Infosec predictions for 2015

What fun would it be to end 2014 without a bit of speculation?
Without any further ado, here are my predictions for 2015:

Prediction 1: More data centric security

In 2015, I expect to see more tokenization, more end-to-end encryption and better key management.
At SecTor this year,  vendors were pushing various technologies for securing your data in the cloud. Encrypted containers, Tokenization as as service, and key management as a service are now all commercially available for a monthly fee.

This indicates that the industry is moving in a very specific direction towards securing data closer to the source. In 2015, I’m expecting to see more of that, which is a good thing.


Prediction 2: A serious breach with serious, real world consequences

I predict a breach on an embedded system either in the automobile or healthcare space, which will unfortunately have  the real world consequence of somebody getting seriously hurt.

If you follow any of security researcher Chris Valasek’s work, you know that modern automobiles connect their infotainment / navigation systems to the same CAN BUS used to communicate between the vehicles motor functions.

In other words, your bluetooth iPod connection, the steering wheel, and your brakes are going through the same communications channel. Imagine stomping on the brakes of a vehicle that refuses to stop. It’s already been done in a research capacity – it’s only a matter of time before someone with malicious intent actually hurts somebody.

On another note, Martin Fisher of Southern Fried Security predicted an attack on an embedded healthcare system that would seriously hurt a patient or worse, kill them. Think internet connected heart pump, or remotely controlled medical drip bag stops working because someone crashed it remotely… Scary.


Prediction 3: Industry wide adoption of automation and agile practices

Manual processes are prone to error, and we in the IT industry are finally getting wise to that fact.

I’m seeing much more widespread adoption of configuration management automation tools within the enterprise. The creator of chocolatey has joined puppet – which is an awesome piece of news for anybody working with Windows in the enterprise – and Microsoft has come out several times this year to guarantee us that they are fully on-board with configuration management automation and quicker feedback cycles with updates the OS itself (not just security updates!) being released every Patch Tuesday.

This means that they’re using more agile development practices to develop Windows. And it also means that ironically, now Microsoft is now playing catch-up with Linux.


Prediction 4: More complex, large scale, breaches

Pretty self-explanatory. I don’t even have to go back to the beginning of the year, just look at what happened in the last 2 months of 2014 to get an idea of what to expect in 2015:

Sony Pictures: A massive data dump of unprecedented scale, released at multiple intervals with much fanfare and political reactions both in the US and internationally. If this hadn’t already happened, it would sound like science fiction! But here we are, and the internet is quick to bring down the gavel against whatever party it deems guilty – be that an individual or an organization.

In 2015, I expect (unfortunately) more large scale breaches of this nature, with plenty of private data getting released publicly.

Regin Malware: In November and December of 2014, copies of this sophisticated malware were spotted in the wild. More research and more investigation lead to uncovering that GCHQ (among others) have been involved in developing it as a targeted multi-purpose data collection tool.

It was compared to Stuxnet, and a leading security company even called it one of the most sophisticated pieces of malicious software it has ever seen. Although it was developed long before 2014, it only came to the light the last month.

Who knows what will come to light in 2015?

This will be my last post of 2014. Stay safe online and have a very happy new year everybody!