About this time each year, cybersecurity pundits cast predictions for what issues will make headlines in the year to come. We’ve certainly contributed our fair share.
Instead of assessing what the next 365 days will bring—an arbitrary timeframe, if you ask me—we’re looking forward with a three year rolling window. We’ll re-examine every year, highlighting what we’re still bullish on, and where our predictions no longer seem likely.
Most people define mobile devices — smartphones and tablets — as those running a mobile-optimized operating system (e.g. iOS, Android, Windows Phone). There’s a trend emerging, however, in which traditional mobile devices are gaining functionality typically associated with PCs. At the same time, PCs are being architected more like mobile devices — an interbreeding of species, if you will. The iPad Pro, for example, has a keyboard. With Windows 10, phones and tablets can run “Universal” apps that also run on PCs. Windows 10 also has application-layer sandboxing, code-signing, and an app store with apps pre-vetted by Microsoft. In certain configurations (i.e. enterprise-managed devices), a laptop running Windows 10 has a security architecture that looks strikingly similar to a smartphone or tablet. We expect the blending of species to continue and cause the classic differentiators between mobile devices and PCs to (eventually) disintegrate into a difference in nothing more than screen size.
The rumors of the enterprise network perimeter’s death have been greatly exaggerated. While many major breaches involve an attacker bypassing a firewall to get at valuable data behind it, most organizations still use the perimeter as a cornerstone of their security architecture. Even when moving to the cloud, enterprises often extend their perimeter to virtual systems. Because business needs dictate having innumerable exceptions to perimeter access controls (e.g. open ports for web services, partners and contractors needing access, VPNs and Wi-Fi granting access to unmanaged devices), IT no longer effectively controls what can get behind the firewall. We foresee “re-perimeterization,” where instead of monolithic internal networks, enterprises will build micro-perimeters that protect individual applications and data stores, each enforcing its own security policy.
In the past, increasing focus on cybersecurity meant buying “yet another box.” Deploying solutions without first understanding the problems to solve and a strategy to solve them has proven ineffective and mega-breaches have proliferated over the past few years. Real progress, however, will come by measuring *actual* risk reduction, instead of aiming for the hollow victory of solution deployment. Cybersecurity professionals will need to show how their technical solutions have reduced risk across an organization and the companies behind those technical solutions will need to measure success based on their effectiveness. This is a significant shift from the current paradigm that often highlights implementation over efficacy, and a lot of security vendors won’t be happy.
It’s fair to say that attackers are increasing their investment in iOS. If you view attackers as rational economic actors, investment in targeting iOS is logical, given Apple’s growing smartphone market share, currently around 14 percent globally as of Q2 2015 according to IDC. This year, for example, the XcodeGhost attack utilized trojanized versions of Xcode, Apple’s development environment, to inject malware into legitimate iOS apps when developers compiled them. Many of these infected apps subsequently made it onto the App Store.
We don’t believe that mainstream attacks from the App Store will become the norm. We do, however, foresee growth in enterprise-targeted iOS attacks given the large amount of data stored on and accessible to enterprise mobile devices and the high prevalence of iOS devices in enterprise environments. It’s highly likely that enterprise-targeted attacks on iOS will be conducted via a combination of malicious apps, exploitation of vulnerabilities in legitimate apps, operating system exploitation, and end-user social engineering.
The password is possibly the single largest security problem on the Internet today. Weak passwords, individuals re-using passwords across sites, and password resets being available to anyone with access to your email all contribute to the password being an Achilles heel in even a very paranoid person’s security posture. Increasingly, individuals and organizations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. Going forward, we foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: both something that enables you to unlock your life online and a target for attackers seeking to access your services.
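To make the “smartphone as a multi-factor element” concrete, here is an added example (not code from the original post) of the time-based one-time password scheme that most authenticator apps implement: the phone and the server share a secret, the phone derives a six-digit code from the current 30-second time step per RFC 4226/6238, and the server recomputes it to verify. The shared secret below is the published RFC test-vector secret, used here only so the outputs are checkable; the `window` and `last_counter` parameters, the replay refusal and the `decode_base32_secret` helper are this example’s own design choices, not part of the RFCs or any particular product.

```python
"""TOTP verification for a smartphone-as-second-factor login (added example)."""
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII
# "12345678901234567890"), used here only so results are checkable.
# A real deployment generates a random secret per user and shows it to
# the phone app once, usually as a base32 string inside a QR code.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step.
    This is what the phone app computes and displays."""
    return hotp(secret, int(unix_time) // step, digits)


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps exchange the secret in base32 (often unpadded and
    with spaces for readability); normalise, pad and decode it."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, unix_time: float = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1):
    """Server-side check of a code typed from the phone.

    Returns the matching time-step counter on success, or None.
    - `window` tolerates clock drift of +/- `window` steps (hypothetical
      parameter; pick a small value, since each extra step widens guessing).
    - `last_counter` is the counter of the last code accepted for this user;
      any code at or before it is refused so a captured code cannot be replayed.
    - hmac.compare_digest keeps the comparison constant-time.
    """
    if unix_time is None:
        unix_time = time.time()
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = int(unix_time) // step
    for counter in range(current - window, current + window + 1):
        if counter < 0 or counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Phone side: the app computes the current code from the shared secret.
    code = totp(DEMO_SECRET, 59)
    # Server side: the same secret verifies it, then the counter is recorded
    # so the same code cannot be accepted a second time.
    accepted = verify_totp(DEMO_SECRET, code, unix_time=59)
    replay = verify_totp(DEMO_SECRET, code, unix_time=75, last_counter=accepted)
    print(code, accepted, replay)  # 287082 1 None
```

The point the example makes for the passage above: the phone holds a secret that never leaves the device after enrollment, so a phished or reused password alone is no longer enough; but the same property makes the phone, and whatever backs up its secrets, the asset an attacker now wants. The server must also persist `last_counter` per user, or a code observed in transit remains valid for the rest of its time step.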
We also asked ourselves, “How many of our past predictions have actually come to pass?” Where is my flying car? Where is my hoverboard? We decided to look back at our past predictions to see what we got right and where we were wrong so we can get better in future years.
For more detail, check out our Slideshare.