It’s the end of the year and time to reflect on the events of 2014. There were some high profile wins, like the apparent defeat of the GameOver botnet, and some dreadful losses such as the Heartbleed bug – but what was the final score?
Did the forces for good win, lose or draw in 2014?
It’s a big subject and there are many, many points of view. So we’d really like to read about your perspective on the year just gone – what did you think of computer security in 2014? You can vote in our poll and leave your thoughts on the year in our comments.
To whet your appetite I asked our regular contributors to give you some food for thought, starting with me.
It seems to me that popular, mature software is getting harder to crack, with encryption, bug bounties, responsible disclosure and frequent, predictable – often automatic – updates increasingly accepted as best practice. We know how we should be writing software, even if we’re not all doing it yet.
Users remain our Achilles’ heel though – year after year, we continue to choose terrible passwords and to click on links and attachments we shouldn’t, and 2014 was no better.
So long as security is reliant on good behaviour from users who adapt at a slower rate than software, we’re standing still at best.
Mark is founder of independent web consultancy Compound Eye.
I’d say things have got better, although not necessarily more secure just yet.
It may feel bad that there have been so many horrible vulnerabilities in vital software, epic leaks of all sorts of personal data, awful privacy decisions by sites and services people trust, mass doxing of celebrities, huge scams and frauds and lots and lots of general misery, which in themselves are of course not a good thing.
But the scale and frequency of incidents this year feels like it has really pushed us over a tipping point and made security a topic everyone is thinking about, rather than just a few specialists.
People everywhere, from technophobic moms and pops to tight-fisted business leaders, are starting to realise the dangers they can stumble into, and are making efforts to make themselves more secure. In the long run that means fewer easy targets and more demand for better protections, so eventually everyone will end up safer.
John Hawes is Chief of Operations at Virus Bulletin and sits on the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO).
This year has been a mixed bag. We won some battles on the privacy front with an increasing number of websites using HTTPS as a default.
It also appears we fatally wounded the GameOver/CryptoLocker infrastructures.
Like high-waisted “mom” jeans, macro viruses are back making us wary of opening Word documents again. Hipster beards and fixies seem to be going strong and so does ransomware. Now we have viral ransomware with hybrid action mechanisms. A little dose of the old sprinkled with some new flavour.
It appears as though we are also staring down the barrel of 64-bit malware which is giving us something new to worry about. Let’s not forget that (really) old code though! Something written 20 years ago by someone with a different kind of beard is now front page news with a catchy name, a website and a PR agent.
It certainly was a bad year for retail but a great teaching opportunity on how not to do security. So it seems awareness is increasing but we still have a long way to go before we can claim any kind of decisive victory, so let’s call 2014 a draw.
John Shier is a Senior Security Expert at Sophos, a popular presenter at security events and a hands-on technical guru for Sophos partners and customers.
The Snowden rash keeps itching, and the industry’s immune system is kicking in to make this a year where security took some performance-enhancing drugs.
Big tech is hosing itself down trying to rid itself of any whiff of government collusion, as in, perish the thought that we knew about backdoors allowing law enforcement to prance into our products. Or, as Google and Apple would put it, Encryption-R-Us. Good stuff for consumers, unless of course the US government succeeds in stabbing warrantless search to death once and for all.
Cyberbullying got a tiny bit better in some corners, such as Facebook apologising to the LGBT community over its real-name policy and promising to fix its cluelessness over the importance of pseudonyms in protecting people from harassment and violence.
But it was still damn hard to be a teacher. Or a kid. Or a female game developer. Or a victim of cyberbullying, bomb threats, stalking, Sony or Sony-like data doxing, or nude photo theft and publishing.
Let’s not pat ourselves on the back for a job well done just yet. There’s still an enormous amount of work to be done to make the internet a more safe place for all.
Lisa Vaas is a freelance technology writer and former executive editor of eWeek whose credits include CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and HP’s Input/Output.
The 2014 computer security glass is half-empty because…
We spent a lot of time in 2014 energetically repeating the worst blunders of 2013. Case in point: malware breaches on point of sale networks via the same holes we had last year, including contractors or vendors with pathetically insecure remote access to our own networks. “Those who cannot remember the past are condemned to repeat it,” so it’s time to stop living in the past!
The 2014 computer security glass is half-full because…
We’re ready to try out security procedures that we rejected last year. Case in point: two-factor authentication. Two or three years ago, lots of people were telling us that they weren’t willing to put up with inconvenience to help someone else do security better. Today, we’re hearing the same people saying, “Where is it? Bring it on!” It’s great that we’re no longer living in the past!
Paul Ducklin is Naked Security’s security-proselytiser-in-chief and winner of the inaugural ‘AusCERT Director’s Award for Individual Excellence in Computer Security’ in 2009.
2014 was the year that the data breach went mainstream. From JP Morgan to Home Depot, Victoria’s Secret to Sony, the news was filled with ever-increasing stories of doom, payment card theft and personal information exfiltration.
But you know what? There is a silver lining.
Security awareness is still in its infancy and mainstream news coverage may just prompt users and organisations to choose stronger passwords, review security policies and adopt a non-checkbox approach to security standards and regulations.
So while 2014 hasn’t been a great year for computer security, I do have some optimism for the new year ahead.
Lee Munson is a writer, social media manager and founder of the popular computer security website Security FAQs.
That’s enough fence-sitting from our writers, now tell us what you think!