Practical safety: trends and forecasts 2015

As readers of this blog could notice, last year our research center significantly expanded the scope of its interests. We talked about the vulnerabilities of mass web applications and the possibility of breaking into ATMs, about attacks on complex industrial control systems and small personal gadgets. But 2014 has ended, it's time to take stock: mark the key trends in the field of information threats and protection against them, as well as present their forecasts for the development of these trends in the new year.
THREATS-2015
(1) Unsafe open source. One of the big troubles of last year is the vulnerabilities of widespread open source libraries and systems ( Shellshock , HeartBleed ). The popularity of “open source is more reliable” than proprietary codes played a significant role in the popularity of these programs. And since the vulnerabilities mentioned concern the basic components of many systems, this year they will make themselves felt. However, this does not mean that there are more reasons to trust "closed codes" - you need to check both of them. In particular, the replacement of open BIOS with Intel's EFI may already this year lead to the appearance of the first EFI Trojans and bootkits.
(2) Mobile - a find for a spy.Last year, we finally made sure that it is not necessary to be a special service with a huge budget to wiretap or track mobile subscribers. Mobile communications contain many vulnerabilities at all levels, from the old protocol of the SS7 signaling network to the most modern 4G modems . Simple equipment for a variety of attacks is already available to the general public, so the number of scandals with insecure mobile communications in 2015 will increase markedly.
(3) Too public terminals. The fashion of recent years is payment and information terminals, which allow you to automatically collect money and personal data from citizens in various strange places, from bike rental to the clinic. As our tests showed, in most of these terminals you can exit the “kiosk” mode into the operating system and do anything there - from stealing money to building botnets. Similar problems with ATMs: the abundance of vulnerabilities in operating systems allows you to install any devices and programs into the ATM . As a result, this year there will be more cases of automatic withdrawal of money in strange places, and the black market for personal data will continue to grow by leaps and bounds.
( 4) The Internet of Contagious Things. Usually the horror stories of the “Internet of things” are presented as follows: the evil hacker remotely connects to home robots, electric stoves and water taps. Yes, we also have such forecasts. But this, frankly, is not about Russia 2015. In the coming year, attacks in the opposite direction will become a more serious threat. That is, outgoing from a variety of new-fangled gadgets that we connect to our “base” computers via USB, Wi-Fi, Bluetooth or NFC in order to transfer some information or simply charge it. What looked like solitary oddities last year - a contagious iron, an electronic cigarette with a virus, espionage through a fitness bracelet - will happen this year much more often.
(5) ACS TP in cold water. Over the past two years of working with SCADA systems, Positive Technologies has detected more than 200 zero-day vulnerabilities in them, including vulnerabilities in the popular control systems Siemens , Honeywell ,Schneider Electric , Emerson , Yokogawa and other companies. Trends in this area are the topic of a separate article, but here we note only the most significant. Firstly, the number of industrial control systems that can be accessed via the Internet has grown significantly, and the owners do not realize how well their resources are “visible from the outside”. Our research shows the capabilities of ICS attacks through Kiosk mode and cloud services, through sensors and physical ports, through industrial Wi-Fi and other types of access, which are often not considered to be threats at all.
Secondly, the gap between the speed of detection and the speed of eliminating vulnerabilities is growing. Many bugs in ICS are not eliminated for years; but, as shown by the critical infrastructure attackk on the PHDays IV forum, you can find several serious vulnerabilities in a modern SCADA platform in just a couple of days. As for Russia in particular, we would recommend paying special attention to the safety of the oil and gas industry and the space industry.
(6) Deep drilling. Even unprofessional hackers can now carry out serious attacks due to the availability of automated tools that, once created, are used repeatedly in different areas. In particular, a noticeable nuisance of the coming year may be multi-stage “nested dolls” attacks, consisting in sequentially capturing connected and embedded systems, various kinds of “computers in a computer” - such as in a combination of “ SIM card, modem, laptop ”.
Another doll-friendly option in which antiviruses are helpless: this year we can hear (publicly) about attacks on shutdown computers via Intel AMT, HP iLo and other built-in management technologies that work even when the main processor is “sleeping”.
