Press release – January 22, 2015
By Daniel Humphries, Software Advice
From the Target breach in late 2013 to the Sony hack this December, cybersecurity has been in the news repeatedly throughout the last 12 months. But how many of these stories were media hype, and how many were serious threats?
For this report, Software Advice selected six themes that received substantial media attention in 2014: the “Year of the Breach,” the Heartbleed bug, the death of antivirus, the rise of mobile malware, the threat employees pose to businesses and the recent upsurge in security spending. We then asked industry thought leaders and security professionals to decide which were “overrated” or “underrated,” and why.
This report will provide industry watchers and security professionals with insight into the effect of the biggest security issues of the past year, and shed light on what impact, if any, insiders feel increased spending on security solutions will have in 2015.
- Even after sustained media coverage, 56 percent of experts describe the overall “breachiness” in 2014 as “underrated.”
- Employees are the top concern of many security professionals, with 84 percent of respondents describing the threat they pose as “underrated.”
- The threat posed by mobile malware divides experts, with 50 percent describing it as “overrated” and 43 percent believing it to be “underrated.”
The ‘Year of the Breach’
The spate of data breaches at high-profile firms kept cybersecurity in the headlines throughout 2014. Target, Home Depot, eBay and Sony all suffered the consequences of successful cyberattacks, as did many other large businesses. As such, 2014 was duly christened the “Year of the Breach.”
But breaches are not a novel phenomenon. A quick Google search reveals that 2013 received the same nickname; similarly, IBM declared 2011 the “Year of the Data Breach.” Bearing this in mind, we asked our experts to gauge the “breachiness” of 2014: Was it “overrated,” or “underrated”?
Expert Perceptions of the ‘Year of the Breach’
Strikingly, a majority of our experts (56 percent) feel that, in spite of the constant media coverage, the “breachiness” of 2014 is “underrated.” When asked to explain why, they supply a variety of interesting responses.
John Dickson, principal at application security company Denim Group, sees the primary significance of these breaches in their consequences for the C-suite: an argument made by several of the experts we interviewed.
“In 2014, for the first time, we saw a Fortune 500 CEO lose his job at Target directly as a result of its data breach,” he says. “I see that as a watershed event, because many executives began to believe that data breaches are not just a CIO [chief information officer] or CISO [chief information security officer] problem.”
Jonathan Voris, assistant professor of computer science at the New York Institute of Technology, says that the frequency of the breaches in 2014 was exceptional. He cites a study by the Ponemon Institute, which found that the average business is the victim of two successful attacks per week.
“The inability of organizations to address these compromises before they impact large numbers of customers underscores serious issues regarding the security of embedded devices, such as point-of-sale systems,” Voris adds. “It is very difficult to detect when such devices have been compromised—and once a compromise has taken place, it is hard to recover from.”
According to Brian Foster, chief technical officer (CTO) at threat detection firm Damballa, the breaches we hear about are just “the tip of the iceberg.” He adds that “there are untold numbers of other breaches you never hear about because they don’t fall under notification requirements. As 2014 demonstrated, breaches are a common occurrence, and the challenges are likely to increase since the chances of cybercriminals getting caught are low.”
Jeff Lowder, director of global information security and privacy at mobile solutions firm OpenMarket, says the “Year of the Breach” is “underrated” because necessary lessons have not been learned.
“I predict that 90 percent of Fortune 2000 companies that fail to take this issue more seriously, and implement capabilities that further prevent these breaches in 2015, will lose out on key business partnerships and fracture consumer trust in their brand,” Lowder says.
Conversely, Barry Shteiman, director of security strategy at Imperva, chooses “overrated.” Shteiman suggests that the reason we heard about so many breaches in 2014 was largely due to two factors.
“Companies didn’t have to disclose this kind of information in the past due to loose regulations,” Shteiman explains. “[In addition,] technologies that were able to detect those breaches either didn’t exist, or were not top-of-mind or deployed in companies.”
Cryptzone CEO Kurt Mueffelmann says 2014 is “overrated” because the worst is yet to come.
“When we look back at 2014, in relation to what we predict will happen in 2015 and going forward, 2014 will look like just an average breach year,” Mueffelmann explains. “If a company like JPMorgan—which spends $250 million on cybersecurity annually—can be breached, we are sure to see less-secured targets affected.”
Scott Montgomery, vice president and CTO, public sector at McAfee, worries that the “exhaustive” amount of press coverage has made consumers “absolutely numb to the challenge of Internet security and privacy at this point.” As such, he says, people “are looking at cybercriminal activity as being the ‘price of doing business’ rather than something we should [constantly] try to defeat.”
Ryan Naraine, of Kaspersky Lab’s Global Research and Analysis Team, feels that 2014’s “breachiness” was “rated just right,” although he shares Montgomery’s concern about breach fatigue.
“Major data breaches have become quite ho-hum for people tracking security,” he says. “That said, it’s important to keep these stories on the front page to increase user awareness around identity fraud and the theft of sensitive data.”
The Heartbleed Bug
The Heartbleed bug (and its nifty logo) attracted massive media attention when news of the flaw broke in April 2014. A bug in the OpenSSL library’s implementation of the TLS heartbeat extension, it was widely reported to affect around two-thirds of the Web’s servers. Indeed, so alarmed was security guru Bruce Schneier that he declared the bug “catastrophic,” before adding that “on the scale of 1 to 10, this is an 11.”
In a Software Advice survey of responses to Heartbleed, however, we discovered that the crisis had passed much of America by: 67 percent of Internet users had not changed their passwords after three weeks of intense news coverage. Then the headlines faded away. So, was Heartbleed “overrated” or “underrated”?
Expert Perceptions of the Heartbleed ‘Catastrophe’
A majority of our experts felt the threat was “underrated.”
For instance, Dr. Engin Kirda, co-founder of breach detection and response firm Lastline, declares Heartbleed “the worst bug I’ve ever seen on the Web. It’s a really bad vulnerability that went undiscovered for so long and affected so many systems that it could have a security ripple effect for years. No one knows what damage was done, or continues to be done, as people don’t patch their servers. It’s possible that many security breaches—high-profile or otherwise—could have stemmed from this vulnerability, but we’ll never know.”
Rick Howard, chief security officer (CSO) at Palo Alto Networks, similarly describes Heartbleed as a “nightmare.” He explains, “The flaw existed in almost every public-facing Web server on the planet. In order to fix the issue, everybody on the Internet had to fix it at the same time.” Howard adds: “Not only did you have to patch your own assets, you had to make sure that all of your other Software as a Service partners patched their systems too. Then, in order to make sure that any credentials previously stolen could not be used in the future, everybody had to install new private keys. Finally, to make sure that adversaries could not use any stolen passwords, everybody on the planet had to change their passwords to those sites that they routinely visited.”
Kaspersky’s Ryan Naraine agrees with Schneier’s description of the bug as “catastrophic,” adding that its effect upon security professionals was particularly underrated “when you consider how much it has triggered a community distaste for unaudited software.”
However, Hushmail CTO Brian Smith says that while Heartbleed was “interesting and dramatic,” it was ultimately not always practical to exploit.
“The real significance of Heartbleed was that it made people get real about how many vulnerabilities—in software of all types—exist, and will probably always exist,” he says. “In particular, people have had to get real about the quality issues that open-source software has as much as proprietary software.”
Joe Stewart, director of malware research for the Dell SecureWorks Counter Threat Unit, splits the difference: “Heartbleed was neither ‘overrated’ nor ‘underrated.’ The flaw really was as bad as they said, but the industry reacted accordingly and mitigated the risk early. While it may never be completely obsolete, the threat from Heartbleed has been greatly reduced—precisely because of the attention it got.”
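The mechanism behind the bug the experts above are discussing, as an added illustration that is not part of the original report and is not OpenSSL’s code: a simplified TLS heartbeat handler written in the shape of the vulnerable one (the peer-supplied payload length is trusted, so bytes are copied from beyond the record that actually arrived) beside the checked version that discards such a request. The record layout follows RFC 6520; the 512-byte buffer standing in for process memory, the “SECRET-KEY” string placed after the request and the function names are all constructed for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed bug class (CVE-2014-0160), modelled on
 * the TLS heartbeat extension (RFC 6520). Simplified; not OpenSSL's code.
 * Record layout: type(1) | payload_length(2) | payload | padding(>=16). */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* The vulnerable shape: trust the peer-supplied payload_length and copy that
 * many bytes out of the record, even if far fewer bytes actually arrived. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* attacker-controlled */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    /* BUG: no check that `payload` bytes are actually present in rec;
     * whatever lies beyond the record in memory is copied into the reply. */
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* The fix: silently discard a request whose claimed payload plus the minimum
 * padding does not fit inside the bytes that were received. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;   /* discard */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Constructed scenario: an 8-byte heartbeat request claiming a 200-byte
 * payload sits at the front of a buffer, with a "secret" 100 bytes in,
 * standing in for adjacent process memory (a key, a cookie, a password). */
#define SECRET     "SECRET-KEY"
#define SECRET_OFF 100

static size_t build_scenario(uint8_t *mem, size_t mem_len)
{
    memset(mem, 'x', mem_len);
    const uint8_t req[] = { HB_REQUEST, 0x00, 200, 'h', 'e', 'l', 'l', 'o' };
    memcpy(mem, req, sizeof req);
    memcpy(mem + SECRET_OFF, SECRET, sizeof SECRET - 1);
    return sizeof req;   /* bytes that actually arrived on the wire */
}

/* Bytes of the secret that show up in the vulnerable handler's reply
 * (at the same offset, because the over-read is a straight copy). */
int leaked_secret_bytes(void)
{
    uint8_t mem[512], out[512];
    size_t rec_len = build_scenario(mem, sizeof mem);
    int n = heartbeat_vulnerable(mem, rec_len, out, sizeof out);
    if (n < SECRET_OFF + (int)(sizeof SECRET - 1)) return 0;
    int hits = 0;
    for (size_t i = 0; i < sizeof SECRET - 1; i++)
        hits += (out[SECRET_OFF + i] == (uint8_t)SECRET[i]);
    return hits;
}

/* The same request through the fixed handler: 0 means silently discarded. */
int fixed_handler_result(void)
{
    uint8_t mem[512], out[512];
    size_t rec_len = build_scenario(mem, sizeof mem);
    return heartbeat_fixed(mem, rec_len, out, sizeof out);
}

/* A well-formed request (5-byte payload plus 16 bytes of padding) still gets
 * its 24-byte reply from the fixed handler: the check breaks nothing legitimate. */
int fixed_handler_valid_reply_len(void)
{
    uint8_t req[3 + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 5, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    return heartbeat_fixed(req, sizeof req, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaked %d/%zu secret bytes\n",
           leaked_secret_bytes(), sizeof SECRET - 1);
    printf("fixed handler returned %d for the same request (0 = discarded)\n",
           fixed_handler_result());
    printf("fixed handler reply length for a valid request: %d\n",
           fixed_handler_valid_reply_len());
    return 0;
}
```

Compile with any C99 compiler (`cc heartbeat.c && ./a.out`). The one-line length check is the whole fix; everything Howard lists above (patching, reissuing private keys, rotating passwords) follows from the fact that the over-read returned whatever happened to sit next to the request in the server process, with no way to know afterwards what that was.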
The Employee Threat
We didn’t only want to investigate headline stories, however—as all security professionals know, many traditional threats are as big a problem today as they ever were—if not bigger.
So we asked whether, as Rome-based cybersecurity expert Luca Sambucci puts it, “Your company’s worst security vulnerability is still located between the keyboard and the chair.”
Expert Perceptions of the Threat Posed by Employees
The overwhelming majority of experts feel that the employee threat is “underrated.” Indeed, we received more detailed and passionate responses on this question than any other.
For instance, John Brenberg, manager of information security and compliance at 3M, says that this particular threat is growing.
Since network and data security measures have become more sophisticated and harder to penetrate, he explains, “malicious parties have turned from hacking networks to hacking people.” As an example of how easy it is to do this, Brenberg cites “visual hacking,” where a criminal could enter the office under the guise of a vendor or building worker and visually record an employee’s device screen during authentication.
“[This] could then be used to gain access to a company’s networks and databases,” he says. “Visual hacking is a stealth threat vector—virtually untraceable, which makes it all the more dangerous.”
Ed Amoroso, CSO at AT&T, also feels that the employee threat is “underrated,” as “the majority of data breaches are still caused by employees, whether through negligence, social engineering or carelessness.”
However, Amoroso is optimistic that training can reduce that risk. AT&T’s own employee security education initiative has resulted in a decline in employee-generated security incidents; clicks on links in phishing emails decreased 54 percent in 2014.
Amoroso attributes the success of the program to rejecting “scare tactics” in favor of transforming security training into entertaining lessons.
Boatner Blankenstein, senior director of solutions engineering at remote support solutions specialist Bomgar, is concerned that the predominant feeling about insider threats, whether accidental or intentional, is still that “it won’t happen to us”—which can have catastrophic consequences.
“Businesses should be focused on adding security layers, leveraging a combination of proven technology and best practices,” he says. “Securing the ‘interior’ is just as important as securing the ‘perimeter’ of corporate networks and systems.”
However, several experts argue forcefully that the insider threat is “overrated.”
“We have been horrible in this industry at victim-shaming,” says Robert Hansen, vice president of WhiteHat Labs. “It is software that allows the victim to get compromised. We need to build better software that has security defaults enabled, and stop blaming users for not understanding our advanced configuration options.”
Jack Daniel, strategist at Tenable Network Security, suggests that although the risk is real, “Many ‘insider threat’ rants overlook the fact that employees are just doing their jobs, which are rarely to be secure—they’re there to do something to advance the organization’s goals. If it is hard for them to do their job securely, they will do it insecurely.”
Tim Sedlack, senior product manager at ForgeRock, advocates an approach based on validating authorization and access.
“Identity and access management (IAM) is critical,” he says. “IAM allows organizations to more carefully vet users [who] are accessing enterprise networks by considering additional factors such as location, IP address and time of day.”
The Death of Antivirus
Like the threat posed by employees, the “death of antivirus” is a classic theme in cybersecurity conversations. However, it went mainstream in May when Symantec’s senior vice president Brian Dye told the Wall Street Journal that antivirus “is dead.”
Then, a month later, well-known antivirus purveyor (and Symantec competitor) Eugene Kaspersky argued that “rumors of its death are greatly exaggerated.” So we asked our experts where they stand on the issue.
Expert Perceptions of the ‘Death of Antivirus’
Here, a clear majority opt for “overrated.”
“Certainly, antivirus isn’t going to be the tool in your arsenal that thwarts a determined adversary or the malware he targets specifically at your organization,” says McAfee’s Scott Montgomery.
“But that’s why toolboxes come with a variety of tools. You can’t turn screws with a stud finder, but why would you try? You use the specialized tools for the use cases where they’re called for. Antivirus is still the most cost-effective method of reducing the signal-to-noise ratio of attackers against your organization.”
Dell SecureWorks’ Joe Stewart agrees: “When people say ‘antivirus is dead,’ what they really mean is, the idea that antivirus can protect you from new and undiscovered threats is dead. Antivirus still protects you from millions of other previously discovered threats, so it continues to serve a purpose—even if that purpose no longer matches the marketing.”
Mike Weber, vice president of the governance, risk and compliance firm Coalfire Labs, says that Dye was misinterpreted, and that antivirus’ death was “grossly overrated, due to the headline-making quote. The phrase was intended to convey that signature-based antivirus alone is no longer sufficient. That’s been the case for years now.”
Rome-based cybersecurity expert Luca Sambucci agrees that definitions are important.
“The term ‘antivirus’ is obsolete, but vendors still use it because it’s easier for users,” he says. “In truth, antivirus programs are now full-fledged security tools that perform intrusion prevention, behavior-blocking, Web sanitization [and] spam/phishing alerts.”
However, Morey Haber, senior director of program management at BeyondTrust, says the so-called death of antivirus is “underrated.”
“Traditional signature-based antivirus is not sustainable for the future, with the exponential need for new signatures and heuristics to determine all the variations of malware,” says Haber, who agrees that newer technologies such as sandboxing, application control and least privilege can be used to complement antivirus.
He points out, though, that some alternatives run afoul of compliance standards: “Regulations [such as] PCI do not accept other technologies, like whitelisting application control, as a replacement for antivirus. So the clock is ticking for what we know of antivirus today, and there is no substitute—yet.”
“The efficacy of antivirus can be as low as 50 percent,” says WhiteHat Labs’ Robert Hansen. “But it’s not just the efficacy that’s the issue—it’s also the opportunity cost. How much better could your dollars be spent elsewhere to protect your company? Yes, you should use antivirus, because it might help a little. But don’t spend money on it; use the free versions.”
The Rise of Mobile Malware
Like Godzilla emerging from the depths to breathe atomic fire on our smartphones, the purported rise of mobile malware also received a lot of coverage in 2014. So was this the year when mobile malware made its breakthrough, or was it simply the year when a lot of people wrote about it?
Expert Perceptions of the Rise of Mobile Malware
Here our results are close, although more choose “overrated” than “underrated.”
In fact, Rick Doten, security consultant and mobile security expert, casts doubt on the very existence of mobile malware.
“There really isn’t [such] a thing as mobile malware—it’s technically malicious mobile apps, or re-packaged legitimate apps that do bad things,” he notes. Doten adds that the risk is not significant if users get their apps from Apple or Google stores directly, noting that “almost all of the malicious apps come from third-party app stores.”
BeyondTrust’s Morey Haber shares Doten’s skepticism, saying that, “In reality, there haven’t yet been any widespread infections, vulnerabilities or exploits that owned large quantities of devices. Will it happen? Possibly. Staying up-to-date with security patches and maintenance is key.”
Concerns about the future lead Chris Silveira, manager of fraud intelligence at Guardian Analytics, to opt for “underrated.” According to Silveira, it’s a question of return on investment.
“As the value of the information stored in mobile devices increases and the types of transactions done on mobile devices become more valuable, compromising the device will become an increasingly high return on investment effort for criminals,” he says. “We have not seen much mobile fraud…yet. We have not seen mobile bots in force. They will come.”
Meanwhile, Kaspersky’s Ryan Naraine suggests that the threat is already on the rise: “In Q3 2014, Kaspersky Lab mobile security products detected 74,489 new malicious mobile programs—14.4 percent more than in the second quarter. These are mostly risk-ware applications, SMS Trojans, adware and spyware tools,” he says. The mobile ecosystem, Naraine adds, is “very vulnerable.”
The Increase in Cybersecurity Spending
Given the amount of attention lavished upon cybersecurity in 2014, it is perhaps no surprise that Gartner reports global spending on IT security reached $71.1 billion in 2014—a 7.9 percent increase over 2013. And Gartner expects the trend to continue, projecting that spending will reach $76.9 billion in 2015.
However, Target and J.P. Morgan Chase & Co. both spent a lot of money on security and still suffered high-profile breaches, while at the very end of the year, the deep-pocketed Sony Pictures experienced a catastrophic and humiliating hack. It thus seems natural to ask: Is spending more money as a solution to the cybersecurity problem “overrated” or “underrated”?
Expert Perceptions of the Efficacy of Increased Security Spending
Here, “overrated” wins more votes than “underrated”—and at times, the skepticism about increased investment is withering.
Jeff Williams, CTO of application security consultancy Aspect, describes the spending boost as simply a “cost of living” increase, adding that “Organizations spend 98.3 percent of their security spending on perimeter protection and antivirus that doesn’t work. Why would anyone think a tiny increase in spending on the wrong stuff would make a difference?”
Palo Alto’s Rick Howard also feels that the spending increase is “overrated.” He suggests that the upsurge was not a result of individual organizations spending more on security, but rather, that “More organizations that have not traditionally spent significant portions of their IT budget on security are starting to do so.”
Also skeptical was Jared Schemanski, SIEM specialist at managed security firm Nuspire Networks, who says that spending often means little more than “someone writing a check and saying, ‘We are good now, because we have done X.’”
What organizations need to do, Schemanski says, is to hire professionals to evaluate their business needs, their vulnerabilities and how to address them. A security strategy that is properly planned and implemented is an ongoing process—but one that will save the business both time and money in the long run.
Some experts defend the increased spend. Kevin Epstein, vice president of advanced security and governance at Proofpoint, feels that the increased investment is “underrated.” He suggests that the increase in expenditure is positive, because it indicates the C-suite is now paying more attention to security.
“It’s not just the spend, it’s the board-level involvement in that spend,” says Epstein.
Security expert and Forbes contributor Joseph Steinberg also chooses “underrated,” but stresses that, “As a society, we need to spend far more than we presently are if we want to truly be safe. I have personally experienced situations in which firms took low bids from vendors—bids that, to put it quite bluntly, are too low to achieve proper levels of security.”
And so, after a dramatic year, very few—if any—of our experts anticipate that 2015 will see a decline in attacks, breaches, hacks or discoveries of security vulnerabilities. In 2014, cybercriminals demonstrated again and again that they can break into enormous, well-funded corporations and cause serious financial losses—and even ruin the careers of CEOs.
However, we are not helpless in the face of criminals. As (most of) our experts agreed, traditional tools such as antivirus still have a role to play in defending a system against attacks. Meanwhile, effective training, enforcing best practices, hiring good staff and skillfully deploying advanced threat detection tools and IAM solutions can also help businesses operate more securely.
The year ahead may well be stormy, so it is more necessary than ever to take business defense seriously—and be prepared.
To find the data and views in this report, we conducted online and telephone surveys of 57 cybersecurity executives and professionals in November and December 2014.
Sources attributed and products referenced in this article may or may not represent partner vendors of Software Advice, but vendor status is never used as a basis for selection. Interview sources are chosen for their expertise on the subject matter, and software choices are selected based on popularity and relevance.
Expert commentary solely represents the views of the individual. Chart values are rounded to the nearest whole number.