We’re in a new era in the evolution of computing. We’ve gone from mainframes, to client/server and the age of the desktop PC, and have now shifted to an era defined by mobile devices, cloud computing, and social networks. The reason that is important is that the computing culture dictates the environment we’re working with, and it provides the context for the risks we face and the framework available for defending against threats.
Art Coviello, executive chairman of RSA, recently outlined five security predictions for 2014. The first is that BYOD (Bring Your Own Device) will become BYOI (Bring Your Own Identity) as individuals struggle to manage and protect their own personal identities. The second and third seem to be a reflection of the Edward Snowden fiasco and the revelations regarding NSA intelligence gathering. Art highlights the resurgence of the insider threat—trusting internal users like Edward Snowden with sensitive information, and the risk of cloud services in an environment where it seems the NSA can intercept and access data at will.
Those are all valid predictions, but I want to focus on the last two points in Art’s letter: mobile malware and the Internet of Things. Security vendors have been screaming about the impending doom of mobile malware for years now. With each passing year the specter of mobile malware seems less of a threat and more like a “sky is falling” pipe dream. That will eventually change, though, and 2014 is probably the year it will happen.
The fact is that security vendors have collected and analyzed hundreds of thousands of mobile malware samples, and the rate of new variants has grown exponentially. Kaspersky Lab discovered 50 percent more mobile malware samples in October of 2013 than in all of 2012 combined.
Malware developers have been testing the waters. They have crafted proof-of-concept threats to see what works, and what doesn’t, and to evaluate how effectively different threats propagate across a mobile platform. What has been lacking is a malicious payload, and once malware developers choose to take things to the next level most mobile device users will find themselves unprepared to defend themselves.
Then we have the Internet of Things (IoT). It seems that everything is connected to the Internet now, and everything is a sensor of some sort—collecting and evaluating data. There are connected cars, refrigerators, thermostats, smoke detectors, watches, cameras, and more. Conceptually, IoT has a lot of potential to help us understand how to live more effectively and improve quality of life, but it also represents significant risk.
First, there’s the risk that IoT gadgets can be hacked by cybercriminals. Security researchers have demonstrated that it’s possible to hack and remotely control a vehicle, or exert dangerous influence over medical devices like pacemakers. Attackers have gained unauthorized access to home security cameras. The fact that these things are connected to the Internet at all makes them vulnerable to exploit.
Second, many of these IoT devices are gathering copious amounts of sensitive data. IoT devices know where you go, and when you go there. They know when you’re home, and when you’re not. They know how many steps you took yesterday, and how many calories you burned. Most of the data is innocuous, but you still don’t want it to fall into the wrong hands, and the reality is that most IoT devices are not adequately secure.
These won’t be the only security concerns for 2014. It’s entirely possible that some new technology will emerge, or some new attack technique will spring up that will change the playing field entirely. But, from where we’re starting the year, I’m confident that mobile malware and IoT security will be two of the biggest topics we’ll be talking about when we look back on the year 12 months from now.