10 big things Sophos believe will have significant impact in 2015 and beyond
1. Exploit mitigations reduce the number of useful vulnerabilities: Cybercriminals have for years feasted on Microsoft Windows. Fortunately, Microsoft has invested in exploit mitigations, which makes writing attack code more difficult. As the difficulty of exploitation increases, some attackers are moving back to social engineering, and we also see attackers focusing on non-Microsoft platforms.
2. Internet of Things attacks move from proof-of-concept to mainstream risks: In 2014 we've seen more evidence that manufacturers of Internet of Things (IoT) devices have failed to implement basic security standards, so attacks on these devices are likely to have nasty real world impact. The security industry needs to evolve to deal with these devices.
3. Encryption becomes standard, but not everyone is happy about it: With growing awareness of security and privacy concerns due to revelations of intelligence agency spying and newsworthy data breaches, encryption is becoming more important than ever, though not without controversy. Certain organizations like law enforcement and intelligence agencies are unhappy about the prospect of pervasive encryption under the belief that it may adversely impact safety.
4. More major flaws in widely-used software: From Heartbleed to Shellshock, it became evident that there are significant pieces of insecure code used in a large number of our computer systems today. The events of 2014 have boosted the cybercriminals' interest in typically less-considered software and systems -- so businesses should be preparing a response strategy.
5. Regulatory landscape forces greater disclosure and liability: The law moves slowly compared to the technology and security fields, but massive regulatory changes that have been a long time coming are nearly here. It is likely these changes will trigger consideration of more progressive data protection regulation in other jurisdictions.
6. Attackers increase focus on mobile payment systems: Mobile payment systems were the talk of 2014 after Apple stormed ahead with Apple Pay. Cybercriminals will be looking for flaws in these systems, but the present designs have several positive security features. Expect cybercriminals to continue abusing traditional credit and debit cards for a significant period of time as they are the easier target for now.
7. Global skills gap continues to increase: As technology becomes more integrated in our daily lives and a supporting pillar of the global economy, the cybersecurity skills shortage is becoming more critical and broadly recognized by governments and industry. This gap is growing larger with some governments forecasting a widening gap through the year 2030 given the present scarcity of qualified IT security professionals.
8. Attack services and exploit kits arise for mobile platforms. The last few years of cybercrime have been hallmarked by the rise of products and services to make hacking and exploitation point-and-click easy. With mobile platforms being so popular (and increasingly holding juicy data) we will see more crime packs and tools focusing on these devices explicitly. We may also see this trend come to fruition for other platforms in the IoT space as these devices proliferate around us.
9. Gap between Industrial Control Systems and real world security only grows: Industrial Control Systems (ICS) are typically 10 years or more behind the mainstream in terms of security. Over the next couple of years we anticipate more serious flaws exposed and used by attackers as opportunities vacillate between state-sponsored attacks and financially motivated ones. In short, it is an area of significant risk.
10. Interesting rootkit and bot capabilities may turn up new attack vectors: The technology industry is in the process of changing major platforms and protocols from those that we have relied on for some time, and these lower level changes will expose interesting flaws that cybercriminals may be able to capitalize on. This mass of major changes away from old guard technology standards could re-open old wounds and reveal major new security flaw categories.