Practical security: trends and forecasts for 2015


As regular readers of this blog may have noticed, our research center has significantly expanded the scope of its interests over the past year. We have written about vulnerabilities in mass-market web applications and about ways of hacking ATMs, about attacks on complex industrial control systems and on small personal gadgets. But 2014 is over, and it is time to take stock: to note the key trends in information security threats and in protection against them, and to present our forecasts for how these trends will develop in the new year.



THREATS 2015



(1) Insecure open source. One of the big problems of last year was vulnerabilities in widely used open source libraries and systems (Shellshock, Heartbleed). The popularity of these programs owed much to the idea that "open source is more reliable" than proprietary code. And since the vulnerabilities mentioned affect basic components of many systems, they will continue to make themselves felt this year. However, this does not mean there is more reason to trust "closed code": both need to be checked. In particular, the replacement of the open BIOS with Intel EFI may already this year lead to the appearance of the first EFI Trojans and bootkits.


(2) A mobile phone is a gift to the spy. Last year we finally made sure that intercepting or tracking mobile subscribers does not require being an intelligence service with a huge budget. Mobile communications contain many vulnerabilities at all levels, from the old SS7 signaling network protocol to the most modern 4G modems. Simple techniques for a variety of attacks are already publicly available, so the number of scandals involving insecure mobile communications will grow significantly in 2015.



(3) Too public terminals. The fashion of recent years is payment and information terminals that automatically take money and personal data from citizens in all sorts of odd places, from bicycle rental to the clinic. As our tests have shown, in most of these terminals it is possible to exit "kiosk" mode into the operating system and do anything there, from stealing money to building botnets. ATMs have similar problems: the abundance of vulnerabilities in their operating systems makes it possible to install any devices and programs in an ATM. As a result, there will be more cases of automatic withdrawal of money in strange places this year, and the black market in personal data will continue to grow by leaps and bounds.



(4) Internet of contagious things. Usually the horror stories about the "Internet of Things" go like this: a malicious hacker remotely connects to home robots, induction hobs and water taps. Yes, we have such forecasts too. But frankly, that is not the story of Russia in 2015. In the coming year, attacks in the opposite direction will become the more serious threat: attacks that originate from the variety of new-fangled gadgets that we connect to our "basic" computers via USB, Wi-Fi, Bluetooth or NFC, to transfer some data or simply to charge. What looked like isolated oddities last year (a virus-infected iron, an electronic cigarette carrying malware, spying through a fitness bracelet) will happen far more often this year.



(5) Industrial control systems in cold water. Over the past two years of work with SCADA systems, Positive Technologies has discovered more than 200 zero-day vulnerabilities, including vulnerabilities in popular control systems from Siemens, Honeywell, Schneider Electric, Emerson, Yokogawa and other vendors. Trends in this area are a topic for a separate article; here we note only the most significant. Firstly, the number of industrial control systems accessible from the Internet has grown greatly, and their owners do not realize how "visible from the outside" their resources are. Our studies have demonstrated attacks on industrial control systems via kiosk mode and cloud services, via sensors and physical ports, via industrial Wi-Fi and other types of access that are often not considered threats at all.



Secondly, the gap between the speed of finding vulnerabilities and the speed of fixing them is growing. Many bugs in industrial control systems have not been fixed for years; yet, as the Critical Infrastructure Attack competition at the PHDays IV forum showed, several serious vulnerabilities can be found in a modern SCADA platform in just a couple of days. As for Russia specifically, we would recommend paying particular attention to the security of the oil and gas industry and the space industry.



(6) Deep drilling. Even non-professional hackers can now carry out serious attacks thanks to the availability of automated tools that, once created, are reused many times in different areas. In particular, multistage "matryoshka" attacks, consisting of the successive capture of connected and embedded systems, the various "computers inside a computer" such as the "SIM card, modem, laptop" combination, may become a noticeable nuisance in the coming year.



Another matryoshka variant against which antiviruses are helpless: this year we may hear (publicly) about attacks on powered-off computers via Intel AMT, HP iLO and other embedded management technologies that work even when the main processor is "asleep".



