Major Breaches Will Abound And Companies Will Pay The Price
If 2014 was the year of huge breaches (Home Depot, Target, and of course, Sony), it stands to reason that if changes are not made, history could repeat itself in the coming year. Large companies with huge swaths of intellectual property and sensitive information are prime targets for activists and nation-state actors alike. While this may seem like old hat, the difference is that attackers are no longer going after the companies directly. Instead, they are relying on the network connectivity that has been granted to third-party systems such as HVAC controllers and the advanced technology found in break room refrigerators. As in the case of Target, systems were put in place by a vendor or the company itself, but were then left unhardened and running with default usernames and passwords still in place. As such, the attackers did not need to breach the hardened web or application servers exposed to the Internet. Instead, all that was needed was access to a user workstation via malware and a stealthy search for a system to use as a pivot point for deeper access. This attack method is not uncommon, and organizations of all sizes and industries are vulnerable without the proper security measures in place.
Moving into 2015, predictions can be made that continued breaches will be followed by judicial wrath. As we’re already seeing this year with Target, the courts are taking a hard line against companies who, in their opinion, should have known better or should have known about the issues. We’re also sure to see more cases where CISO and ISO staff have alerted senior executives to issues, only to see them ignored, often with catastrophic results. In these cases, the courts are sure to take a strong stance that negligence, not ignorance, was the cause of the breach. In short, 2015 looks to be a costly year for firms who continue to turn a blind eye to security-related matters.
Encryption for the Everyman
While already heavily in use by companies to protect web traffic, databases, and other sensitive data, encryption is likely to become a hot topic in 2015 for the consumer.
Much of this enhanced focus on encryption by the everyday person comes thanks to the Edward Snowden revelations and the public concerns over privacy. We should expect to see continued growth in niche products such as the Blackphone that take personal security and privacy to a higher level.
While phone encryption is one thing, encryption in the cloud is something else. Consumers are starting to understand that storing data with large companies such as Google or Microsoft does not mean that data is encrypted and privately secured. With companies like Google holding the encryption keys, the data may be protected from the masses, but it is not protected from Google or anyone they are compelled to share it with. As a result, more and more privacy and security minded cloud-based companies such as SpiderOak and ProtonMail are entering the marketplace and finding success. While these fast growing organizations are not as large as a Google or Microsoft, they do offer the everyday person the ability to feel confident about their file storage and email security.
Given the challenges faced in 2014, it’s going to be interesting to see what new companies and services are created to help protect the consumer and their data in 2015.
The Rise of the Internet of Things
What do a door lock, a refrigerator, a shelf, and a thermostat have in common? At first glance, absolutely nothing. However, if you look a little closer you’ll find that all of them have become part of the “Internet of Things”.
In 2015, the security issues associated with these advanced technological devices will be introduced to consumers. If researchers can show us the devastating issues associated with network-connected insulin pumps, one can assume that similar dangers associated with a networked thermostat, medical shelf, door lock or refrigerator will be brought to light.
Unfortunately, many of these systems are built with hard-coded default user IDs and passwords, have no firewall or any way of enabling one, and are simply not built with security in mind. Given these issues, 2015 is sure to see conference presentations demonstrating how to wreak havoc with these devices and cause distress for consumers and manufacturers alike.
In addition, 2015 could bring challenges as well as new opportunities for organizations that are committed to security. I’ve shared my thoughts on just a few of the multitude of things I see happening in 2015. What are your predictions?