CSIS News: 10 security challenges in 2014

Looking deep into the crystal ball to predict a threat landscape that changes dynamically and at great speed is not a task to be taken lightly. Nevertheless, we in the CSIS e-Crime Unit have tried to bring together the trends and tendencies that we believe will create IT security headlines and challenges in 2014.

1» Data Leaks

With digital development, and not least the digitization of paperwork, the big-data phenomenon will result in more and larger data leaks than we have seen so far. This is combined with the fact that over the last 2 years we have observed an increase in infected machines in Denmark.

An increase in data leaks is a natural consequence of the fact that digitalization has been carried out at a speed where IT security aspects have not been adequately assessed and therefore have not been implemented properly. We expect data leaks, also in Denmark, and with a tightening of rules from the European Union, 2014 may cost Danish companies and public authorities dearly.

2» Drive-by attacks and patch management

The technique in which IT criminals misuse vulnerabilities in popular software packages will continue. Companies and authorities will be required to implement solid patch-management solutions.

That patch management is important, and that drive-by attacks are a real risk to any enterprise, is unequivocally shown in ENISA’s publication “ENISA Threat Landscape 2013 – Overview of current and emerging cyber-threats”, which can be downloaded from:
https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-2013-overview-of-current-and-emerging-cyber-threats

3» DDoS and digital demonstrations

We have already seen how so-called commercial DDoS mitigation services (Distributed Denial of Service, also known as booters) have given rise to concerns during the past year. These are services that ordinary people can buy into at moderate cost to bring political or strategic targets to their knees.

Demonstrations in the form of DDoS attacks and random web page defacements will continue to affect private enterprises and public institutions.

4» Attacks on mobile devices

We have heard it from the security industry before, and frequently, but we believe that exploits and malware targeted at mobile devices, including operating systems such as Android, Windows Mobile, and iOS, will increase significantly in 2014. Mobile devices are taking up an increasingly significant market share and will attract more and more attention from IT criminals who will try to make a fortune from them.

At the same time, we know all too well the massive rise in malware specifically targeted at Android, even if we in Denmark have so far been relatively spared malware for mobile devices.

5» BYOD

Devices, gadgets, and miscellaneous mobile equipment in general can be a challenge for enterprises and public authorities to manage and control. We expect 2014 to be the year in which a number of new technologies arrive that make this work easier, but we also expect significant resources to be earmarked for it. The work and the challenges with BYOD (Bring Your Own Device) have only just begun.

6» Post-Snowden and data privacy

Surveillance by state authorities, particularly in the wake of the many revelations of the NSA’s systematic monitoring and surveillance, will push the market toward more encryption and data protection initiatives. Surveillance has dented the image of several data centers and cloud providers, and as a consequence these will, to regain customers’ confidence, be compelled to take a number of initiatives to better protect data that is stored outside the enterprise’s network.

In addition, we foresee that a number of enterprises will begin in 2014 to implement strong encryption of e-mail and other popular Internet-based transport channels.

The race to protect data with strong encryption has in several places been referred to as an upcoming “Cryptowar”.

7» Targeted Attacks / spear phishing

In 2012 and 2013 we saw numerous spear-phishing and targeted attacks that made use of a mixture of zero-day vulnerabilities and APTs (Advanced Persistent Threats). In Denmark, and in a number of countries we compare ourselves with, large funds have already been allocated for defense against targeted attacks.

That job postings at the same time openly advertise for people with specific offensive technical skills signals an escalation of state-sponsored digital attacks and, as a consequence, also calls for increased focus on the protection of sensitive data.

8» More sophisticated crimeware

Stealing digital assets on the Internet is good business. It has created a vibrant underground economy in which, on the one hand, hackers and talented developers continue to develop and sell commercial “Crime as a Service” products and regular crimekits while, on the other hand, the affected stakeholders try to protect their customers’ assets.

Because several of the primary targets that IT criminals have selected over the past ten years are financial institutions, these have upgraded their security in several areas. Circumventing that security in systematic and comprehensive attacks makes considerable technical demands, which is why we expect IT criminals to shift their focus from ordinary bank customers to enterprises and public institutions that have significantly more financial resources in their accounts. One weapon that IT criminals will build into these tools and services is the ability to carry out “real-time attacks” and “social engineering”.

9» Windows XP support dead

In April 2014 Microsoft will stop supporting Windows XP. This also means that the software giant will cease to release updates for one of the most popular and widely used operating systems ever.

With the end of Windows XP support, millions of machines that have not been upgraded or moved to a different operating system will potentially be left behind as cannon fodder for malicious code.

Windows XP is not only an end-user product but is also found in numerous consoles that are not easy to upgrade. This applies, for example, to payment card terminals, terminals at airports, ATMs, and terminals in production environments. Obviously, the end of Windows XP support will leave many of these installations with no way of fixing newly discovered vulnerabilities unless a separate and expensive agreement is made with Microsoft. In this connection we anticipate that many of these systems will be left in operation while at the same time being in danger of potential misuse or infection.

10» Code signed malware

In the course of 2013 we have already seen a significant increase in malware that has been digitally signed with stolen certificates from legitimate enterprises and developers.

The purpose of misusing code signing is obvious: to achieve a higher degree of trust, since the issuer of the binary code is validated through the signature. IT criminals have misused this in connection with targeted attacks, but more widely scattered attacks involving online-banking and information stealers, ransomware, and fake security products have also been observed making use of digital code signing.

When IT criminals sign code, the aim is thus to make it appear legitimate. Several security solutions, including anti-virus products, assess code by, among other things, looking at whether it is digitally signed and whether the source is trusted. In this way, signed malware can evade security solutions.

Conclusion

2014 shows signs of becoming a busy year for the IT security industry, but especially for the many Danish enterprises and public authorities who must try to protect their digital assets in a complex threat landscape where attacks and threats come from several sources. CSIS concludes this in “10 Danish IT security challenges in 2014”, which has just been published.

The company expects to see more infected machines, more data leaks, increased fear of surveillance, and a generally increased focus on IT security next year. Unlike before, management in several Danish enterprises has also realized that IT security must be treated as an urgent priority.