(7) Cyber war, now officially. Accusations that the authorities of particular countries are involved in cyber attacks have been heard before. But in 2014 these accusations seem to have acquired high official status. On the one hand, the US authorities directly accused China and North Korea (and immediately issued threats). On the other hand, Symantec experts just as plainly blamed a "major Western power" for creating the Regin spy trojan. In 2015 we can expect the military scenario to continue: retaliatory strikes by official cyber troops, exchanges of cyber prisoners of war and so on. And the wider public may face cases of Internet blockades, including those imposed "from their own side" (exercises or other preventive measures).



PROTECTION 2015



(1) Iron mobile. Despite all the revelations of the NSA's total surveillance, mobile operators have not responded to these horror stories. This year they will just as calmly go about their business, competing over who can give users cheaper (and not at all secure) mobile communications. But interesting movement can be expected from the other side: the development of a market in "blackphones", "cryptophones" and other means of personal protection for mobile communications.



(2) Proactive application protection. Classical signature-based protection methods do not stop modern attacks, so solutions that eliminate vulnerabilities before an attack will be adopted more actively. These include automation of secure development (SSDL), combinations of various code analysis methods, automated vulnerability testing by generating exploits, and closing gaps before the code is fixed using virtual patching. More details on this forecast can be found in our presentation for Gartner.



(3) Born identification. Since last year saw many scandalous leaks of personal and other confidential data from Internet services, such data will now be zealously protected, in particular through alternative forms of identification such as USB tokens and other inventions of the FIDO alliance. It is worth noting that at recent hacker conferences (such as 31C3) speakers have happily demonstrated the hacking of biometrics (fingerprints and so on), although some believed this would be the "next level" of identification systems. So the movement will more likely be towards multi-factor identification. Remember how in a Pioneer camp or a student hostel the person who received a letter was made to sing and dance for it?



(4) Exchange of minds. As noted in the Threats section, one of the trends of recent years has been the rapid dissemination of information about vulnerabilities, as well as exploits and other hacking tools. It is quite logical that the idea of a symmetrical response has long been developing among information security specialists: instead of fencing oneself off, it is worth establishing an exchange of information about threats (Threat Intelligence). It would be nice if each 0-day found immediately flew out as a virtual patch to a multitude of firewalls. Over the past year a whole range of frameworks for such exchange has appeared, from independent (Mantis) to completely branded (Facebook ThreatData). Some have even visualized their threat intel on a world map (KSN). However, it is hard to say that such data exchange is already working seriously. Similar doubts are raised by the cloud security-as-a-service model, which offers to send your traffic for checking to mysterious strangers on the outside. It seems it should be cheaper, but sharing your data with outsiders is frightening. Still, it is possible that in this crisis year "cheaper" will be the decisive argument for many.



(5) Integration, synergy and confusion. Vulnerability assessment systems are expanding their functionality by acquiring features of other product classes, such as SIEM, APT protection or remediation management. Similar integration will take place with other security systems, since working together gives obvious advantages. For example, if a firewall works with code analysis tools, it can automatically verify suspected vulnerabilities. And the use of antiviruses allows the firewall to capture not only single attacks but also their development, say, the spread of a malicious program. However, such integrated solutions will have a disadvantage: they will become difficult to evaluate and compare within a single product class. This will complicate the customer's problem of choice... so the whole modern classification of information security solutions will require a radical revision.



(6) Demand for specialists. Although it is not a given that we are talking about "security experts" in the classic sense. After all, significant work will be done by automated security systems. At their output they will produce 100,500 alerts, logs, tables and diagrams. Someone will have to make sense of these streams of inhuman messages. In other words, shamans who are experts at reading Big Data in the entrails of animals will be very much needed. By the way, according to one of our studies, in large Russian companies management trusts its own information security specialists more than international security standards. That is further proof that shamans will be in demand.



(7) Stricter legislation and "road tests". The press will make a lot of noise about the personal data laws and, in general, about "tightening the screws" on the public Internet. Although from a professional point of view, more significant changes may occur in the area of security standards for industrial control systems and other critical systems, especially in light of the new sanctions and the course towards import substitution. It is clear that many things (for example, foreign "iron", that is, hardware) cannot be replaced at once. However, the growing distrust of foreign solutions will lead to an additional level of control, when "imported" security is checked by domestic systems.



P.S. If we have forgotten something, you can continue this list of predictions in the comments.

Source: https://habr.com/ru/post/247625/