It’s the end of the year and time to reflect on the events of 2014. There were some high profile wins, like the apparent defeat of the GameOver botnet, and some dreadful losses such as the Heartbleed bug – but what was the final score?
Did the forces for good win, lose or draw in 2014?
It’s a big subject and there are many, many points of view. So we’d really like to read about your perspective on the year just gone – what did you think of computer security in 2014? You can vote in our poll and leave your thoughts on the year in our comments.
To whet your appetite I asked our regular contributors to give you some food for thought, starting with me.
Mark Stockley
It seems to me that popular, mature software is getting harder to crack with encryption, bug bounties, responsible disclosure and frequent, predictable – often automatic – updates increasingly accepted as best practice. We know how we should be writing software, even if we’re not all doing it yet.
Users remain our Achilles’ heel though – year after year, we continue to choose terrible passwords and to click on links and attachments we shouldn’t, and 2014 was no better.
So long as security is reliant on good behaviour from users who adapt at a slower rate than software, we’re standing still at best.
Mark is founder of independent web consultancy Compound Eye.
John Hawes
I’d say things have got better, although not necessarily more secure just yet.
It may feel bad that there have been so many horrible vulnerabilities in vital software, epic leaks of all sorts of personal data, awful privacy decisions by sites and services people trust, mass doxing of celebrities, huge scams and frauds and lots and lots of general misery, which in themselves are of course not a good thing.
But the scale and frequency of incidents this year feels like it has really pushed us over a tipping point and made security a topic everyone is thinking about, rather than just a few specialists.
People everywhere, from technophobic moms and pops to tight-fisted business leaders, are starting to realise the dangers they can stumble into, and are making efforts to make themselves more secure. In the long run that means fewer easy targets and more demand for better protections, so eventually everyone will end up safer.
John Hawes is Chief of Operations at Virus Bulletin and sits on the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO).
John Shier
This year has been a mixed bag. We won some battles on the privacy front with an increasing number of websites using HTTPS as a default.
It also appears we fatally wounded the GameOver/CryptoLocker infrastructures.
Like high-waisted “mom” jeans, macro viruses are back making us wary of opening Word documents again. Hipster beards and fixies seem to be going strong and so does ransomware. Now we have viral ransomware with hybrid action mechanisms. A little dose of the old sprinkled with some new flavour.
It appears as though we are also staring down the barrel of 64-bit malware which is giving us something new to worry about. Let’s not forget that (really) old code though! Something written 20 years ago by someone with a different kind of beard is now front page news with a catchy name, a website and a PR agent.
It certainly was a bad year for retail but a great teaching opportunity on how not to do security. So it seems awareness is increasing but we still have a long way to go before we can claim any kind of decisive victory, so let’s call 2014 a draw.
John Shier is a Senior Security Expert at Sophos, a popular presenter at security events and a hands-on technical guru for Sophos partners and customers.
Lisa Vaas
The Snowden rash keeps itching, and the industry’s immune system is kicking in to make this a year where security took some performance-enhancing drugs.
Big tech is hosing itself down trying to rid itself of any whiff of government collusion, as in, perish the thought that we knew about backdoors allowing law enforcement to prance into our products. Or, as Google and Apple would put it, Encryption-R-Us. Good stuff for consumers, unless of course the US government succeeds in stabbing warrantless search to death once and for all.
Cyberbullying got a tiny bit better in some corners, such as Facebook apologising to the LGBT community over its real-name policy and promising to fix its cluelessness over the importance of pseudonyms in protecting people from harassment and violence.
But it was still damn hard to be a teacher. Or a kid. Or a female game developer. Or a victim of cyberbullying, bomb threats, stalking, Sony or Sony-like data doxing, or nude photo theft and publishing.
Let’s not pat ourselves on the back for a job well done just yet. There’s still an enormous amount of work to be done to make the internet a more safe place for all.
Lisa Vaas is a freelance technology writer and former executive editor of eWeek whose credits include CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and HP’s Input/Output.
Paul Ducklin
The 2014 computer security glass is half-empty because…
We spent a lot of time in 2014 energetically repeating the worst blunders of 2013. Case in point: malware breaches on point of sale networks via the same holes we had last year, including contractors or vendors with pathetically insecure remote access to our own networks. “Those who cannot remember the past are condemned to repeat it,” so it’s time to stop living in the past!
The 2014 computer security glass is half-full because…
We’re ready to try out security procedures that we rejected last year. Case in point: two-factor authentication. Two or three years ago, lots of people were telling us that they weren’t willing to put up with inconvenience to help someone else do security better. Today, we’re hearing the same people saying, “Where is it? Bring it on!” It’s great that we’re no longer living in the past!
Paul Ducklin is Naked Security’s security-proselytiser-in-chief and winner of the inaugural ‘AusCERT Director’s Award for Individual Excellence in Computer Security’ in 2009.
Lee Munson
2014 was the year that the data breach went mainstream. From JP Morgan to Home Depot, Victoria’s Secret to Sony, the news was filled with ever-increasing stories of doom, payment card theft and personal information exfiltration.
But you know what? There is a silver lining.
Security awareness is still in its infancy and mainstream news coverage may just prompt users and organisations to choose stronger passwords, review security policies and adopt a non-checkbox approach to security standards and regulations.
So while 2014 hasn’t been a great year for computer security, I do have some optimism for the new year ahead.
Lee Munson is a writer, social media manager and founder of the popular computer security website Security FAQs.
You?
That’s enough fence-sitting from our writers, now tell us what you think!
Image of signpost courtesy of Shutterstock.
