Looking back on information security in 2014

Dec 16, 2014
Author:
Dave Shackleford
Cybersecurity Expert and Founder of Voodoo Security

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar.

2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced to reckon with staggering numbers of legacy platforms and code, primarily open source libraries that are embedded in just about every system and product we have. Heartbleed was the start of all this, but we saw one of the first really trivial remote code execution flaws in recent memory with Shellshock…all due to open source issues. Add in POODLE and other SSL/TLS flaws, and you’ve got a real mess on your hands. 2014 also saw an enormous number of breaches, from Home Depot in retail to eBay online, and finally the unbelievable Sony attacks happening right here in December. Things could hardly get worse…or could they? The attackers are getting smarter, and malware is definitely getting more sophisticated.

Speaking of malware, 2014 really introduced us to the next generation of “ransomware,” namely in the form of CryptoLocker and CryptoWall. Many enterprise computing users fell prey to this type of malware, with files and operating system directories getting encrypted and/or deleted against their will unless a ransom was paid to the attackers. One company, Code Spaces, even went out of business from failing to pay an attacker that had compromised their infrastructure in Amazon Web Services. Obviously, the attackers are getting serious about getting paid, and organizations everywhere are having to come to grips with the reality that users and systems are at risk from willful and destructive actions should the attackers’ demands not be met.

One of the biggest stories in 2014 was “the Fappening”, or the leak of nude celebrity photos from iCloud accounts. While the leak of sensitive and private data was interesting in its own right, the bigger issue was really that of security controls (or the lack thereof) in cloud storage and other services. Why did Apple have such weak password and monitoring controls in place? Will it take major breaches to get anything built the right way or fixed in a timely manner?

Microsoft caused a lot of consternation in 2014 by terminating support for Windows XP. Everyone knew it was coming, but it still hurt! Many legacy systems still require Windows XP, and it’s embedded in kiosk and POS technology, too. Along with the loss of Windows XP, we also lost TrueCrypt, one of the most popular and well-known Windows encryption tools.

Is antivirus dead? According to an interview in the Wall Street Journal with a Symantec executive, it is indeed. While we’ve been joking about this for years, hearing it from an AV exec certainly gave us reason to think about host-based security tools overall this year.

2014 wasn’t a complete bust - we foiled some botnets, indicted some nation state actors over criminal hacking activities, and finally figured out that yes, our connected refrigerators are in fact trying to kill us. OK, just kidding about the last one - but the Internet of Things (also called IoT) became a hot topic this year, and that won’t likely change.

Watch the On-Demand webinar below:

Hacks, Breaches, and Vulns, Oh My! Reviewing this Year’s Top Security Events and Planning for 2015 from BeyondTrust on Vimeo.
