It's the start of a new year, and over the holidays I asked the security researchers and aficionados at Rapid7 to dust off their crystal balls, deal out their tarot cards, throw down their runes, and study their tea leaves to come up with predictions for security trends in 2014. Once they stopped heckling me, they did agree to share their insights for what we may see in the coming year, and without so much as a suggestion of killing a goat. Here are seven of their predictions (yes, yes, we like things in sevens):
· Cloud services will be the big targets. Many of the team highlighted that the shift towards storing data and moving computing into the cloud, coupled with the impracticality or complexity of fully managing this infrastructure from end-to-end, will undoubtedly continue to attract attackers. We expect to see more cloud services and providers compromised, and this will likely draw the attention of auditors, who will require greater logging and monitoring of the way data stored in the cloud is accessed.
· Deception-based attacks will rule! We will see a continuation of the trend towards deception-based attacks, with these methods reported as significant entry-points in major breaches. Phishing will continue to be a successful attack vector and reduce the technical requirements for initial entry. Organizations will continue to struggle to defend against these kinds of attacks, and will remain focused on mitigating more traditional brute force methods.
· The Internet of Things will introduce risk into EVERYTHING. Consumer devices are increasingly becoming network-connected, introducing risk into all walks of life, from your home, to your office, your car, your gym, your doctor's surgery, etc. In recent years, we've seen the variety of network-connected devices expand massively, with TVs, storage, cameras, thermostats, medical devices, exercise machines, and garage doors just a small sample of the kinds of “things” now being connected to the Internet. This is only set to continue – we're already seeing network-enabled toasters, kettles, fridges and much more emerging. Unfortunately, researchers have found time that and again that security issues abound on embedded devices, and they are typically very poorly patched. Rapid7's chief research officer, HD Moore, highlighted this with research on UPnP, Supermicro, and IPMI, the latter building on the work of researcher, Dan Farmer. 2013 was a big year for worms and other forms of exploitation of these issues, and it's likely we will see a significant increase in these types of attacks as the adoption of embedded devices explodes.
· Malware will be increasingly purpose-oriented. Mark Schloesser, security researcher for Rapid7 Labs, expects a trend towards slimmer and more purpose-oriented malware samples instead of general-purpose kits that have been popular in the past. We are currently seeing the increased use of "droppers" – small binaries that do nothing but look for a new binary and download and execute it once it is offered – especially in the area of more targeted attacks and better organized campaigns. Mark's prediction is that this trend will carry over to the general cybercrime area and that there will be builders and kits that allow an easy creation of these special-purpose chains of malicious code. While being slightly more complex to maintain, the resulting code is less noisy and hides the purpose of an infection before its actual malicious behavior is triggered and thus raises fewer flags on the defender's side.
· PCI 3.0 will drive pentesting adoption. Christian Kirsch, Metasploit product manager, predicts that PCI 3.0 will create a huge pull for penetration testing in 2014. Previously, companies could get away with just doing an nmap or Nessus scan and call it a pentest to check the box. PCI 3.0 now defines a pentesting methodology to which organizations need to adhere. Since it's hard to build expertise quickly, time savings for existing pentesters will be huge, as will measures that simplify training needs for new team members.
· Widescale scanning of the internet will increase. Tod Beardsley, Metaslploit engineering manager, and Dan “Viss” Tentler, pentester, both agree that scanning tools such as zmap have made it vastly easier to scan the entire routable internet address space. As a result, these kinds of scans will no longer be the province of a handful of people and organizations, and will become increasingly commonplace in 2014. Heightened awareness of the surveillance opportunities on the web will also drive an interest in this amongst security professionals. The good news is that these kinds of scans reveal a great deal of information on real-world threats. Security professionals can apply these findings to their own environment to improve the risk management strategies.
· Mobile malware will target data contained in apps. Giri Sreenivas, general manager and VP for mobile security, predicts that we will see an increase in malware that targets data contained by specific apps on mobile devices. Most recently, there was an app removed from Google Play for targeting WhatsApp chat history data for exfiltration off the device. With the growth in smartphone and tablet usage, it is becoming increasingly worthwhile for malware authors to target the most popular applications knowing that their potential audience of targets may number in the hundreds of millions.
We didn't specifically call out big data, despite it being one of the most discussed topics in security last year. We're quite sure the noise around it will continue in 2014, but that doesn't seem particularly interesting as predictions go. And as I said, we like things in sevens.