The speed of change in technology is almost universally regarded as a good thing, and rightly so, with the convenience and advancement it brings to both our personal and professional lives.
But if there’s one industry collective that will always approach the altering tech landscape with a strong degree of caution, it’s the information security gang. Put simply, new technologies bring new dangers, and as businesses and consumers hastily foist new products into their daily routines, our data becomes vulnerable and fresh routes of attack are created for cyber-criminals.
With this in mind, we’ve canvassed industry opinion to help devise our top security predictions for 2014. Many of our emerging threats do indeed stem from new technologies breaking into the mainstream, while others look set to abound from the incidents and scandals that 2013 threw our way.
Here’s what we can expect over the next 12 months.
1. Mind your mobile – ransomware is coming
Smartphones have reached near-ubiquity among everyday users and the increasing consumerisation of the workplace -accelerated by BYOD policies - means our personal handsets are frequently drifting in and out of the company network. With the increasing likelihood of users having valuable corporate data on their phone or tablet, the profitability of breaching mobile devices is soaring for cyber-criminals, and as such, the coming months are set to yield a fresh wave of threats specifically crafted to attack our mobiles.
Ransomware, the aggressive Trojans that can lock users out of their device and demand a cash payment for the return of personal data or use of the device itself, saw a renaissance on PCs this year, with the now infamous CryptoLocker causing widespread devastation. Ominously, we were warned at the RSA Europe Conference that ransomware could soon be headed to mobile, and Kaspersky Lab expert Alexander Gostev believes this will lead the barrage of mobile threats next year.
“In 2014, we can expect cybercriminals to take another logical step in the development of these types of Trojan programs and turn their attention to mobile devices,” says Gostev. “Android-based devices will no doubt be the first to be targeted. Encryption of user data on smartphones – photos, contacts, correspondence – is easy if the Trojan has administrator rights, and distributing such programs - including via official stores like Google Play - is not difficult either.”
With many smartphone owners still struggling to transfer the security principles of PC to their mobile devices, cyber-criminals will be ready to pounce on any lax user behaviour in 2014.
2. The Internet of Things will become the “Internet of vulnerabilities”
It has been described by some as a “quiet revolution,” but few in tech circles would argue against it being a revolution nonetheless. The Internet of Things (IoT), a term broadly applied to the idea of physical objects being interconnected with one another in an Internet-like structure, is now a hot topic at almost any IT conference of note, and is set to muscle its way into our consciousness more rigorously than ever before in 2014.
But the aforementioned theme of new tech trends ushering in new methods of cybercrime seems particularly apparent here. Kevin Haley, the Director of Symantec’s Security Response team says the Internet of Things will become the “Internet of vulnerabilities”, arguing that, “With millions of devices connected to the Internet — and in many cases running an embedded operating system — in 2014, they will become a magnet for hackers.”
“Security researchers have already demonstrated attacks against smart televisions, medical equipment and security cameras. Already we’ve seen baby monitors attacked and traffic was shut down on a major tunnel in Israel, reportedly due to hackers accessing computer systems via a security camera system,” Haley continued.
“The companies building gadgets that connect to the Internet don’t even realise they have an oncoming security problem. These systems are not only vulnerable to an attack – they also lack notification methods for consumers and businesses when vulnerabilities are discovered. Even worse, they don’t have a friendly end-user method to patch these new vulnerabilities. Given this, we are going to see new threats in ways in which we’ve never seen before.”
Perhaps we’re not quite ready for this IoT revolution after all.
3. NSA fallout will change the Internet as we know it
It’s not just technology itself that brings chaos and conflict in the world of Internet security, however. The highly politicised nature of our connected world stirs up a steady stream of incidents that end up having significant implications for how everyday people use the Internet, and 2013 certainly proved as much.
The NSA surveillance saga will go down in the history books as a watershed moment for Internet security and indeed international diplomacy, leading to fears of web fragmentation and restrictions on access as we head into 2014. A full chronological digest of events can be enjoyed in Paul Cooper’s superb ‘The year the NSA hacked the world: A 2013 PRISM timeline,’ and with the scandal still unfolding, security experts believe the impact on our Internet use will soon become apparent.
“The Internet has begun to break up into national segments [and] Snowden’s revelations have intensified the demand for rules prohibiting the use of foreign services. Individual countries are no longer willing to let a single byte of information out of their networks,” says Kaspersky’s Gostev.
“These aspirations will grow ever stronger and legislative restrictions will inevitably transform into technical prohibitions. The next step will most likely be attempts to limit foreign access to data inside a country. As this trend develops further it may lead at some point to the collapse of the current Internet, which will break into dozens of national networks. The shadowy 'darknet' will then be the only truly world-wide web.”
4. The death of the password will draw nearer
If you haven’t heard already, passwords as we know them are dying. High-profile security breaches on the likes of LinkedIn, Twitter and Evernote have demonstrated the fragility of traditional passwords when pitted against sophisticated hackers, and the message was pressed home in an experiment conducted by Ars Technica this year, which saw 90 per cent of 16,000 random passwords cracked by a team of experts in a matter of hours.
The movement to bolster network security beyond the mode of single password access is now underway, with a host of high-level corporations – including the victims above – typically introducing two-factor authentication (2FA) systems to fortify their assets. 2FA is leading the charge in the new era of digital access, but picture passwords a la Windows 8, and biometrics as seen on the iPhone 5s and HTC One Max will also accelerate the death of the traditional password in 2014.
Webroot’s preview of forthcoming security trends states that “Apple’s fingerprint scanner is just the beginning for biometrics alternatives coming next year. From eye colour scanners to heartbeat rate monitor sensors, we’ll see mobile devices leveraging new methods to authenticate users.”
Indeed, some argue that these technologies will supersede the spread of 2FA, with their added convenience likely to appeal to everyday users. Geoff Anderson, co-founder of the startup PixelPin which helped coin the ‘#KillThePassword’ hashtag on Twitter, is firmly in this camp.
“We all need to authenticate ourselves to use web services securely, but the industry response has been to add more steps, such as two factor logins with tokens, text messages with codes etc,” he said. “Users want something simple or they will not use it, so we are just beginning to see more innovative solutions emerging that require a change in user behaviour and thinking. These solutions will ultimately replace passwords, which will be consigned to history.”
5. Small companies will disrupt the industry
At the beginning of 2013, we travelled to Austria to see Bitdefender awarded the prestigious antivirus product of the year award from independent testers AV Comparatives, propelling the Romanian outfit into the big-league of security vendors. It was a significant coup for the company who were only formed this side of the 21st century, over a decade after industry stalwarts like Symantec, Sophos, McAfee and Trend Micro.
But working as a small company over a relatively short period of time has been the key to its success, the Bitdefender leadership told us, as it had helped them out-innovate many of its (perhaps bloated) American rivals. With the threat landscape moving so quickly and security solutions needed across so many different platforms, 2014 could be the year smaller, agile companies rise to the fore in security.
“2013 saw a lot of interesting start up activity in the security space and I believe that will continue into 2014,” says Bloxx CEO Charles Sweeney. “Smaller companies often bring with them fresh approaches to established problems. Whilst the larger vendors might have the big research and development budgets, they don't have the agility to move quickly in order to integrate new technologies or the boldness to deploy them in different ways.
“In 2014, I think the smaller companies will steal a march on the larger vendors as their innovations catch the eye of big enterprises and public sector organisations who cannot deny they need a fresh, and more cost effective approach,” Sweeney argues.
Symantec and co, you have been warned.