Dark Reading is part of the Informa Tech Division of Informa PLC


Partner Perspectives
Vincent Weafer

2014: The Year of Shaken Trust

We can rebuild that trust.

Trust was probably the biggest casualty of the past year in security. Consumers were confronted with multiple thefts or exposure of their personal information, from credit cards to healthcare to social networks. Businesses had their confidence shaken with the discovery of significant code vulnerabilities in widely used software. National and local governments inadvertently exposed personal information about citizens.

In the long term, we’re going to have to deliver an e-commerce model in which security is built-in by design, seamlessly integrated into every device at every layer of the computing stack. In the short term, CEOs will be (and have been) called to testify before Congress, CxOs will lose their jobs, and the industry will focus on breach detection and response. There will continue to be consequences for getting security and privacy wrong. If organizations fail to protect our information, governments will increase the scope of rules and regulations, as well as the severity of punishment.

Consumer credit-card information continues to be a valuable target in the United States, where cards with magnetic stripes are still in common use and easier to hack than chip-and-pin cards. The growing use of digital wallets is increasing the credit-card attack surface. However, attacking point-of-sale systems is just the tip of the iceberg. We expect the number of devices on the Internet of Things (IoT) to surpass the number of mobile devices sometime in 2015, and to keep growing. As these intelligent, Internet-connected devices experience exponential growth, they provide a rich target for cyber criminals. Based on research from Intel Security’s McAfee Labs and our partners, 90% of these devices collect at least one piece of personal information, 80% have weak password protection, and 70% have other security exposures. The wide variety of hardware and software modules that make up these devices makes securing each device a difficult task. To augment IoT device security, we will see an increase in network security and chip-based security solutions.

For governments and businesses, confidence in their Internet servers to store and serve data securely was hit hard in 2014, with a number of major vulnerabilities, including Heartbleed, Shellshock, and BERserk. Application vulnerabilities were on a declining trend from 2006 to 2011, but have climbed steadily since then and have now surpassed the previous peak. Unfortunately, some of these vulnerabilities are found in the malware isolation technique known as sandboxing, implemented by many popular applications. External or standalone sandboxes are containing these threats for now, but cyber criminals are exploring ways for their malware to escape those confines as well.

Cyber Espionage Poses Increased Threat

Possibly the greatest threat we have seen this year is the refinement of cyber espionage campaigns toward long-term intelligence gathering, made possible by sophisticated detection-avoidance tactics. Although this field is mostly the domain of nation-state actors for now, we expect that cyber criminals will study and emulate these techniques. The development and deployment costs of cyber espionage attacks will leave most cyber criminals in the smash-and-grab game. However, some companies with very valuable digital assets or significant enemies will find themselves the target of one or more of these sophisticated attacks, in which the goal is to gather intelligence over time and eventually sell it to the highest bidder.

These and other sophisticated threats have exposed the weakness of relying on multiple defenses that are disconnected from each other. Identifying and containing these attacks requires information sharing, data correlation, and human collaboration at all levels, from laptop malware scanners to enterprise firewalls, security operations centers, and even the security vendors themselves. At the FOCUS 14 security conference, for example, Intel Security demonstrated McAfee Threat Intelligence Exchange (TIE), which unifies and correlates threat data from global sources with local intelligence information to more quickly identify attacks and narrow the gap from initial encounter to containment.

We have also seen greater inter-company collaboration this past year, with more to come. Intel Security, Symantec, Fortinet, and Palo Alto Networks co-founded the Cyber Threat Alliance, a group of security vendors committed to quickly sharing information on zero-day vulnerabilities, advanced persistent threats, and indicators of compromise, to improve defenses and better protect organizations and consumers. We have seen several collaborative, cross-border takedowns of criminal botnets, such as Operation Tovar. We expect to see more of this collaboration among vendors, government agencies, law enforcement, and academics in 2015, across competitive and political barriers, resulting in greater knowledge sharing and more takedowns of cyber criminals.

We have certainly not seen the last exploits of the high-severity vulnerabilities of 2014. Rebuilding trust and confidence will be a priority for 2015, but this means changing the security postures of many organizations. On the plus side, whether we are talking about physical or virtual security, as the threats and attacks increase, the defenses must adapt. Security on a chip will change the security paradigm for servers and endpoints, including mobile and IoT devices. Biometrics and password-management tools will address the weak link of user ID and password authentication. Data-analysis tools, fast threat intelligence sharing, and improved telemetry from security sensor devices will reduce the time to detection by building better reputation and behavior models.

The public has been reawakened to the risk of cyber threats by the very public and very meaningful security events of 2014. But as an industry, we are responding with stronger collaboration among products, vendors, and governments. These steps will go a long way toward restoring that lost trust.

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team ...
12/9/2014 | 2:02:45 PM
"shaken" ?
"shaken" trust?

Better written as shattered trust. The Snowden affair followed by the 60 Minutes exposé on PCI fraud has finished the job. We have to fire the coach and the manager and get new help in here.