Top 13 Cyber Security predictions for 2014

Cyber security is now a topic with implications for every major line of business and market segment.

Palo Alto Networks shares its 13 predictions for cyber security, the threat landscape, firewall and mobile security for 2014.

1. Securing the mobile device will be inextricably linked to securing the network

With freedom of choice comes risk. Megatrends like BYOD and the rise of the mobile workforce are providing fertile ground for cyber criminals and nation states looking to capitalise on devices operating over unprotected networks.

The scales have historically been tipped, leaving enterprises vulnerable to a new breed of advanced threats targeting mobile devices.

In 2014, threat intelligence gained within the enterprise network will offer new defence capabilities for mobile devices operating outside protected networks. Intelligence gained by mobile devices will offer new signature capabilities to further strengthen enterprise networks.

2. Cloud will get a security makeover

Innovations in network virtualisation are enabling automation and transparent network insertion of next-generation security services into the cloud. Security has remained one of the greatest barriers preventing cloud computing from reaching its full potential.

In 2014 next-generation network security and network virtualisation will come together to form a new paradigm for cloud security.

3. Detection times will decrease

Enterprise security has undergone a massive transformation since the introduction of the Next-Generation Firewall (NGFW). This has long since moved from an emerging technology to one that’s universally deployed.

Newer, advanced security services are letting enterprises gain new advantages in detecting unknown threats and gathering that information into a threat intelligence cloud that’s developing an impressively high IQ. The net result will be a measurable reduction in the time it takes to detect a breach.

4. There will be a heightened need for better intelligence and sharing on cyber threats

The new era of network security is based on automated processes and building as much intelligence as possible into network security software. This is especially important in industries such as government, education and healthcare, in which there are staffing shortages.

Limited staff need maximum resources including security tools that give them the most visibility into their network traffic and don’t sacrifice business productivity.

5. Security will meet reliability as attacks target control systems

Companies may be able to apply tight network security to data centres and the information they manage. But if they’re not doing the same for certain data centre support systems such as HVAC, cooling and other automated systems that help power, clean and maintain a data centre, they’re leaving the whole data centre vulnerable.

Data centres are required to meet the highest levels of reliability, which cannot be achieved unless all of their components, from uplinks and storage to chillers and HVAC systems, are fully fault tolerant and protected from vulnerabilities and cyber attacks.

These types of attacks, in which smart hackers target the weakest parts of a data centre support infrastructure, will continue.

6. The demand for cyber security and incident response (IR) skills will reach new highs

As more advanced threats have become commonplace, the demands on existing IR teams have begun to outstrip capacity, especially in enterprises and government entities.

A recent survey by the Ponemon Institute found that only 26 per cent of security professionals felt they had the security expertise needed to keep up with advanced threats. Computer science programs will continue to adapt to this trend with more focused training in cyber security disciplines.

7. Advanced attackers will move to mobile devices

A wave of crimeware and fraud has already begun to target mobile devices, which are ripe targets for new malware and a logical place for new threat vectors.

Mobile platforms will be uniquely leveraged by advanced persistent threats (APTs) thanks to the ability to use GPS location to pinpoint individual targets and use cellular connectivity to keep command and control away from enterprise security measures.

8. Financially motivated malware will make a comeback and the lines between APTs and organised crime will blur

The focus of enterprise security will again be on the attacks where money changes hands. Banking and fraud botnets will continue to be some of the most common types of malware. Meanwhile, attribution of APTs is becoming more of a focus in the industry, which means that more hacker groups will spend more time attempting to cover their tracks and hide any unique identifiers.

To do so, they will attempt to imitate, contract with or even infiltrate criminally-focused hacking organisations to provide cover for their operations.

9. Organisations will exert more control over remote access tools

The revelations of how commonly remote access tools such as RDP, SSH and TeamViewer are used to attack networks will force organisations to exert greater control over these tools.

These applications provide support and development teams with powerful tools to simplify their jobs but they are used commonly by attackers. Employees also use these tools to mask what they’re doing on the corporate network as a means of protecting privacy.

Browser plugins such as Remote Desktop and uProxy for Google Chrome will make these tools more accessible and increase the challenge of controlling their use on the corporate network. User privacy is critically important, but users also need to understand that these applications can jeopardise the business.

The challenge will be how organisations can best implement controls without limiting productivity.

10. Cyber lockers and cloud-based file sharing will continue to grow, despite the risks

Palo Alto Networks has been watching browser-based file sharing applications since 2008, when it identified a pool of roughly 10 variants in this group.

As of this year, Palo Alto Networks is tracking more than 100 variants, and according to its research an average of 13 of these applications are found on networks it analyses. In many cases, there is no business use case for this many variants.

While there is business value for some of these applications they do present business and security risks if they’re used too casually. The risks will continue to escalate as vendors try to broaden their appeal to users and differentiate themselves by adding premium, always-on, always-synched features.

11. The mobile OS ecosystem is too big for patchwork protection

The mobile ecosystem is much more complicated and far-reaching than Windows. Too much of what’s being described as mobile security is based on buying add-ons for different devices running different operating systems – a scattershot model doomed to fail.

Rather than focus on securing individual devices, organisations need to look for security solutions that extend next-generation firewall policies across the full range of mobility use cases, independent of OS.

12. Mobile security issues turn security admins’ attention outside the firewall

Still too many mobile security solutions protect a user’s mobile device while they’re behind the corporate firewall but don’t enforce mobile security policy when users are outside it.

Facebook was hacked earlier this year, for example, when employees connected to a mobile developer’s compromised website, downloaded malware and then introduced it to Facebook’s internal servers when they were back behind the firewall.

Expect to hear similar stories in 2014, and hopefully a shifting debate on how to solve these challenges.

13. “Lock it down” just won’t play

Many organisations still take a “lock it down” approach to mobile security and have put policies into effect that are so strict they eliminate the productivity and flexibility benefits of BYOD.

The mushrooming popularity of smartphones and tablets means users will find a way to use them on networks whether admins like it or not.

In 2014, a majority of organisations will finally turn away from the “lock it down” approach in favour of a mobile security model that gives users some breathing room while preserving the secure enterprise network.

[Source: SEC1®]

The 10 Worst Data Breaches of 2013

According to the Identity Theft Resource Center, as of December 3, 558 breaches have been reported in 2013, and we still have nearly a full month left for more potential breaches. These breaches hit across industries; no one is immune. In late November, BitSight Technologies released a report that investigated how well specific industries were doing in their security efforts. According to the survey, the financial industry has performed the best when it comes to security effectiveness.

At the bottom of the list was the technology industry.

Not surprisingly, a number of the worst security breaches of 2013 happened within the tech industry. In fact, when asked to list the top security breaches of the past year, security experts overwhelmingly named the Adobe breach, followed closely by the more recent Pony botnet attack that focused on companies like Google and Facebook.

One of the more surprising breaches named by experts was former NSA contractor Edward Snowden’s leaks about the extent of the U.S. intelligence community’s Internet surveillance. The data breach was significant for many reasons, starting with what was revealed: pervasive signals intelligence, subversion of encryption standards, collaboration with overseas intelligence communities and many other bombshells.

Other breaches were more predictable, involving stolen devices or phishing scams. Many of the breaches are blamed on foreign hackers and cyber criminals. But the end result is that all of these breaches caused significant damage to businesses and customers. As Costin Raiu, director, Global Research and Analysis Team, Kaspersky Lab, stated:

We predicted 2012 to be revealing and 2013 to be eye opening. That forecast proved correct – 2013 showed that everybody is in the same boat. In truth, any organization or person can become a victim. Not all attacks involve high profile targets, or those involved in ‘critical infrastructure’ projects. Those who hold data could be of value to cybercriminals, or they can be used as ‘stepping-stones’ to reach other targets.

Here is a list of the worst data breaches of 2013.

Adobe: 150 million exposed account credentials, leading to secondary breaches all over the Internet

You can’t tell the story of 2013 without Adobe, said Scott Simkin, senior product marketing manager, Palo Alto Networks. It was a breach unique in both scale and, more interestingly, the asymmetric ripple effects across the security landscape. First disclosed by Brian Krebs, the story brought an official statement from Adobe, with research revealing that more than 150 million user IDs with hashed passwords were stolen, including at least 38 million active users. Second, it showed how lax security efforts can be, even in a large tech company. The breach reportedly occurred in August or September, but Adobe did not become aware until September 17 and then, it failed to notify the affected users for over two weeks.

Initially, the breach was thought to be much smaller until people started getting their hands on the breached data that was published, according to AppRiver Security Analyst Jon French. The leaked file from the breach contained email addresses, encrypted passwords, and even password hints for Adobe users. Along with the user data breach, some source code was stolen for Adobe products as well. This code could be used for malware writers to program viruses to be more effective in attacks against that software.

Snowden Leaks

In SilverSky CTO Andrew Jaquith’s opinion, the worst data breach of 2013 was former NSA contractor Edward Snowden’s leaks about the extent of the U.S. intelligence community’s Internet surveillance. The data breach was significant for many reasons, he said, starting with what was revealed: pervasive signals intelligence, subversion of encryption standards, collaboration with overseas intelligence communities and other bombshells. He added:

The second reason the breach mattered — one that has not been explored nearly as much — is how Snowden was able to get his material, and what this says about the U.S. government’s ability to compartmentalize. Snowden didn’t work for one of the agencies. He worked for an outside defense contractor. He wasn’t even a full-time employee of that contractor either, but a part-timer who had only been there for a few months. You’ve got to ask how someone who is that far removed from the center of things could get so much top secret information so quickly. He’s either a world-class social engineer, or the NSA’s circle of trust was far too wide. I’m betting on the latter. The Manning case showed that the side-effect of “better intelligence sharing” between agencies resulted in millions of people having access to classified SIPRNET information. When millions of people have access to information, some of it is guaranteed to leak.

NSA’s Spying Program, MUSCULAR

The details of the NSA’s spying program, MUSCULAR, disclosed by Edward Snowden, may prove to have the greatest impact of any breach in 2013. According to J.J. Thompson, managing director and CEO of Rook Security, the MUSCULAR program involved intercepting data from Yahoo and Google private clouds where the data is unencrypted. The data collected included email, pictures, video, text documents, spreadsheets, and an array of other similar file types. And as Zack Whittaker pointed out in a ZDNet article:

In efforts to get “free access” to the traffic that flows between data centers, the NSA had to “circumvent gold standard security measures,” according to the [Washington] Post.

With this new revelation, Google has taken a considerably stronger stance against the NSA’s spying programs, Thompson stated, adding:

And, along with Microsoft, has begun encrypting its internal network traffic. These and other major tech companies are using every resource at their disposal to fight the NSA including public relations and lobbying efforts. It is likely the greatest level of national attention ever paid to a security incident.

Data-Broker Botnet

In September 2013, it was announced that several data aggregator companies, such as Dun & Bradstreet, LexisNexis, and Kroll Background America, were hacked by some very sophisticated attackers who placed botnet software on compromised servers. According to Michelle Johnson Cobb, vice president, Skybox Security, this allowed the attackers to work undetected for months to consolidate massive amounts of PII. The attackers then sold identifying information directly to anyone who wanted it, and it’s clear that the information could be used for years to come to commit identity theft crimes.

This botnet provided a good look at how attackers can target the reservoirs of consumer and business data, using both sophisticated attack methods and ‘Big Data’ aggregation and analytical methods for their nefarious purposes. Also, this kind of stolen data has a ripple effect for a long time. Cobb said that unlike a credit card number that can be cancelled, the names of an individual’s last three employers, previous addresses and so on will live forever, and Social Security numbers are not easily changed. So once the thieves have the information, it can be used again and again in a widening circle of breaches and fraud.

U.S. Government Breaches

The Department of Energy (DoE) breach in July leaked over 104,000 employees’ and contractors’ personal information, with huge implications in the cybersecurity world. Technically, this was the second major successful hack against the DoE this year, said Mark Vankempen, security research engineer, LogRhythm Labs:

The first one that occurred back in February left 14 servers and 20 workstations compromised. This earlier breach also led to the exposure of PII of hundreds of employees, not to mention leaving behind backdoors for future exploits. These types of breaches clearly affect the way people perceive the security of their personal information as well as federal agencies. A solid security posture that utilizes advanced security analytic techniques across the universe of data sources in your environment, combined with contextual emerging threat data, could have been the golden ticket to limiting the scope of the breach or even preventing it entirely.

The attack was made possible by leveraging a flaw in an Adobe product, most likely executed by an unsuspecting employee, added Paul Lipman, CEO of Total Defense. This highlights the need to offer employees protection while they are beyond the corporate firewall, with persistent endpoint protection.

Living Social Breach

This breach stood out in two unique ways. First, it was one of the first major breaches to hit a popular consumer site. As Paul Lipman, CEO of Total Defense, said:

Attackers having access to those users’ information (name, email, password, buying history), from a site where there is already a level of trust established, as well as urgency of message (timed deals), could lead to spear-phishing attempts in the future (such as purported emails from vendors of previous purchases, or fake new offers). This attack highlights the continued need for endpoint and email security, where any malware introduced has the chance to move laterally within a network.

The Living Social breach was also one of the first breaches that involved encrypted password theft. Encrypted passwords, Tom Cross of Lancope said in an IT Business Edge article, are valuable to bad guys:

Encrypted password hashes can be “cracked” with computer software that essentially tries millions of different possible passwords looking for a match. The bad guys will successfully crack the passwords of many Living Social users, and knowing the password, name, and email address for a person, they may be able to break into other accounts that those people maintain on other websites.

California-Based AHMC Hospitals Breach from Laptop Theft

Not all of the breaches were due to highly skilled hackers or government negligence. Sometimes terrible breaches happen because of low-tech carelessness.

In October, more than 729,000 patients were put in jeopardy when two unencrypted laptops were stolen from California-based AHMC hospitals. Private patient information, including patient names, Social Security numbers and diagnostic and procedure codes, was compromised in the theft, affecting six major health institutions overall. According to Darren Leroux, WinMagic senior director of product marketing, it took this breach for an encryption policy to be put into place at the AHMC hospital network. He said:

The damage had already been done and if you’re a person that was at risk because the data has been stolen, that’s a pretty scary situation. That health system had to answer to the people whose information was exposed and deal with the reputation and financial implications of such an event, something that could’ve been easily prevented by having a data encryption policy in place. Full disk encryption should be the foundation of any device security.

Hijacking Media Outlets

The Syrian Electronic Army (SEA) captured the “hacktivist” crown this year, with a series of defacements and hacks of major news organizations and Twitter handles, according to Scott Simkin, senior product marketing manager, Palo Alto Networks. The SEA made national headlines with its claim of an attack on President Obama from the Associated Press’ Twitter handle, causing a brief $136 billion dive in the stock market. The SEA then went on to deface the New York Times, Washington Post, National Public Radio, Al-Jazeera and other major news outlets. How does this constitute a data breach? Simkin explained:

Data breaches are always about information, whether it is PII, accounts and passwords, or intellectual property. The SEA flipped this strategy on its head, marking the first time information distribution itself became the target. Social media and the news are primarily about connecting the right people with the information they want to find. When those stories come from a trusted source such as the AP’s Twitter handle or the New York Times, it is often inherently trusted itself. As we saw with the fake President Obama message, information is inherently valuable in its own right. The SEA learned that controlling the flow of information and message from a trusted source can have an outsized impact.

The Silent Breach

The scariest data breaches are the ones that companies don’t even know are happening or aren’t disclosing. In January, The New York Times revealed that its computers were stealthily compromised by Chinese hackers for a period of four months. According to a New York Times article:

The attackers first installed malware — malicious software — that enabled them to gain entry to any computer on The Times’s network. The malware was identified by computer security experts as a specific strain associated with computer attacks originating in China. More evidence of the source, experts said, is that the attacks started from the same university computers used by the Chinese military to attack United States military contractors in the past.

Yet, said Charles McColgan, CTO at TeleSign, what is even worse is the companies that don’t disclose when they have been attacked. Finance and health care companies have strict guidelines about disclosing data breaches. But many enterprise companies won’t disclose a data breach unless a legal or compliance issue forces them to do so, or unless the data has somehow already become public. If companies can get away without acknowledging a data breach, they will.

Pony Botnet

Even though the Pony botnet was first announced in early December, many security experts include it among the worst breaches of 2013. The botnet is responsible for the theft of 2 million passwords and user names from a number of different locations, including Google, Facebook, Twitter and Yahoo. According to CNN:

The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing login credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers.

According to Trustwave’s SpiderLabs blog, while it looks like the attack came from the Netherlands, it is more likely that the Netherlands IP is a gateway or proxy for the infected machines. The security company believes that nearly 100 countries were hit by Pony, and that may make this breach, if not the largest in number of compromised accounts, the most international. If nothing else, the Pony botnet breach shows that way too many people are still using simple “12345” passwords.
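Two of the breaches above turn on the same defensive point: the Living Social theft of password hashes (which Tom Cross notes can be cracked offline by guessing) and the Pony harvest of “12345”-grade passwords. The example below is added here and is not code from the article or from any of the companies quoted; it contrasts the unsalted fast hash that makes a leaked table cheap to attack with salted PBKDF2 storage, adds the weak-password check that would have rejected “12345”, and audits a (constructed) user table for records still stored the old way. The denylist, iteration count, user names and passwords are all assumptions made up for the example.

```python
# Added example, not the article's or any vendor's code. All user records and the
# denylist below are constructed for illustration.
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed denylist of trivially guessable passwords; a production list would be
# far larger (e.g. built from published breach corpora).
COMMON_PASSWORDS = frozenset({"12345", "123456", "password", "qwerty", "abc123"})

# Deliberately slow: tune so one verification costs tens of milliseconds on your hardware.
PBKDF2_ITERATIONS = 600_000


def legacy_hash(password: str) -> str:
    """Unsalted, fast hash. Every user with the same password gets the same digest,
    and each guess against a leaked table costs one cheap SHA-1. Shown only to
    illustrate the weakness; never store passwords this way."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256). Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so parameters can be
    raised later without breaking old records."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so response latency does not reveal how many digest bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_weak_password(password: str) -> bool:
    """Reject passwords that are short or on the denylist (case-insensitive)."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


def duplicate_password_groups(records: dict[str, str]) -> list[set[str]]:
    """For an unsalted table, users sharing a digest share a password: the table
    leaks structure before a single guess is made. Salted records never collide."""
    by_hash: dict[str, set[str]] = {}
    for user, digest in records.items():
        by_hash.setdefault(digest, set()).add(user)
    return [users for users in by_hash.values() if len(users) > 1]


def audit_legacy_records(records: dict[str, str]) -> list[str]:
    """Users whose stored record is not salted PBKDF2: candidates for re-hashing
    on their next successful login."""
    return sorted(u for u, r in records.items() if not r.startswith("pbkdf2_sha256$"))


if __name__ == "__main__":
    # Constructed sample: two users chose "12345"; the unsalted table shows it directly.
    legacy_table = {
        "alice": legacy_hash("12345"),
        "bob": legacy_hash("12345"),
        "carol": legacy_hash("Tr0ub4dor&3"),
    }
    print("users sharing a password:", duplicate_password_groups(legacy_table))
    salted = {u: hash_password("12345") for u in ("alice", "bob")}
    print("salted records differ:", salted["alice"] != salted["bob"])
    print("'12345' rejected:", is_weak_password("12345"))
    print("legacy records to migrate:", audit_legacy_records({**legacy_table, **salted}))
```

The migration pattern in `audit_legacy_records` is the practical follow-up to a breach like Living Social’s: a site cannot re-hash passwords it does not have in the clear, so legacy records are upgraded one at a time when the user next logs in and the plaintext is briefly available.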

[Source: SEC1®]

Palo Alto Networks Certified Network Security Engineer (PCNSE) – Vietnamese Walk of Fame

18

Last Updated: 15-NOV-2017

All statistics are based upon personal verification. Please use it at your own risk, for reference only. The total number may differ from the public list of Palo Alto Networks since it includes active, inactive and suspended certifications, and also certification holders who are both local and overseas Vietnamese. If you are a Vietnamese (local or overseas) CNSE and your name is not in this list, or you believe the information is wrong, please contact me. Thank you so much.

CNSE #3.1

ID | Name | Current position | Date certified
#3.1-1138 | TEVIN TRUONG – TEVIN TRUONG | Director at IAV GLOBAL Limited Company (Saigon, Vietnam) | 21-FEB-2012

CNSE #4.1

ID | Name | Current position | Date certified
#4.1- | VON NGUYEN – VON NGUYEN | Consulting Engineer at Palo Alto Networks (Texas, USA) | 20-MAR-2012
#4.1-1134 | KHAY HUYNH – KHAY HUYNH | Systems Engineer at F5 Networks (Paris, France) | 22-MAY-2012
#4.1-1817 | PHILIP HUNG CAO – PHILIP HÙNG CAO | | 04-MAR-2013

CNSE #5.1

ID | Name | Current position | Date certified
#5.1-1423 | TRINH ANH LUAN – TRỊNH ANH LUÂN | Security Consultant at VietSunShine (Saigon, Vietnam) | 26-MAR-2014
#5.1-1424 | PHAM DINH THONG – PHẠM ĐÌNH THÔNG | Deputy Technical Director at VietSunShine (Saigon, Vietnam) | 26-MAR-2014
#5.1-1507 | KHAY HUYNH – KHAY HUYNH | Systems Engineer at F5 Networks (Paris, France) | MAY-2014
#5.1-1651 | PHAM HUNG VIET – PHẠM HÙNG VIỆT | Technical Manager at Transition Systems Vietnam (Hanoi, Vietnam) | 11-JUL-2014
#5.1-1854 | NGUYEN THAI BINH – NGUYỄN THÁI BÌNH | Systems Engineer at Transition Systems Vietnam (Saigon, Vietnam) | 16-OCT-2014

PCNSE6

ID | Name | Current position | Date certified
#6-661613 | PHAM DINH THONG – PHẠM ĐÌNH THÔNG | Deputy Technical Director at VietSunShine (Saigon, Vietnam) | 07-MAY-2015
#6-892440 | TRAN DUY HUY – TRẦN DUY HUY | Security Consultant at VietSunShine (Saigon, Vietnam) | 07-MAY-2015
#6-901902 | BUI THACH SON – BÙI THẠCH SƠN | Security Team Lead at FIS-ENT (FPT Information System, Enterprise) (Saigon, Vietnam) | 18-MAY-2015
#6-670XXX | PHILIP HUNG CAO – PHILIP HÙNG CAO | | 23-JUN-2015

PCNSE7

ID | Name | Current position | Date certified
# | PHILIP HUNG CAO – PHILIP HÙNG CAO | | 10-JUN-2016
# | NGUYEN THAI BINH – NGUYỄN THÁI BÌNH | Solutions Consultant at Exclusive Networks Vietnam (Saigon, Vietnam) | 12-JUL-2016
# | JIMMY HO – HỒ VŨ ANH TUẤN | Network Security Engineer at SV Technologies (Saigon, Vietnam) | 07-FEB-2017
# | DINH HOANG HAI – ĐINH HOÀNG HẢI | Network Engineer at CMC SI Saigon (Saigon, Vietnam) | 28-JUN-2017
# | PHAN TU – PHAN TÚ | Senior Network & Security Engineer at SV Technologies (Saigon, Vietnam) | 24-JUL-2017

©2013-2017 Philip Cao. All rights reserved. Please specify the source when you copy or quote information from this website (Please cite the source when you copy or reuse information from this website).
