A Q&A gathering experts’ thoughts on the threats they considered important in 2014 and envision imperiling us in 2015.  

As we profiled our selection of luminaries for 2014, we asked a few pressing questions about what threats they struggled with in 2014 and what threats might prove daunting in 2015. Their answers might surprise you.

Jack Daniel, strategist, Tenable Network Security

What was the biggest security concern or threat this year?

I know I’m supposed to say “APT,” data breaches or one of the big vulnerabilities with a lot of media attention, but those are merely symptoms of the real threats. The biggest class of threats were complacency and distraction, as they have been for years, and will be for years to come. We all tend to ignore threats once we understand them, and get distracted by the latest security horror story- how else can you explain widespread buzz and panic over this year’s big news stories while we still haven’t significantly addressed authentication and other fundamentals? In recent research I’ve taken another look at things like the Ware Report [Willis H. Ware, a pioneer in the fields of computing security and privacy authored a 1970 whitepaper for the Rand Corporation, “Security Controls for Computer Systems”] and [Robert] Abbott’s RISOS work [(Research in Secured Operating Systems) Project, a DARPA-funded effort to define the meaning and boundaries of IT security]. It is clear that we have been able to define our challenges very well for several decades. Our ability to meaningfully address them, however, remains problematic.

What will be the biggest threat or concern of 2015?

Besides the perennials of complacency and distraction, I fear that breach fatigue will continue to grow and infect key decision makers. There will be new buzzwords, new vulnerabilities, and certainly new data breaches – but the big problem may turn out to be increased fatalism about our ability to defend ourselves with a resultant reduction in resources allocated to secure our environments. The good news is that calm, thorough, and rational analysis of the next big thing can drive rational reactions to the news and allow us to combat fatigue with facts.

Andrew Komarov, CEO, IntelCrawler

What was the biggest security concern or threat this year?

Point-of-sales infections have been a big topic for us this year. In addition to large infections like Target, many small retailers like gas stations and transit systems have been hit with card-scraping malware.

It seems the underground has figured out that committing resources to infecting the back office of brick and mortar merchants is very profitable. Many new bad actors are assembling into groups to share resources to look for the next Home Depot.

Our team has successfully identified new variants of the POS malware and their respective C2s and have mapped the growing global infections.”

What will be the biggest threat or concern of 2015? 

“The bad actors are actively researching cloud computing environments, starting from malicious code hosting and distribution, with the intent to not only compromise data, but more importantly to launch attacks from the cloud.

Point-of-sale cyber attacks will continue, as the retail industry is not ready to properly defend itself. The nature and structure of decentralized security in franchised-based businesses, added to insecure technologies and software, makes the merchants extremely vulnerable.

The growth of cyberattacks on critical infrastructures is expected, as more and more governments are actively increasing their cyberwarfare capabilities, for both geopolitical motives and active defense strategies.” 

Daniel Nutkis, founder and CEO, HITRUST Alliance

What do you consider the biggest threat of 2014?

Those are very tough questions to answer, and in 2014 we did witness a widening gap between the capabilities of cyber defenders (healthcare organizations) and attackers (threat actors) in the healthcare industry while experiencing an increased reliance on interconnected information systems and medical devices. It is tough to ignore the threats and risks cyber poses – HITRUST certainly hasn’t and has invested in programs to help industry in preparedness and response.

We shouldn’t lose sight of the fact that we have had cyber related threats ever since organizations began leveraging the Internet and related technologies.  In healthcare we have seen a steady increase in organizations implementing information systems and the amount of electronic information they store online, which corresponds to an increase in potential loss and impact in the event of a breach. Although cyber related breaches are on the rise, they still comprise less than those of other breach types, such as unencrypted mobile media or those introduced by employees and insiders. 

Organizations should not get distracted from the fundamentals of managing risks associated with health and other sensitive information. The information security foundations are still relevant relating to information management and data governance – measure, manage and communicate the risks. These foundations are prerequisites to being prepared to effectively address cyber threats and other threats that may emerge.

What do you think will be the biggest threat in 2015?

We recognize that the level of organizational maturity varies greatly across the industry and as such we see that a significant threat in 2015 for the healthcare industry is organizations not implementing and following strong information security principles. Given the wide adoption of the CSF and CSF Assurance program, HITRUST has empirical data to show that organizations that implement strong security programs reduce their level of information related risk.

Ari Schwartz, senior director for cybersecurity, National Security Council, The White House

What was the biggest security concern or threat this year?

Unfortunately, there were a lot to chose from. If I had to pick one, Heartbleed really changed the way that we respond to new vulnerabilities.

What will be the biggest threat or concern of 2015?

Taking a bit more of an optimistic tack here, I think that 2015 will really be the year that multifactor authentication (MFA) begins to take hold. We’ve seen a major increase in the commercial offerings usable MFA. Let’s hope we can look back and say that 2015 was the year the password was dealt its fatal blow in favor of MFA.

Alex Stamos, CISO, Yahoo

What was the biggest security concern or threat this year?

Since the Snowden revelations, we have seen an erosion of user trust in both tech companies and governments and we have been working very hard to restore this trust in Yahoo. In my mind, restoring trust means demonstrating two facts. First off, that technology companies are making decisions in the best interest of their users, and secondly that they have the technical capabilities to back up those decisions. 

What will be the biggest threat or concern of 2015?

The last several years have ably demonstrated that the traditional username and password authentication paradigm is not appropriate for the 21st century. We will continue to see username and password breaches affecting hundreds of millions of users in 2015, and the technology industry will need to adapt our methods to keep these users’ identities safe. I also expect that we will see more flaws in fundamental building blocks like Heartbleed and Shellshock. The impact of these flaws means that thousands of researchers worldwide, working for tech companies, governments, and criminal groups, are now looking at the decades old code that underpins the Internet. In the long run, open discovery of these flaws should make our systems more trustworthy, but in the meantime security teams need to prepare themselves to mitigate these kinds of bugs extremely quickly and without disruption to operations.