Microsoft is giving the security world a sneak peek of what it thinks will be the biggest threats in 2014. In a blog post entitled “Top Cyber Threat Prediction for 2014,” Redmond’s Tim Rains, a director of Trustworthy Computing, offered a glimpse into the future as his company sees it -- with a little help from his companions.
Before we get into the list, we asked Ken Pickering, director of engineering, CORE Security, for his review of Microsoft’s predictions. He told us there’s very little to argue with here, but other than the World Cup, this could easily be a list for 2013 or even 2015.
“It’s like tracking the delta of the OWASP Top Ten over the years. How often does something have to surface as an issue before the industry takes it seriously and actually fixes the problem?” he asked. “Usually these sorts of lists make me painfully aware of how little progress the security industry makes as time rolls on.”
Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization
Paul Nicholas, a senior director of Global Security Strategy for Microsoft’s Trustworthy Computing, predicts the U.S. government will release its Cybersecurity Framework and this will begin a more detailed conversation between what can be accomplished by leveraging voluntary efforts, standards and tailored regulatory actions.
“Similarly, the directive on Network and Information Security (NIS) discussions in the European Union (E.U.) will continue to evolve and examine how to improve security, including raising more detailed discussions of incident reporting. The U.S. and E.U. efforts will not happen in isolation,” he said. “It will be important to ensure that we do not end up with hundreds of different approaches to cybersecurity. This type of approach would begin to erode the base of the global ICT industry. In 2014, I predict that policy makers, private sector companies and vendors of all sizes will begin to see the imperative for harmonization and begin to align risk-based approaches to managing cybersecurity.”
Service-Impacting Interruptions for Online Services Will Persist
David Bills, a chief reliability strategist at Microsoft’s Trustworthy Computing, said online services across the industry and around the world have experienced service disruptions during the past year.
“I expect this trend to continue. Cloud service providers adopting contemporary resilience-enhancing engineering practices like failure mode and effects analysis and programmatic fault injection can help to reduce this trend,” he said. “The adoption of practices such as these will help to effectively address the persistent reliability-related device failures, imperfections in software being triggered by environmental change and mistakes made by human beings while administering those services.”
We Will See an Increase in Cybercrime Activity Related to the World Cup
As with any large sporting event, Rains said cybercriminals will also be looking for illegal ways to make money and take advantage of the excitement surrounding the World Cup. Given ticket sales for the event started long ago, he’s sure attackers have already been trying to identify ways to swindle money. But he expects to see an uptick in current levels of spam and phishing attacks that use the World Cup context as bait.
“Advance-fee fraud is a common confidence trick in which the sender of a message purports to have a claim on a large sum of money or needs financial help because of some hardship,” he said. “The sender asks the prospective victim for a temporary loan to get access to their claim or to help them overcome the harsh circumstances in which they find themselves. Of course these 419 scams won’t be limited to Brazil as football/soccer is the world’s most popular sport. I expect to see attackers cast a broad net using different languages in order to ensnare as many victims as possible in Latin America and Europe, as well as other parts of the world.”
Rise of Regional Cloud Services
Jeff Jones, a director of Microsoft’s Trustworthy Computing, said in the wake of heightened concerns about unauthorized access to data, we will see the emergence and broad promotion of regional cloud service offerings.
“The increased sensitivity to both legal data access and intelligence monitoring will be seen as a market opportunity that will be actioned in two ways -- start-ups and existing providers,” he said. “Regional start-ups will see a new opportunity to compete against global providers, while existing providers will develop and offer services delivered from regionally-based data centers in an effort to allay concerns and provide increased customer choice. We also anticipate continued levels of interest in the efforts of technology company support of principles to reform government surveillance practices, such as those discussed here.”
Dev-Ops Security Integration Fast Becoming Critical
Mike Reavey, General Manager of Operational Security Assurance at Microsoft’s Trustworthy Computing, said as more and more organizations across the industry embrace secure development tools, like Microsoft’s Security Development Lifecycle, and operations teams mature their processes to become more security-centric with methodologies such as Operational Security Assurance for online services, attackers will be left trying to exploit the seams between development and operations.
“We’ll see operational security champions build tighter connections with their developer counterparts. Threat modeling will grow to a broader, more systems-based approach,” he said. “And methodologies will become more repeatable and rigorous, borrowing from tried-and-true processes in development such as application threat modeling, and growing similar muscle in operations using continuous monitoring and operational reviews. While attackers are already trying to exploit these gaps, many of the pieces for the defenses’ playbook exist, and we’ll see them come together to increase the challenge for attackers.”
Cybercrime that Leverages Unsupported Software Will Increase
Rains said this topic has been discussed before, but it’s worth mentioning again. The most effective way to protect systems in the current environment, where drive-by download attacks are so popular with attackers, is to keep all software installed on them up-to-date with security updates. But on April 8, 2014, support will end for Windows XP.
“This means Windows XP users will no longer receive security updates, non-security hotfixes or free/paid assisted support options and online technical content updates. This venerable platform, built last century, will not be able to keep pace with attackers, and more Windows XP-based systems will get compromised,” he said. “The best way to stay ahead of attackers in 2014 and beyond is to migrate from Windows XP to a modern operating system that can provide increased and ongoing protections like Windows 7 or Windows 8, before April 2014.”
Increase in Social Engineering
Chris Betz, a senior director at the Microsoft Security Response Center, said as enterprises move off legacy systems, or restrict those systems to non-Internet-facing roles, we will see cybercriminals and some advanced actors increase use of social engineering and weak passwords to access systems. Social engineering and weak passwords have been part of the malicious actors’ kit for many years, he noted, and are some of the oldest hacking techniques still in use.
“For the past several years, vulnerabilities in unpatched and older applications, such as those targeted through web-based attacks, are the most common way that malicious actors compromise systems. Increasingly, enterprises and individual users are setting aside older systems and software for those with default patching and modern exploit defenses,” he said.
“As users upgrade and install current applications, malicious actors will refocus their efforts on social engineering and weak credentials to gain access to systems and accounts. In 2014, enterprises and individual users should be wary of increased and novel social engineering attempts and consider use of multi-factor authentication to protect their accounts,” he added.
Ransomware Will Impact More People
Tracey Pretorius, a director at Microsoft’s Trustworthy Computing, said although ransomware has been around for years, to date, ransomware infections have been on a much smaller scale than other types of malware. But, given increased levels of success attackers have had with this type of extortion scheme in 2013, Pretorius predicts more attackers will embrace this business model in 2014 and ransomware infections will rise.
“As the probability of encountering a potentially super impactful threat increases, so does the risk. Now is the time for organizations to plan mitigations for ransomware. Besides running up-to-date anti-malware software from a vendor you trust, backups are extremely important,” Pretorius said. “For many of the systems that get infected by this type of threat, the only guaranteed way to recover data that has been encrypted by attackers is to restore it from backup after the system has been disinfected or rebuilt. Leveraging the cloud to do this is a low cost option.”