This year has been a rocky year for computer security. There have been many large personal data breaches, including those of Sony, eBay, Michaels, Spec’s, Home Depot, Staples, Kmart, Dairy Queen, MBIA Inc., Jimmy John’s, Goodwill, P.F. Chang’s, California Department of Motor Vehicles, Sally Beauty Supply, and others. Many of these breaches took place over months or years but were revealed or uncovered (or admitted) in 2014. There were also numerous new exploits released targeting flaws in various systems, including Shellshock, Heartbleed, goto fail, and The Moon. We also witnessed the largest User Datagram Protocol (UDP) Distributed Denial of Service (DDoS) flooding attack that reached a peak of 400 Gb/s against a target within CloudFlare. And there were many, many other security breaches, attacks, and malware releases, not to mention ongoing problems with cybercrime and breaches that started in 2013, such as the continued revelations from Edward Snowden and the monetary exploitation of ransomware, such as CryptoLocker.
There seems to be an increase in exploits and incidents over the last year but I’m not positive this is a clear indication that cybercrime activities are significantly on the rise. There are a larger number of targets, both organizations and individuals, as well as a growing number of criminal hackers seeking to take advantage. But some of the increased awareness of security breaches is due to the increased use of auditing, tracking and detecting tools used by companies and service providers. The rate of detection is definitely increasing.
I do, however, think that we are reaping the consequences of our IT history. We are still using technologies designed and developed 10, 20 or even 40 years ago. The majority of the TCP/IP protocol stack was designed decades ago and we are still dragging our feet to upgrade to IPv6, which is itself already 18+ years old (as it was standardized in 1996). Most operating systems were initially crafted 20+ years ago, including UNIX, Windows, Solaris, Macintosh and Linux. While improvements have been made over time, too much code from years ago has been retained. Much of that code was designed prior to secure computing initiatives.
Most vendors of hardware and software products (as well as online services) continue to release their new versions without significant review and testing. They are racing to be first to the marketplace in order to score the largest percentage of the potential sales or public opinion. Often this race to be first is won at the expense of improved code design and our security. Until society demands more secure products and services, we will continue to be served sub-optimal solutions.
What do I see for us in the near future? I expect in 2015 to continue to see security breaches of well-known companies. I expect that a security breach of an “Internet of Things” product or product line will occur that will either grant hackers access to private networks, personal information, or cause physical harm to someone. Too many of the devices are being rushed to market with no real security. I hope there is a revolution in the authentication field. Passwords are no longer sufficient protections for our accounts, especially related to finances and ecommerce. We need a simple but significantly more robust means of authentication. I also expect more revelations that companies and governments are using cyber attacks against each other, even those considered to be allies.
I also hope that individuals and organizations will learn from the mistakes of others as well as the breaches of various entities. We all need to be more aware of this new form of communication, commerce and civilization that we call the Internet. We have still not figured out how to protect ourselves in this new arena. But we need to make a considerable and focused effort to create new solutions. Otherwise, our most significant technological advancement as a species will implode on itself.