I would say it got better, overall. Much of the murkiness comes from the fact that general awareness has been raised over the past few years.
While we may be seeing “bigger hits” in 2014, much can be attributed to more active approaches to monitor and detect. There were few things, this year, that were “new” to the security world. Businesses and private persons have become more active to thwart such things and protect their privacy.
The coverage in the media about “Cyber Attacks” is also “new” to 2014. When you look at the PSN hack, that wasn’t nearly as widely spread outside of PSN users and Cyber Security circles.
Most people wouldn’t relate LoD or Decepticons to anything aside from their cartoon/comic counterparts. Now you have groups, like Anonymous, making statements on social media. (Be it hacktivist groups or purely malicious groups pining for glory/work.)
So, overall, I feel that things have gotten better. The presence in the media has brought fame/infamy to hacking and security issues, causing more people and companies to examine their own security and make changes.
Cyber Security has been getting better over the years. The loss of Corporate money eventually deters a slackness in security, and replacing those who are sitting on their Cyber laurels should have been the MAIN focus in the news. Though there have been vulnerabilities in software-hardware that have been breached, it was Worst practices that caused the ability of MAYHEM to take place.
And Microsoft have issued today another fix for a fix for a fix that didn’t work. This time it is aimed at IE11 that was ‘damaged’ by this month’s update. See KB3025390.
If you haven’t got it and have IE11, you need it.
There were some high profile wins, like the apparent defeat of the GameOver botnet, and some dreadful loses such as the Heartbleed bug
“losses”
Yeah, but then consider:
How long has heartbleed been in existence? Shell Shock? Regin? etc?
That’s why I went with better. I mean.. some of these were ID’d years ago and ignored or never investigated to fruition.
Is it a problem? Heck yeah.
Are there more high-profile stories? Heck yeah.
Are they new attack vectors? Not really.
It appears worse, because more and more attention and awareness has come during the past few years.
The question is difficult to fully rationalize. It is like asking a blind man how his vision is, after just having restorative surgery. What is he to base his answer off of if he’s never seen before?
Here, the populace is becoming more aware and enlightened to the “dangers” out there. Gov’t spying, malicious attacks, phishing, etc… Twenty years ago, people would relate hacking to “Wargames” or “Hackers” (both great movies for different reasons. 😉 )
They weren’t concerned with the same security issues as they are today. As technology advanced and we became more dependent on all of these networks, we’ve entered into an area blindfolded.
The most common response, I heard over the years, was “Those guys aren’t interested in me. I don’t need to do anything.” Now, people are looking into password managers, VPNs, encryption methods, etc., and generally being more cautious with their information.
I like to think of it similar to the OSHA standards. When I first entered the civilian workforce, I went around with our safety team and spoke with the OSHA rep. I’m paraphrasing here, but basically he said: “The OSHA rules are written in blood.” Meaning, every rule came out of someone being injured or killed. That is what we’re seeing here in the Cyber Security world.
It, like the OSHA rules, is not a “positive” thing. That is, something bad had to happen to someone, thus causing a change in how we do things.
The fact that we are changing and we are raising awareness and we are finding these things.. That is a move for the better.
25 years of Shell Shock…. 25 YEARS. I mentioned the potential exploit (not called shell shock at the time) to a client and they shrugged it off. When it hit the news this year as “ShellShock” they came running for a solution to fix this “hole in their security.”
So yeah.. it looks bad, this year, but it looks bad because people are paying more attention. Aside from a few high profile cases, I don’t feel it is any worse than previous years (And honestly… who knows how much was pilfered in years where IT would buy a stock Firewall, make a few minor mods, and call it a day? How much went unreported, when people didn’t know (or care) about what to look for.)
I’d say the actual security posture is little changed, meaning exploits known to hackers have not yet been completely exploited. On the upside, CEOs, CTOs and CIOs now know their jobs are at stake which means more investment in security and hopefully in a few years’ time we’ll start seeing results in operations as contracts start pushing liability out to third parties and in-house cultural changes take hold…hopefully
Worse – although possibly our perception is catching up with a longer running reality.
The classic bad-guy malware threat to our personal computers is probably reduced because we are becoming more aware / suspicious and are keeping our on-computer protection up to date,
but:
(1) We are beginning to realise that there a new group of “bad-guys” that threaten our privacy and who may have privileged back-door access to our communications (or the brute force technical/legal power to access via the front-door). We are beginning to realise that “privacy” is layered and in some layers is non-existent.
(2) People who hold our data are being targeted and they (users of POS terminals, cloud providers, e-commerce companies etc.) seem to be cavalier in their approach to security of our data. We are beginning to realise that we have to ask more questions of the corporates with whom we deal – and that they probably won’t know the answers.
Depends from what aspect you are coming from. Security technology and practices are better but use of security by organizations has notably been worse.
In the US, cholera ended up saving millions of lives over the last 100 years by killing so many thousands back then that we finally got around to installing proper sewer and drinking water systems in cities. But it wasn’t until it was a horrible in-your-face epidemic that we did anything, even though we knew the solution for a long time (at least 50 years by that time). Like the OSHA standards mentioned above, we don’t make hard costly decisions until we’re really faced with the calamity of apathy.
I don’t think security got better in 2014. But I do think we’ve finally had a cyber-epidemic terrible enough to force us to do something. I think security will start to get better in 2015 and 2016 because of it. More than specific cyber security laws (which will never be agile enough), we should change liability and loss laws. If a business had to pay actual damages to consumers, or $100 dollars to anyone they lost the data of (card holders, PII, whatever), I think we’d see a whole lot more security a whole lot faster.