Around this time every year, security firms offer up their predictions for the year ahead. However, rarely do we see how those predictions actually turned out. One year ago, I looked at the predictions of five of these firms and sifted out the main themes that emerged. I also made my own predictions.
The five companies whose predictions I considered at the beginning of 2015 were Websense (WS), FireEye (FE), Wired ( W ), Kaspersky (K), and Trend Micro (TM). (The abbreviations will be used for easier reference.)
First of all, everyone, including myself, thought that cyber attacks would increase in 2015. As it turned out, this did happen, but not until well into December. So what happened? Are cyber attacks beginning to fade away? That’s unlikely. What’s more probable is that attacks are becoming more sophisticated and are able to stay more hidden. They may also be more efficient. In other words, we really don’t know how many more attacks occurred this year and likely won’t for some time.
Here are the original predictions with my updated comments in italics. In some cases I will simply use ‘C’ for confirmed and ‘U’ for unconfirmed.
1. More Nation-state Attacks (WS, TM, W, K)
Although these attacks may not be easily traced to the nations themselves, they may be traced to small groups that are supported by a particular nation. (more or less true, especially for Russia and China) New nations, especially developing nations, may begin using such attacks. (U) Small, loosely organized hacking groups may agree to work on behalf of nations to attain certain political goals.(There were some instances of this happening, especially in China and Russia.) Intelligence and corporate data will continue to be targeted.(C) Some of these attacks will use social media (TM). Others may target infrastructure and entire cell phone networks. (This only occurred to a limited degree, although it was widely discussed. It still seems to have a lot of potential.)
2. More Attacks Making Use of Mobile Devices (FE, TM, WS, K)
Probably not much of a surprise, but something that might begin to get more headlines as more and more breaches compromise smartphones and tablets to connect to larger networks.(Yes, many attacks used this vector, but mainstream media gave no great attention to the dangers of endpoints connected to a networks.) Some of these breaches will use malware in aps (TM) to take control of a user’s phone.(C) Android devices might be specifically targeted (TM).(C) However, there may be an increase in focus on Mac OSs and especially iOS 6 used in Apple mobile devices (K, FE).(This has recently come to light.) This will all call into question whether BYOD policies, already under scrutiny, are viable enterprise options and may stimulate a search for more innovative solutions for protecting corporate networks. (Most security experts agree that there are a number of problems associated with BYOD, however, none of the traditional software solutions has been able to solve these problems.)
3. Supply Chain/Subcontractors Used to Launch Attacks (FE, WS, W)
This is what we saw in the Target attack. Such attacks make use of the mindset that many small and medium-sized companies adhere to, which can be summarized as, “I have nothing that anyone would be interested in.” Under this banner, they don’t invest much in security and, thus, become easy victims and are used as platforms to attack the bigger companies and institutions whose networks they are connected to. Corporations will need to make sure that the smaller companies they deal with meet certain security standards. (All of this was right on target, so to speak. The most serious attack of the year, the OPM attack, was launched through contractors connected to its networks.)
4. Using ‘Things’ Connected to Corporate Networks to Launch an Attack (WS, K)
Much has been written on how a variety of ‘things’ connected to the internet can be hacked. (see my post, When Appliances Attack…and Sometimes Kill ) So far, this route hasn’t been heavily used to launch any major attacks and normal intelligent home appliances (refrigerators, TVs) aren’t expected to be major targets in the coming year. However, a number of experts believe that connected devices in corporations or institutions will be used as points from which to launch an attack. Business machines, such as printers, are often on networks but are seldom protected and, as such, offer an easy way into the network. Besides, you don’t need to send them a phishing email to compromise them. (I can’t really confirm this. Much has been written on the Internet of Things (IoT) as a potential danger. The main focus of interest this year has been on hacking cars, toys, and a few other odd things, but I can’t confirm a serious attack using this vector.)
5. Banks Will Increasingly Become Targets (K, WS, TM)
And it may not be just to steal money. I’ve noticed an increase of personal information for sale on sites in the deep web (stay tuned for a future post on what’s happening there) and some of this information claims to come from banks. This extensive information can be used to make credit cards or for other money-making purposes. Kaspersky points out that attackers breaking into bank networks can
- Remotely command ATMs to dispose cash.
- Perform SWIFT transfers from various customers accounts,
- Manipulate online banking systems to perform transfers in the background.
(Here’s a prediction that was right on. The financial sector received the greatest increase in attacks from 2014; up 84%. The Carbanak hack alone made off with up to a billion dollars.)
Attacks Based on Vulnerabilities in Old or Open Source Code (WS, TM, K)
This would be similar to last year’s Heartbleed vulnerability. There are probably quite a few holes in some programs that underpin much of the internet. These vulnerabilities may already be in use by governments or other hacking groups. (Audits of the OPM stated that many of their problems came from using outdated software.) This information may become public this year and cause a temporary panic. (I can confirm this prediction overall, but I still think things could have been much worse.)
Besides the usual predictions, some experts went out on a limb to predict breaches that you would probably not even consider. Here are a few.
Attacks on ticketing machines, especially those still running Windows XP and accepting credit cards. (K) (Nothing much to note on this that hadn’t already appeared in previous years.)
Since old style credit cards (mostly used in the US) must be replaced with chip-and-PIN cards by October, an extensive last minute attack on old credit cards will occur. ( W ) (Wired was right about pointing this out, as malware, such as ModPOS, took advantage of outdated cards.)
More deals taking place in the deep web. (TM) (The deep web has been having a struggle this year with Tor being compromised and illicit sites being infiltrated by government agents. I’ll report more on this in my annual report on the deep web.)
My Own Predictions
ISIS-based cyber attacks or cyber attacks launched by ISIS sympathizers may occur. (Ouch! I just hurt my shoulder trying to pat myself on the back. Yes, this is more or less what has happened.) These may be more irritating than destructive, as I doubt they have the resources for anything more. It could involve threats or extortion attempts. (More or less true. There were frequent threats, but few actually resulted in extortion – or at least none that we know of.)
A backdoor will be found built into chips at the factory level. These may be found in compromised smartphones. (I had no idea when I wrote this that requiring backdoors on all devices would become a hot national security topic by the end of the year. The Paris and California terrorist attacks stimulated a renewed call for all companies to install backdoors on their products. China has gone even further by requiring all foreign manufacturers in China to put in backdoors. From this, you can assume that any smartphone or computer built by Chinese manufacturers have already had backdoors installed.)
A successful attack will be made on one of the world’s larger stock exchanges. This happened to the NASDAQ back in 2010 and no one has yet figured out just what happened. The attack may be for financial purposes but more likely it will be to disrupt the infrastructure. It will be a zero-day exploit that may take advantage of malware that is already hidden on the system and will likely be launched by a vengeful nation state. (Although hacks trying to manipulate the stock market did occur (Scottrade hack), no direct hack on the major stock exchanges occurred… at least none that we know about. No nation-state involvement has also been found.)
At that time, I also predicted that “the biggest, most newsworthy breach will be something that none of us have even considered.” Without a doubt, the most publicized hack of 2015 was the Ashley-Madison hack. No one thought that a hack on a dating site would cause so much commotion. None of us also thought that the head of the CIA would have his email hacked, or that hackers would gang up to hack another group of hackers they didn’t like (Hacking Team). And probably no one would have guessed, especially Kaspersky, that a major security firm would be hacked, like Kaspersky was.
So what final conclusions can we draw about last years predictions? Overall, they were not bad and some were right on, but, in truth a lot happened that was never seen coming. I would give the teams a grade of ‘B’.
In the next post, I will compile and analyze predictions from the same firms for 2016.