What security threats business leaders need to know about this year

Jan. 30, 2014
From malware ransoms to data breaches, security experts are facing new and emerging concerns that evolve with technology

Everyone knows that computer security has long been an ongoing game of cat-and-mouse in pursuit of cybercriminals and hackers. This fact will not change in 2014. As we enter the New Year, there are several trends that seem particularly relevant for business leaders to consider.

Whether it’s the bad guys demanding ransoms for malware fixes, or the growth of cloud-based tools and wearable devices, security experts face a range of emerging concerns that deserve their serious attention. As if to highlight these issues, a massive breach of Target’s customer payment card data this past November and December only served to emphasize the need for stronger security as 2014 progresses.

With that being said, here are my top five security predictions that businesses of all sizes need to be aware of in 2014:

1. There will be significant fallout from the Target data breach

As many as 40 million credit and debit card numbers were compromised as a result of the recent Target data breach in late 2013. This breach included more than the credit card numbers themselves. It also involved the names, expiration dates and the CVVC codes located on the cards. Basically, hackers obtained everything they needed to create a new credit card. What’s most disturbing about this breach is that the CVVC (or CVV2) codes were compromised. Strictly speaking, this isn’t supposed to happen, at least not on a scale this large.

According to PCI DSS requirement 3.2, the CVVC code is never supposed to be stored. Given the fact that this breach included that information, I am theorizing there are only a few possible means for this breach.

The first possibility is that this breach happened at the store level and was on such a massive scale that it is going to make us take a serious look at our physical security. This will possibly cause us to entirely rethink our payment system security on the storefront level.

The second possibility is that the payment system network was compromised. This is unlikely, as all of the data that transits this network is encrypted. But if that is the case, the implications are serious because it makes this breach repeatable and may change the way payment card data is processed.

The final scenario is that Target was centrally batching its payment card data in order to conduct transactions at high volume. If this is the case, then Target is going to face substantial PCI-related fallout, including fines as well as paying for credit monitoring for 40 million credit cards.

We may also see fallout in terms of government intervention. For a long time the payment card industry has self-regulated. It is in their best interest to do so. PCI is not a government standard; it is a payment card industry (PCI) standard. If you don’t abide by it, MasterCard, VISA and other payment card companies can revoke your ability to take payments via credit cards. The biggest nightmare for the payment card industry would be government regulation of key aspects of their business.

Right now, PCI is the same standard globally. Different regulations in different countries would cause significant problems for the payment card industry. Expect to see some changes to the PCI-DSS framework in 2014.

Solution: PCI is a minimum requirement. If you take payment cards, you should go above and beyond what is prescribed in PCI in order to ensure data security.

2. Ransom malware will continue through 2014

Today’s malware is all about making money, and what easier way to make money than to go directly to the consumer? If a business owner finds a product or marketing technique that proves profitable, he is going to continue to use it until it stops providing income. The criminals behind malware are no different. If it works, they’ll keep doing it until it doesn’t work anymore, and ransomware certainly worked in 2013.

How effective was it? In 2013, there were nearly a quarter of a million CryptoLocker infections. If just 10 percent of those infected chose to pay the ransom of $300, the net profit would be $7,500,000.

Solution: Keep endpoint security up to date. Deploy web and email security that protects against malware, both on and off premises. And most importantly, keep regular backups through a means that is not constantly connected.

3. More organizations will move towards cloud-based services

With mobile computers, tablets, smartphones and now wearable technology, users are becoming more mobile than ever. This means that the walls that have been erected around our digital networks are being circumvented by the simple act of a user going down the block to grab a cup of coffee. The beautiful internal data warehouse we have built on our networks is now being questioned because an executive can’t run reports from his vacation home on the Florida coast.

