At the beginning of every new year, vendors and tech pundits alike look ahead to what’s next for IT security. While I understand the need to do so to help identify coming threats and emerging trends, the simple truth is that for the vast majority of IT users (and people reading this column), emerging threats are not the primary risk—rather, it is existing threats that should be the prime concern.
Cyber-crime is a business and, like most modern businesses, speed of infection and economies of scale are critical to success. That’s why exploit kits, be it Angler, Rig or otherwise, were popular in 2015 and will be popular for years to come. With an exploit kit, a would-be attacker gets access to a bundled package that enables easy exploitation of users. An exploit kit is not a one-off tool, but rather is intended for mass exploitation. The path to that exploitation, more often than not, is a vulnerability that has already been patched by the impacted software vendor.
Just because a software vendor has issued a patch doesn’t mean a vulnerability isn’t still being exploited. Take your pick of industry studies that report on patch rates, but no matter which report or statistic you look at, the vulnerability patch rate in 2015 (or any year ever) has never been 100 percent—or anywhere near that. End-user patching is a nontrivial concern and a significant challenge. The patching challenge isn’t a new trend for 2016, and it wasn’t a new trend in 2015 or 2014, but it’s the root cause of a large volume of breaches in any given year.
To be fair, the challenge of patching will be easier in 2016 than it was in past years. It is now an increasingly common best practice for many operating system and application vendors to provide automated update mechanisms. Among the best examples is Google’s Chrome browser, which by default provides automated updates. Adobe’s Flash and Acrobat Reader also provide automated updates, as does the popular open-source WordPress content management system.
Other technologies, including operating system vendors like Microsoft with Windows and Apple with OS X and iOS, do not have automated updates by default, but they all try to inform users in a clear manner when it’s time to update.
There are, however, many applications that don’t have automated update systems and aren’t properly integrated with operating system-level notifications. The issue of integrated updates is simplified in some cases through the use of app stores; for example, OS X, iOS and Google Play provide users with a single interface to update apps. The same is true with Linux servers and desktops for users who install packages from their Linux distributions software repositories.
With non-automated updates, it is incumbent upon the user to check to see if an update is available. That’s not a new challenge, and it’s one that will continue to be a risk in 2016.
What never ceases to amaze me, though, is how often I find outdated software (even on my own systems sometimes) that somehow evaded automated updates or my own semi-regular update checks.
The issue of updating isn’t always about user inaction either. A real risk in the mobile world today is unsupported Android phones that no longer get security updates from handset vendors. A further risk comes from Android handset vendors that aren’t keeping up with the new monthly update cycle from Google. In the last six months alone, Google has issued 93 patches for different security vulnerabilities. While Google has made all of the patches available to its handset partners, not all of those vendors have in turn issued timely updates to all impacted devices.
So to recap, there are myriad vulnerabilities disclosed in any given year across desktop and mobile operating systems and applications, and not all of them are patched by users. The result is a vast orchard of low-hanging fruit that attackers can seemingly pick off at will with exploit kits. That’s not a new trend for 2016, but it is an unpleasant truth.
Another unpleasant—and persistent—truth in IT security is that the weakest link is often the user password. Again, not a new trend, but one that has existed since the dawn of modern IT. What has changed in recent years is the increasing use of two-factor authentication (2FA) systems to provide a second layer of protection. As I’ve said many times to many groups of people, no one would live in an apartment in New York City and only have one lock on the door, so why would you secure your online account with a single password?
Often, attackers in a database breach walk away with usernames and passwords. For those accounts that have 2FA, the information isn’t nearly as useful and the risk is reduced. This is a lesson not new to 2016, but it is one that needs to be relearned year after year.
The other large concern for IT security in 2016, as it was in 2015, 2014 and for more than a decade, are common classes of vulnerabilities. On the server side, the ancient issue that continues to yield data breaches is SQL injection. With SQL injection, an application doesn’t properly perform input validation for a database. There are many tools that organizations use to scan for SQL injection, and the fix is often a few simple lines of code.
Certainly, there are new zero-day threats that do emerge, and no doubt a few will show up in 2016. But when it comes to breaches, my humble prediction is that the vast majority in this calendar year will come from known issues that can be mitigated.
When looking at IT security in 2016, don’t shy away from learning about new threats, but don’t forget to first look at existing risks.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.