protect themselves in run time is now available.
We’ve also reached an era of unfortunate necessity where better communication between different vendor products and technology has become mandatory. So the security industry recognizes the importance of information-sharing and governments do as well. Now we’re just going to have to figure out how to build the framework that supports it.
If nothing else, the drumbeat of stories about data breaches and high profile incidents like the Sony hack raised security to a level of public consciousness like never before. Knowing the implications should empower and help users make better security decisions. Ultimately, users are going to have to be a part of the solution, whether it’s by getting smart about social engineering attacks or by utilizing their cell phones to enter passwords via text messages. So it’s not all gloom. It just feels like it sometimes.