By: Jeff Hurmuses, Vice President and Managing Director, Asia Pacific Barracuda Networks
2014 witnessed a number of high-profile threats, with bugs such as Heartbleed, Shellshock, and Cryptolocker causing quite a few alarms and disruptions to many Developers, System Administrators and online security experts around the world. The Shellshock bug in particular was so fluid and complicated that experts estimated it to potentially affect half of the websites on the internet.
As we move into 2015, it remains important to remain vigilant and prepared in lieu of impending threats and security risks. In our 2014 predictions that we made one year ago, we made the following predictions:
- Growth of network virtualization
- Security virtualization in the public cloud
- Online file sharing being embraced by corporate IT
- Growth in data and availability demands make cloud storage more appealing
- SMB next- generation firewall becomes cloud-connected
- End user and mobile app usage continues
- Cloud for offsiting, mobility and elasticity
For Barracuda’s security outlook predictions for the year ahead, we do expect the trends we predicted in 2014 to continue into 2015 with the growth of online file sharing and a growing reliance on cloud storage expected to continue making headways. Here are four additional security trends that we foresee developing in the year ahead:
Attack surfaces will change.
As companies move from physical to virtual to public cloud to SaaS, their attack surfaces change accordingly. An infrastructure upgrade may add multiple attack surfaces, all of which have to be secured. For example, companies that migrate from an on-site Microsoft Exchange Server to Office 365 have added a new attack surface across multiple threat vectors, including email and web application threat vectors.
We will continue to see threats across all vectors, with an increase in attacks related to mobile access and web applications.
Threat vectors also include email, remote access, web-browsing and network perimeters (which includes public and private clouds). Mobile internet is particularly vulnerable to phishing and social engineering attacks as mobile devices are constantly moving between secure corporate networks and unsecure home or public wifi.
There will be a continued rise in web application attacks and DDoS incidents.
The web application vector is the attack surface that is currently the least understood by most IT administrators and is generally the most exposed. Many companies attempt to secure this threat vector with the wrong technology, like a network firewall, which can protect Layer 4 protocols and even do deep packet inspection. However, truly protecting web application layer attacks generally requires terminating the HTTP or HTTPS protocols and often rewriting traffic to identify and mitigate threats. Just as a network firewall is not designed to stop spam, it is also not designed to stop web application attacks. This type of misunderstanding leaves the threat vector exposed to attack, and gives the administrator a false sense of security.
Any increases in IT security budgets will be insufficient for “business as usual.”
Administrators will continue to be required to do more work with fewer resources, and attempts to either “go without” protections along key threat vectors or to manage a patchwork of disparate security systems will leave their organizations at risk.