Sophos has released its Security Threat Trends 2015 report that exposes the biggest security risks on the horizon and explains the real-world impact of evolving cyber threats on businesses and consumers in the New Year.
The full report highlights the following 10 areas Sophos experts believe will have the biggest impact on security in 2015 and beyond:
1. Exploit mitigations reduce the number of useful vulnerabilities
Cyber criminals have, for years, feasted on Microsoft Windows. Fortunately, Microsoft has invested in exploit mitigations, which makes writing attack code more difficult. As the difficulty of exploitation increases, some attackers are moving back to social engineering, and we also see attackers focusing on non-Microsoft platforms.
2. Internet of things attacks move from proof-of-concept to mainstream risks
In 2014, we saw more evidence that manufacturers of Internet of things (IOT) devices have failed to implement basic security standards, so attacks on these devices are likely to have a nasty real world impact. The security industry needs to evolve to deal with these devices.
3. Encryption becomes standard, but not everyone is happy about it
With growing awareness of security and privacy concerns due to revelations of intelligence agency spying and newsworthy data breaches, encryption is becoming more important than ever, though not without controversy. Certain organisations like law enforcement and intelligence agencies are unhappy about the prospect of pervasive encryption under the belief that it may adversely impact safety.
4. More major flaws in widely-used software that had escaped notice by the security industry over the past 15 years
From Heartbleed to Shellshock, it became evident that there are significant pieces of insecure code used in a large number of our computer systems today. The events of 2014 have boosted the cyber criminals’ interest in typically less-considered software and systems – so businesses should be preparing a response strategy.
5. Regulatory landscape forces greater disclosure and liability, particularly in Europe
The law moves slowly compared to the technology and security fields, but massive regulatory changes that have been a long time coming are nearly here. It is likely these changes will trigger consideration of more progressive data protection regulation in other jurisdictions.
6. Attackers increase focus on mobile payment systems, but stick more to traditional payment fraud for a while
Mobile payment systems were the talk of 2014 after Apple stormed ahead with Apple Pay. Cyber criminals will be looking for flaws in these systems, but the present designs have several positive security features. Expect cyber criminals to continue abusing traditional credit and debit cards for a significant period of time as they are the easier target for now.
7. Global skills gap continues to increase, with incident response and education a key focus
As technology becomes more integrated in our daily lives and a supporting pillar of the global economy, the cyber security skills shortage is becoming more critical and broadly recognised by governments and industry. This gap is growing larger, with some governments forecasting a widening gap through the year 2030, given the present scarcity of qualified IT security professionals.
8. Attack services and exploit kits arise for mobile (and other) platforms
The last few years of cyber crime have been hallmarked by the rise of products and services to make hacking and exploitation point-and-click easy. With mobile platforms being so popular (and increasingly holding juicy data), we will see more crime packs and tools focusing on these devices explicitly. We may also see this trend come to fruition for other platforms in the IOT space, as these devices proliferate around us.
9. The gap between industrial control systems and real world security only grows bigger
Industrial control systems (ICS) are typically 10 years or more behind the mainstream in terms of security. Over the next couple of years, we anticipate more serious flaws exposed and used by attackers, as opportunities vacillate between state-sponsored attacks and financially motivated ones. In short, it is an area of significant risk.
10. Interesting rootkit and bot capabilities may turn up new attack vectors
The technology industry is in the process of changing major platforms and protocols from those that we have relied on for some time, and these lower level changes will expose interesting flaws that cyber criminals may be able to capitalise on. This mass of major changes away from old guard technology standards could re-open old wounds and reveal major new security flaw categories.
“After a year of big data breaches like Home Depot and Sony, for example, it’s easy to predict that cyber security will be a hot topic in 2015,” adds Brett Myroff, CEO of Sophos distributor, NetXactics.