A cynic’s view of 2015 security predictions – Part one

Introduction 

Cyber security was a hot topic in 2014. It seemed not a week went by without details of a high profile data breach hitting the headlines.

To recap, the Sony breach was one of the most notable, as was the Home Depot hack, while details of widespread security vulnerabilities such as Heartbleed, Shellshock and Poodle were also revealed. But what will 2015 bring? Will it be more of the same, or have cyber criminals got some new tricks up their sleeves?

It is worth remembering that the annual tirade of security predictions is a time honoured convention. For well over a decade now a growing number of security vendors and researchers have been huddling and discussing what’s going to make the next 12-months scarier than the previous 12.

Predictions

The word prediction, in many ways sums up the value and importance of what has been uttered. Unlike ‘forecasts’ which denotes a degree of specificity and scientific rigor in projecting the changes in the security landscape for the upcoming year; or ‘projections’ that extrapolate upon a verifiable trend or continuity of change, ‘prediction’ tends to entail a pinch of mysticism and a dollop of charisma. It’s not the science behind the prediction that makes it accurate; it’s too often the entity saying it.

It takes a certain degree of cynicism to read and evaluate the merits of all the security predictions doing the rounds.

If I had to summarize the vast majority of vendor predictions for 2015 in to a single sentence it would be: “There’ll be more of them and they’ll be more sophisticated than last year.” Unfortunately it’s probably the same summary I could have provided each year for the last decade.

A critical failure of this annual security deluge lies with the industry’s expectations for their customer or end consumer. A modicum of carefully managed fear has been a mainstay of the commercial security product business since the very beginning, but we’re fast approaching a tipping-point to which the buyer is either frozen with fear, or will choose to ignore it all and let fate decide. Let’s be honest, neither of those scenarios is helpful to anyone.

I’ve got a lot of predictions, so I’ve split them into a series of blogs.

So let’s make a start with my first prediction.

Malware threats

While fear mongering is a feature of the vast majority of the security (i.e. threat) predictions for 2015, the anti-virus industry, in my opinion, has managed to lead the pack once again.

Just about every anti-virus or desktop-protection vendor regurgitated a ‘slightly improved’ cache of threats for their customers to worry about – striving to ensure that they continue to renew their annual software licenses or migrate to a newer suite of tools.

Looking beyond the projections of decade-old trends that are presented afresh as predictions for this year – such as that the number of malware will increase, memory-only viruses will become more prevalent (it’s the 1980’s all over again), banking Trojans will become more targeted, adware will blur the lines with malware, new data exfiltration techniques will appear, or really generic brain-dumps such as “threats will keep evolving” – it would be helpful to understand what lies behind the horrible and fearsome statistics. There could be no doubt that a little more specificity could help push these predictions in to the realm of actionable forecasts.

Good versus bad

The awful truth behind the ghastly stats which drive the hideous threat predictions is that malware is a business – for both the good guys and the bad guys.

The 30-year battle between the good and the bad is as sophisticated and intricate as a Mandelbrot set; the deeper you look in to a particular arm of the fractal, the more esoteric the battle becomes.

Unfortunately for us all, over the last decade the malware authors have been enveloped by the loving embrace of organized criminals – many of whom have much deeper pockets and are more capable of innovatively monetizing the data theft or control capabilities of the malware being installed in their victim’s computers and devices. In a nutshell, the anti-virus vendors are being out-spent daily by the criminals they battle with.

Advances in malware

Each year we hear about the latest advances in malware that are being caught by an increasingly broad array of desktop-protection technologies and how hard analysts are working to study them.

Arguably even these most sophisticated threats are still behind the latest technologies that are actually being deployed by the cyber criminals in the field – let alone state-sponsored threats.

While the news stories have perpetually honed in on the state-sponsored threats, in many ways the discussion is technologically irrelevant.

I’d happily argue that the best and brightest malware authors aren’t the type of people that appreciate government desk jobs and that the technological brain trust is, for want of a better phrase, already “commercially available”. What the Government entities bring to the table are a more sophisticated means to install the malware on to (or in to) the targeted device – and that’s more of a wetware threat than most organized crime syndicates can manage.

So, when it comes to malware predictions for 2015, the unanimous forecast is for more of the same – the same as it was for last year, and the same it will be for 2016. As the technologies we use in our daily lives evolve and the way we alter our lives around them changes, malware (and the authors and organized crime syndicates behind it) will adapt and make use of the new doors that open while the antivirus companies close the old ones.

The war on malware

The cynics among you may argue that we’ve lost the war on malware and that anti-virus is dead. I’d probably agree on the former and place it on life-support for the latter.

In the grand scale of protection strategies, I see the anti-virus industry having close similarities with the garbage collection business. A garbage truck comes around to your home or place of work to take-away the garbage and detritus each week.

It’s not there to prevent you from creating garbage – it’s there to prevent you from being overwhelmed with garbage and the pests and pestilence that come by not removing it yourself. It is, however, unlikely you’d want them helping out in the kitchen.

Part two of our security predictions will be coming soon.

Published date:  20 January 2015

Written by:  Gunter Ollmann

comments powered by Disqus

Filter By Service

Filter By Date