Neohapsis 2015 Security Predictions
December 29, 2014
By: TMCnet Special Guest Patrick Thomas, security consultant at Neohapsis Labs
Predictions are a tough task in an industry as fast-moving as technology, and security rides the fastest part of this tiger's tail. Nonetheless, our team at Neohapsis gathers annually to make some projections based on what we've observed over the past year in our work as attackers and security advisors.
Among the predictions below are some common threads. We see powerful technologies becoming commoditized, and less-sophisticated attackers will soon be able to field techniques that were, until recently, the realm of nation states. Similarly, criminal enterprises are adopting practices of legitimate organizations, including cloud computing and big data, in order to scale and monetize their operations. Finally, legislation, regulation, and public sentiment continue to lag behind the potential for damage from digital attacks, with organizations suffering major losses but still struggling to take proactive action before being held responsible at their bottom line or the ballot box.
- Politically-motivated attackers will target private citizens: We will see an increase in coordinated and extremely well-executed malware attacks by organized groups with a political agenda, specifically targeting private citizens rather than state-sponsored infrastructure. These will not necessarily take the form of extreme, life-taking attacks, but groups like ISIS have figured out that if we can fund something like Stuxnet, so can they. And it’s a lot easier to target regular citizens than government infrastructure. Currently, electronic warfare attacks in the form of malware such as Stuxnet and recent Russian state actor attacks have been a cut above the technological capability shown by underground cell-operated organizations such as the Syrian Electronic Army or ISIS. In the year(s) to come, the gap between these groups will narrow. Groups such as ISIS already possess the knowledge required to conduct such attacks against their enemies; however, thus far they have not concentrated on malware as a form of delivery in their technical efforts. In the future, given the time and resources required, it is likely that these groups will succeed in conducting a large-scale malware-based attack, perhaps not focused on the technical resources of their enemies directly, but on the citizens of those countries. It seems only logical that if financially motivated attackers can pull these kinds of attacks off, politically motivated attackers can and will do the same.
- A U.S. firm will be implicated in a significant breach of EU data: As the run of high-profile data breaches continues, privacy regulators become more concerned when there is an incident that affects a significant number of European citizens that is attributed to services provided by a U.S.-based organization. EU Data Protection Agencies (DPAs) express increased concern over the lack of U.S. federal oversight of security and privacy practices, particularly when delivered through third-party (or cloud) services. There is an associated cost to many U.S. organizations from the increased oversight and enforcement actions by DPAs directed at U.S. companies participating in trans-border transmission or processing of customer or HR records of European citizens.
- Privacy concerns will dwindle: There will still be a vocal minority but nothing is going to top the NSA. If that didn’t cause a riot, nothing will. Even the most staunch privacy advocates didn’t move out of the States. And who stopped shopping at Target? You can get privacy by locking yourself in a box and avoiding interactions with others but most people think the benefits of interaction outweigh the loss of privacy. Realistically speaking, there’s cryptography and steganography for the taking. But even the vocal minority stops at cryptography. Is using steganography not worth the privacy increase? Corporations and governments will continue to manage this minority with confidence that the people will deal with the fact that “they” know stuff about “you.”
- Big data will become a buzzword for the bad guys too: Attackers will begin constructing identity management systems to cross-reference the millions of passwords gathered from data breaches. Intelligent guessing attempts will result in additional compromise of users that retain a semantic relationship with previously disclosed passwords. But it’s not all good news for the attacker. Big data can mean a big haystack depending on the type of compromise. Attackers will need to deploy improved scrapers to find the needles.
- Critical infrastructure will see security improvements: In 2013, the President of the United States issued Executive Order 13636 to strengthen the nation’s critical infrastructure. In 2014, NIST developed the Framework for Improving Critical Infrastructure Cybersecurity. In 2015, we will begin to see the first voluntary applications of this framework that will pave the way for future improvements of critical infrastructure. The question remains: will U.S. corporations and agencies be able to build adequate protections before attacks are carried out?
- Attackers will continue to exploit users: Humans are making more security decisions and assumptions based on computer suggestion. Computer screens mark objects with greens and reds but users still open unknown attachments and click links in emails. The issue is not confined to our screens. Buses, airports, and office entry points beep good and bad to inform the human guard of success or failure. Organizations are commonly unaware of the risks affecting the human element of their operations. They tend to shy away from performing security tests that may impact the user. If we don’t consistently test our users, attackers will.
- The breach parade will continue: Wave after wave of merchant breaches hit the news over the last year and a half, starting with the Target breach and then moving on through other retailers, large and small. There’s no reason to expect this tide of breaches to stop. Merchants should be planning to replace old point-of-sale technology with newer devices that provide tokenization and contactless mobile payments (like Apple Pay and Google Wallet) that can isolate them from cardholder data. If they don’t move soon, we may see their acquiring banks starting to force it upon them.
About the Author: Patrick Thomas is a recovering software developer turned penetration tester with Neohapsis. He works on offensive and defensive security tools, with an emphasis on web application security, web malware, and social engineering. He’s also done recent research on Multipath TCP and its implications for the future. He has been a featured speaker for Black Hat, DEFCON, SecTor and others.
Edited by Maurice Nagle