NEWS ANALYSIS: The trends are very clear, and they point to a year that will be exceptionally challenging for IT security professionals.
In any given year, there are a number of IT trends driven by evolutionary factors with leading indicators that are present in the prior year. Looking into the crystal ball to see what's in store for IT security in 2015, there are some clear trends that emerged in 2014 that serve as harbingers of security trends in 2015.
User Credentials Require Stronger Authentication
Simply put, a username and password are the keys to the kingdom. There is a near endless array of vectors that attackers use to attempt to steal user credentials.
Among the common attacks are phishing exploits, where an attacker sends an unsuspecting user a seemingly legitimate-looking email. That email may include some sort of attachment, which could infect a user, or some incentive to click on a link that will lead to the credential theft.
In 2015, expect to see user credential attacks persist and grow in volume as exploit kits provide increasingly sophisticated tools to enable attacks.
From a defensive perspective, the use of strong authentication such as two-factor verification is important to mitigate the risk of user credential attacks in 2015. The FIDO (Fast Identity Online) Alliance finalized
its specification for strong authentication on Dec. 9, which could help usher in a new era for user credential security in 2015 and beyond.
Privilege Escalation Escalates
One user credential should not be enough for an attacker to completely take over a system. With many data breaches, attackers leverage a user credential as the point of entry into a network and then pivot with the use of a privilege escalation exploit to get valuable data.
In 2015, expect to see an increasing number of privilege escalation flaws revealed and patched by vendors. Also expect to see new technologies and techniques emerge to help secure enterprise directory systems and role-based access controls. Among the likely candidates for improvement in 2015 is Microsoft's Active Directory, which is widely used across enterprises.
Microsoft acquired privately held security firm Aorato on Nov. 13 in a deal that brings in new technologies to help secure Active Directory. In July, Aorato had publicly reported
a high-impact flaw in Active Directory.
Unpatched Flaws Continue to Be Exploits
Time and again over the course of 2014 and prior years, there have been reports of data breaches that were caused by known exploits for vulnerabilities that had already been patched. It's a trend that will continue in 2015 as software complexity and the volume of software patching continue to grow.
One of the ways that vendors in 2015 will aim to mitigate the risks of unpatched flaws is by automating the patching process. Google has had fully automated Chrome browser updates for years, and Adobe has also given its Flash users the choice of automated updates. By removing user delay and the need for manual updates, automated updating will increasingly become the norm in the coming year.
Information Overload Is a Risk
One of the key challenges that many IT security professionals faced in 2014 was information overload. Given the dizzying array of security technologies that an enterprise can deploy and all the signals that can be sent, finding the relevant security information is no easy task.
A trend that was evident in 2014 and will likely grow in 2015 is vendors and technology platforms aiming to limit the risk of information overload. Getting more value out of existing technology and making sense of data to achieve better security outcomes will be a goal for many in 2015.
Sean Michael Kerner is a senior editor at
InternetNews.com. Follow him on Twitter @TechJournalist.