The walls to our digital networks are crumbling. No longer are we in an era when the users are inside the walls, and the bad guys are outside the walls. This is driving more organizations to the cloud. A CRM system that is accessible anywhere is much better for the end-user. It allows for productivity anywhere that a connection can be established. A web security system that only protects users when they are on the network has become an antiquated approach that only covers a shrinking number of users. Data Leakage Prevention (DLP) at the gateway is the same. While some organizations have ignored this growing trend and continue to stick to the old ways of building walls, more organizations will start moving to the cloud.

According to a recent piece in Forbes, more than two-thirds of organizations will increase spending in the cloud for 2014. Users that are on or off premises will be protected by cloud security services.

Solution: Malware and DLP scanning will move from the network edge to the cloud. Other security services will also certainly make their way to the cloud in 2014, and beyond.

4. As smart devices increase, so will the potential for compromise

Google Glass, Pebble, Kreyos and other wearable technologies began to make a splash in 2013 and will come into general public use in 2014. A new smartphone seems to come out on a weekly basis. There are now smart refrigerators, smart TVs, smart houses, smart pet dishes, and even smart toilets. With all of this interoperability, there is going to be an increase in compromised devices.

Let’s face it, the average user is not ready to set up a 4096-bit encrypted connection between devices, much less manage the keys required to connect the device to yet another new smartphone. So the connections made are simple. We have already seen an uptick in the compromise of home camera systems, like those used in baby monitors.

This may seem troubling when we are talking about a single breach of a home user. But let’s take it to the enterprise; let’s take it directly to the boardroom. If wearable technologies, such as Google Glass or smart watches, are compromised, they could easily become a remote listening device and a remote viewing device. That innocent watch on the wrist of the Chief Marketing Officer could leak the corporate strategy for the entire year. How about that SmartTV that just got installed in the conference room? It could be spying on you as well.

Solution: This concern will only grow with the increased adoption of smart devices. As a result, enterprises will be forced to develop new strategies to address these smart connections. One option may be to implement basic encryption systems for corporate users who adopt wearable devices in the workplace. This latest ripple could also require new HR policies, in addition to an added layer of security. 

5. Organizations that stubbornly refuse to upgrade legacy Windows XP machines are in for a very long year

On April 8, 2014, Microsoft will end support for Windows XP and Office 2003. Microsoft has been more than generous in the amount of time offered. What this end of support means is that Microsoft will no longer be offering security patches for Windows XP. So if vulnerabilities exist, they will continue to exist in perpetuity.

But that doesn’t tell the whole story. The fact is that XP machines are already more prone to infection than their newer counterparts. A study published in October 2013 showed that Windows XP machines are infected far more often than their newer Windows counterparts, measured per malware encounter. A malware encounter is simply the machine coming into contact with malware in the wild; it does not necessarily mean infection. The basic idea is that malware is encountered at a high rate by Windows 7 machines. Malware criminals aren’t stupid. They know more people are using Windows 7 today, so they are going for volume. But the study also showed that the number of malware infections per encounter for Windows XP SP3 was nearly double that of Windows 7 SP1. Add in Windows XP SP2, and the number of infections per encounter nearly tripled.

Endpoint protection will help. The number of infections can be five or more times higher on an unprotected machine. But there is always a zero-day threat that may not be covered. On a machine where exploits are no longer being patched, the possibility of infection will only increase as time goes on.

Solution: Upgrade all XP machines to Windows 7 or Windows 8. Keep endpoint security up-to-date, and add a web and email security solution that protects against malware both on and off premises.

As we move into the New Year, these five security predictions should remain in the forefront for IT managers and business users. In addition, companies will undoubtedly face a range of new threats as the computer industry evolves, and as cybercriminals continue to develop new fronts in their attacks on personal and business data. So this year it will be more important than ever to remain vigilant and stay keenly alert to these kinds of ongoing privacy threats and security breaches.

About the Author:

Paul Lipman is the Chief Executive Officer of Total Defense. He brings to the role over two decades of executive and operational leadership experience at software, services and ecommerce companies.