First, the bad news: Windows XP doomsday, escalating ransomware, botnet-driven attacks, emerging SDN threats. The good news: Threat intelligence goes mainstream.
Predicting the future, of course, is impossible. But based on the dynamic events I've witnessed in information security this past year -- new adversaries, attack techniques, and increased adoption of such emerging technologies as software-defined networking -- here are seven security trends I’ll be watching closely in 2014.
1. Doomsday for Windows XP Come April 2014, Microsoft will stop releasing new patches for Windows XP. But from the attackers' standpoint, the real fun will start in May, when Microsoft patches all versions of Windows since Windows XP. When that happens, security experts predict a hack-attack field day, since -- just like Java -- attackers can reverse-engineer the new fixes to find exploitable XP vulnerabilities. Cue difficulties for the millions of consumers and businesses that continue to rely on the unsupported operating system.
"One of the biggest challenges ahead for 2014 is clearly coming with Windows XP, and that obviously has a massive impact not only for the systems that are out there, but the systems that are out there that no one knows about," said Gerhard Eschelbeck, chief technology officer of Sophos, speaking by phone. "Who owns fixing those systems or upgrading those systems or ensuring those systems are still secure, in a world where patches are no longer being provided?"
Given the potential harm facing people who still rely on XP, there still might be an end-of-life reprieve. "Microsoft ought to reevaluate and reassess their decision early next year," Eschelbeck speculated, “if it's the right thing to do to 'end of life' support for an operating system that's been as successful as Windows XP has been."
2. Malware: Follow the Money One no-brainer for 2014 is that malware will continue to target an expanded range of institutions that handle money -- and especially virtual currencies. In late November, for example, a new variant of the Gameover malware was spotted that targeted the log-in credentials for users of BTC China Exchange. That China-based exchange handles 40 percent of the world's trades in the cryptographic currency known as Bitcoins.
Going forward, we can also expect improvements that make latest-generation malware tougher to detect or block. For example, increased use of automated generation of domains for call-backs. According to Sophos' Eschelbeck, these techniques are used by malware writers to ensure that infected nodes can connect to command-and-control (C&C) infrastructure and serve as bots in a botnet. For years, security firms have battled botnets by blacklisting these malicious domains. But as attackers have improved their domain-name-generation algorithms, the tedious, largely manual exercise of blocking malicious domains has grown more difficult.
In addition, attackers have begun using "multiple layers of indirection," Eschelbeck said, which makes it more difficult for researchers to pinpoint exactly how C&C communications are flowing. "The first layer that the malware is going to may not be a bad domain at all," he said, but rather an intermediate but otherwise legitimate waypoint compromised by attackers. The more time and effort it takes security researchers to separate good domains from bad domains, the farther ahead attackers can stay from would-be botnet busters.
3. Ransomware shakedown escalates The above example wasn't the first foray into new attack territory by the authors of the Gameover malware, which is based on the Zeus financial Trojan. "Gameover has also been involved [with] the dropping of CryptoLocker onto victims," said Sean Sullivan, security advisor at F-Secure Labs, referring to the CryptoLocker ransomware, which encrypts an infected PC, then demands users pay a ransom -- sometimes in bitcoins -- to receive a decryption code.
"Ransomware is pretty fascinating stuff. It's showing how cartel-like this problem has become, how it's really been able to extort money, and how it's been really powerful, from a software perspective, simply by locking down a PC until you pay up," said Carl Herberger, VP of security solutions at Radware, speaking by phone. Furthermore, the attacks continue because victims -- reportedly even including one Massachusetts police department -- continue to pay up.
Expect the scope and combination of these shakedown campaigns to keep expanding in 2014. "If I can take someone down, that's one thing, but if I can extort them for restoring the services when they're down, then they probably have more of a propensity to pay," Herberger said. "I see that being a very big idea that evolves in 2014."
IT's Reputation: What the Data SaysInformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.