Monthly Archives: December 2014

No single prediction is perfect, so I look at four

As 2015 approaches, it is time for new year resolutions and wishes. For security industry, we are busy preparing for another eventful year!!

When preparing for our budget and project portfolios, it maybe useful to look at predictions from leading security vendors.  Cyber security is an intelligence game. Can Websense, Sophos, FireEye and TrendMicro predictions help us? I will write another post to provide my thoughts.

Legend : Orange cells are directly related to Smartphone. Red words are related to payment systems.

2015 Cyber Security Predictions

Websense Sophos FireEye TrendMicro
Healthcare will see a substantial increase of
data stealing attack campaigns
Exploit mitigations reduce the number of useful vulnerabilities Mobile and Web-based viruses remain a scourge, and hardly a week goes by without hearing of another data breach or a new malware. More cybercriminals will turn to darknets to share attack tools, stage attacks, and market stolen goods.
Attacks on the Internet of Things will focus on
business use cases, not consumer products
Internet of Things attacks move from
proof-of-concept to mainstream risks
Mobile ransomware will surge in popularity. Cryptolocker attained a measure of success this year, and so attention is expected to further turn to mobile in order for attackers to gain access to your phone and contacts. There will be bolder hacking attempts as cyber activity increases.
Credit card thieves will morph into
information dealers
Encryption becomes standard, but not everyone is happy about it Point-of-sale (PoS) attacks will also become a more popular method of stealing data and money — and PoS attacks will strike a broader group of victims with increasing frequency. An exploit kit that specifically targets Android users will surface.
Authentication consolidation on the phone
will trigger data-specific exploits, but not for
stealing data on the phone
More major flaws in widely-used software that had escaped notice by the security
industry over the past 15 years
 As retailers strengthen their defenses and more criminals get into the game, cyberattacks will spread to “middle layer” targets including payment processors and PoS management firms. Targeted attacks will become a norm.
New vulnerabilities will emerge from decades
old source code
Regulatory landscape forces greater
disclosure and liability, particularly
in Europe
Attacks on the enterprise supply chain will surge, as less mature or financially able companies become weak links in an ecosystem where only top firms can bolster their defenses to acceptable standards. Bugs in open source apps will continue to be exploited.
Email threats will take on a new level of
sophistication and evasiveness
Attackers increase focus on mobile
payment systems, but stick more to
traditional payment fraud for a while
Lack of adequate response could result in a major brand going out of business  New mobile payment methods will introduce new threats.
As companies increase access to cloud and
social media tools, command and control
instructions will increasingly be hosted on
legitimate sites
Global skills gap continues to increase, with
incident response and education a key focus
With such risks in the corporate realm, cyber insurance as an industry is expected to grow. We won’t see head-on IoE/IoT device attacks, but the data they process will tell another story.
There will be the new (or newly revealed)
players on the global cyber espionage/cyber war battlefield
Attack services and exploit kits arise for mobile (and other) platforms   More severe online banking and other financially motivated threats will surface.
  The gap between ICS/SCADA and real
world security only grows bigger
   
  Interesting rootkit and bot capabilities
may turn up new attack vectors
   

Cyber security info explosion

As a IT security guy, I used to read cyberattack and data breaches news, trying to learn from others missteps. However, in the past few months, it becomes impossible to keep up with those stories! There is a cyber security info explosion in mass media. Blogger, journalist, lawyers, bankers and even comedian started to comment on cyber security.

Just thinking, we may need a course to teach people how to (not to ) write about cyber attacks. Purely rely on fear factor is not helping.