(7) Cyber war, now officially. Accusations of involvement of the authorities of certain countries in cyber attacks have been voiced before. But it seems that in 2014, these charges acquired a loud official status. On the one hand, US authorities blamed China and North Korea directly (and threatened immediately). On the other hand, Symantec experts have just as straightforwardly accused a “major Western power” of creating a Regin spy trojan. In 2015, the continuation of the military scenario can be expected: retaliation by official cyber troops, exchange of cyber military prisoners, and so on. A wider audience may be faced with cases of Internet blockade, including options “on their part” (exercises or other preventive measures).
PROTECTION 2015
(1) Iron Mobile. Despite all the revelations of total surveillance by the NSA , mobile operators did not respond to these horror stories. This year, they will just as calmly do their business, competing in who will give users cheaper (and not at all safe) mobile communications. But you can expect interesting movements on the other hand: the development of the market of “blackphones”, “cryptophones” and other personal protective equipment for mobile communications.
(2) Proactive application security.Classic signature protection methods do not hold back modern attacks, so solutions that eliminate vulnerabilities before the attack will be more actively implemented. These include Secure Development Automation (SSDL), a combination of various code analysis methods, automation of vulnerability checks by generating exploits, and closing gaps before fixing the code using virtual patch. You can read more about this forecast in our presentation for Gartner .
(3) Bourne identification.Since last year there were many scandalous leaks of personal and other confidential data from Internet services, now they will be eagerly protected. In particular, through alternative forms of identification, such as USB tokens and other inventions of the FIDO alliance. It is worth noting that at the latest hacker conferences (such as 31C3) they are happy to show hacking biometrics (fingerprints, etc.), although some believed that this would be the “next level” of identification systems. So it’s more likely that things will move towards multifactor identification. Remember how in the pioneer camp or in the student dormitory the person who received the letter was forced to sing and dance?
(4) Exchange of minds.As noted in the Threats section, one of the trends of recent years has been the rapid dissemination of information about vulnerabilities, as well as exploits and other hacker tools. It is logical that among the information security experts the idea of a symmetrical response has long been developing: instead of enclosing, it is worthwhile to establish an exchange of information about threats (Threat Intelligence). It would be nice if every found 0-day immediately scattered in the form of a virtual patch across many firewalls. Over the past year, a number of frameworks for such an exchange have appeared - from independent ( Mantis ) to completely branded ( Facebook ThreatData ). And some even visualized their threat intel on a world map ( KSN) True, it is still difficult to say that the exchange of such data has already earned seriously. Similar doubts are caused by the service-cloud security model, which offers to give their traffic to the mysterious uncles from the outside. It seems like it should be cheaper, but sharing your data with outsiders is scary. But it is possible that in this crisis year, “cheaper” will be a significant argument for many.
(5) Integration, synergy and confusion . Vulnerability Assessment systems expand their functionality by acquiring features of other classes, such as SIEM, APT Protection or Remediation Management. Similar integration will occur.and with other security systems, since collaboration gives obvious advantages. For example, if a firewall works with code analysis tools, it can automatically verify suspected vulnerabilities. And the use of antiviruses allows the screen to record not only single attacks, but also their development - for example, the spread of malware. However, such integrated solutions will have their minus: it will become difficult to evaluate and compare them within the framework of any one class of products. This will complicate the problem of choice for the client ... therefore, the entire modern classification of information security solutions will require a radical review.
(6) Demand for specialists.Just not the fact that we are talking about "security experts" in the classical sense. After all, significant work will be done by automated security systems. At the output they will give 100500 alerts, logs, tables and diagrams. Someone will have to understand these streams of inhuman messages. In other words,
(7) Tighter legislation and “roadside checks”.The press will make a lot of noise about the laws on personal data and, in general, the "tightening of the screws" of the public Internet. Although from a professional point of view, more significant changes can occur in the sphere of safety standards of industrial control systems and other critical systems - especially in the light of new sanctions and the policy of import substitution. It is clear that many things (for example, foreign “iron”) cannot be replaced immediately. However, an increase in distrust of foreign solutions will lead to an additional level of control when “import” security is cross-checked by domestic systems.
PS If suddenly we forgot something, you can continue this list of IB forecasts in the comments.