A few security considerations for 2014

Fred Kost, vice president, security solutions marketing, Ixia

Again, it's the time for the annual “doom and gloom” security outlook for the coming year. Understandable, when after a busy season of attacks it seems likely that next year will only bring worse. It is certain there will be vicious attacks that steal data, cause disruption, and garner headline coverage in 2014 – but the outlook isn't all bad. If you take a look at a few of the current technology trends, there are bright spots that demonstrate how to better prepare for security in 2014.

Encryption goes mainstream

Next year will be the year that encryption really goes mainstream. Encryption technology has existed for hundreds of years, but 2013 saw its use blossom. Encryption advancements and greater use were spurred by things like cloud adoption, revelations about the National Security Administration (NSA), and well-publicized data breaches. Search providers started the trend by using SSL for searches – and now they, along with email providers and applications, are all moving to use SSL. Why? It's a simple way to protect data from those who might be trying to see or steal that data.

This increased use of encryption may make users and organizations feel safer or better protected, but what about the effect on the network and applications? The data has to be encrypted and decrypted at the endpoints, and then has to traverse gateways and proxies. If an organization has policies for inspection and logging, traffic needs to be inspected to enforce those policies or monitored for improper data leakage. An organization must also inspect encrypted traffic to make sure it isn't carrying hidden attacks. This broader use of SSL encryption makes testing key in ensuring high application performance. Testing also validates your networks against malicious attacks, as hackers may try to take advantage of the increased use of encryption.

Going beyond the username and password

2014 will be the year we see more pervasive use of access control going beyond just the username and password. These have been around forever (although not as long as encryption and ciphers), and it is clear they are showing signs of fatigue and vulnerability. Humans always have trouble creating usable (read: memorable) yet secure passwords. With the number of passwords they must manage, password hygiene continues to deteriorate. Rainbow tables for cracking passwords, the use of the same password across many sites and applications, and weak encryption for stolen passwords are driving the need for additional authentication factors.

Today, two-factor authentication is being used for some applications – requiring an additional input that only the user knows, or employing a “token” of some kind. But unlike hardware tokens, which are not integrated into our everyday lives and are easy to misplace, the smartphone is ubiquitous and a great way to provide two-factor authentication. The authentication can be an automated text message or phone call, or even an application or a virtual token that resides on the device.

Using smartphones for two-factor authentication, however, can have side effects. Attackers may shift more energy to mobile malware or attacking mobile devices. Up until now, attacking mobile devices may have been harder than attacking a personal computer, but that is changing.

Taking BYOD to the next level

In 2014, bring-your-own-device (BYOD) will push organizations to adopt a major IT policy shift. Mobile devices have been rolling into the enterprises for years, fueled by the consumerization of IT – the latest devices show up at home first, then to the office. To ease this shift, some organizations have deployed mobile device management (MDM), some have deployed overlay technologies to do encryption and data protection, and some have deployed web security in the cloud to protect users and devices from the internet. Some have just said “no.”

Many organizations have started developing policies on what devices will have access, what they can access, and what kind of network connection they can establish. Organizations must embrace some level of BYOD in 2014, and for most it will mean allowing a diverse set of devices onto the network. The good business reasons for this include shifting the device cost to users, allowing access to business critical applications to get work done more productively, and improving employee morale and retention. But the BYOD shift puts two challenges on an organization: defining a BYOD policy for some level of control, and making sure that applications can be delivered reliably over both wired and wireless networks.

If the three trends are not enough to keep you busy in 2014, rest assured that attackers will continue to develop clever malware techniques that target the increasing use of new IT technologies (new devices, cloud, social media, web applications). Information security just works that way, whether you call it a game of cat-and-mouse or measure-countermeasure.
