At the beginning of every year, top security firms and professionals make predictions about what type of cyber attacks they expect to encounter in the next 12 months. I have looked at predictions made by 5 of the top experts to see if there are any consistent themes. I compared predictions from Websense (WS), FireEye (webinar) (FE), Wired (W), Kaspersky (K), and Trend Micro (TM). (The abbreviations will be used for easy reference.)
Raise your hands if you think cyber attacks are predicted to decline in 2015. Yeah, that’s not much of a prediction. All firms agree they will increase. There is some disagreement on what types of attack will be most prominent, but here is a list, in descending order, of what they more or less agree on.
More Nation-state Attacks (WS, TM, W, K)
Although these attacks may not be easily traced to the nations themselves, they may be traced to small groups that are supported by a particular nation. New nations, especially developing nations, may begin using such attacks. Small, loosely organized hacking groups may agree to work on behalf of nations to attain certain political goals. Intelligence and corporate data will continue to be targeted. Some of these attacks will use social media (TM). Others may target infrastructure and entire cell phone networks.
More Attacks Making Use of Mobile Devices (FE, TM, WS, K)
Probably not much of a surprise, but something that might begin to get more headlines as more and more breaches compromise smartphones and tablets to connect to larger networks. Some of these breaches will use malware in apps (TM) to take control of a user’s phone. Android devices might be specifically targeted (TM). However, there may be an increase in focus on Mac OSs and especially iOS 6 used in Apple mobile devices (K, FE). This will all call into question whether BYOD policies, already under scrutiny, are viable enterprise options and may stimulate a search for more innovative solutions for protecting corporate networks.
Supply Chain/Subcontractors Used to Launch Attacks (FE, WS, W)
This is what we saw in the Target attack. Such attacks exploit a belief common among small and medium-sized companies, which can be summarized as “I have nothing that anyone would be interested in.” Under this banner, they don’t invest much in security and, thus, become easy victims. Corporations will need to make sure that the smaller companies they deal with meet certain security standards.
Using ‘Things’ Connected to Corporate Networks to Launch an Attack (WS, K)
Much has been written on how a variety of ‘things’ connected to the internet can be hacked. (See my post, When Appliances Attack…and Sometimes Kill.) So far, this route hasn’t been heavily used to launch any major attacks and normal intelligent home appliances (refrigerators, TVs) aren’t expected to be major targets in the coming year. However, a number of experts believe that connected devices in corporations or institutions will be used as points from which to launch an attack. Business machines, such as printers, are often on networks but are seldom protected and, as such, offer an easy way into the network. Besides, you don’t need to send them a phishing email to compromise them.
Banks Will Increasingly Become Targets (K, WS, TM)
And it may not be just to steal money. I’ve noticed an increase of personal information for sale on sites in the deep web (stay tuned for a future post on what’s happening there) and some of this information claims to come from banks. This extensive information can be used to make credit cards or for other money-making purposes. Kaspersky points out that attackers breaking into bank networks can:
Remotely command ATMs to dispense cash.
Perform SWIFT transfers from various customers’ accounts.
Manipulate online banking systems to perform transfers in the background.
Attacks Based on Vulnerabilities in Old or Open Source Code (WS, TM, K)
This would be similar to last year’s Heartbleed vulnerability. There are probably quite a few holes in some programs that underpin much of the internet. These may already be in use by governments or other hacking groups. This information may become public this year and cause a temporary panic.
Besides the usual predictions, some experts went out on a limb to predict breaches that you would probably not even consider. Here are a few.
Attacks on ticketing machines, especially those still running Windows XP and accepting credit cards. (K)
Since old-style credit cards (mostly used in the US) must be replaced with chip-and-PIN cards by October, an extensive last-minute attack on old credit cards will occur. (W)
More deals taking place in the deep web. (TM)
Other Possible Breaches to Consider
(NOTE: I wrote down the following predictions last week and 12 hours before today’s ISIS cyber attacks. I had no advance notice that they would occur.)
Predictions are notoriously short-sighted. No one, for example, predicted that Ebola, ISIS, or Russia taking the Crimea would be big news stories in 2014. With this in mind, here are a few things I think are possible.
ISIS-based cyber attacks or cyber attacks launched by ISIS sympathizers may occur. These may be more irritating than destructive, as I doubt they have the resources for anything more. It could involve threats or extortion attempts.
A backdoor will be found built into chips at the factory level. These may be found in compromised smartphones.
A successful attack will be made on one of the world’s larger stock exchanges. This happened to the NASDAQ back in 2010 and no one has yet figured out just what happened. The attack may be for financial purposes but more likely it will be to disrupt the infrastructure. It will be a zero-day exploit that may take advantage of malware that is already hidden on the system and will likely be launched by a vengeful nation state.
In one year, I’ll look back on this and report on who made the best predictions. However, my guess is that the biggest, most newsworthy breach will be something that none of us have even considered.