Websense Security Labs is out with its predictions for 2015. You can download them here:
Websense has made 8 predictions for this year. Please read the report for details. Here, I try to analyse them in the Indian context.
1. Healthcare will see increased data breaches:
Healthcare data contains valuable tidbits for an attacker and can open new attack vectors. However, in India, significant numbers of healthcare records are not digitised. Individual healthcare providers have implemented their systems to maintain healthcare records. However, there are hardly any central databases. There is also a lack of consensus on standardisation of medical terminology. This (although dated) article provides an interesting link to the challenges faced by India for digitisation of medical records. Most healthcare service providers, though, just maintain their own databases in either bespoke or off-the-shelf healthcare software. This data does not contain the juicy bits that are desired by an attacker - the financials, the insurance links, etc. I am not sure what an attacker will do by knowing the last time I had an upset stomach and what the doctor ordered.
2. Attacks on the Internet of things:
Websense says that the attacks on the Internet of things will be targeting business systems and not our domestic devices. In India, large corporates do use the Internet of things - from the traditional SCADA control systems to the latest fad - monitoring security cameras from the Internet. However, it is not very prevalent yet. Most large industrial systems are only just starting to get connected to the Internet. Most of them today use computers that are not connected to the Internet, thus reducing the attack surface. I feel that the increase in attacks in this area in India will remain the same as last year or increase only slightly.
3. Credit Card Breaches:
Websense says that credit card attackers will morph into information dealers trying to sell identity theft devices. I believe that credit card fraud will rise in India this year. The increase in the use of plastic combined with a dismal lack of knowledge about safe usage of credit cards will lead to more social engineering attacks and more credit card breaches. I feel this is an area where the information security industry should focus a lot more on training and awareness. Well-written guidelines on usage are a starting point. I really appreciate DBS for creating an educational series about information security. This is the beginning of the rise in banking and card thefts. Banks - please do more to educate your customers.
4. Mobile Device threats:
Websense feels that mobile device attacks will be targeted at credential stealing rather than direct attacks. The attackers will target mobile devices because they are conduits to the cloud. Couldn’t agree more.
India’s premier online retailer, Flipkart, is considering stopping its website and doing business only on the mobile platform. Such is the penetration and usage of mobile phones in India. Almost 75% of Flipkart’s traffic comes from the mobile platform.
In India, this will be a key attack vector. Large scale acceptance and use of mobile apps along with poor security design will make this a juicy attack vector in this year.
In my previous posts, I have been very vocal against BYOD. You can read the posts here:
I am slowly coming around. The usage of personal mobile devices creates a lot of value and adds lots of vulnerabilities to organisations. Organisations in this space need to focus on creating better code for mobile apps, better end user education - and they need to STOP creating apps that ask for so many UNNECESSARY permissions!
5. Open source vulnerabilities:
Websense thinks that more bugs like Heartbleed and Shellshock will emerge. Well, that remains to be seen. My judgement says this year might not be a year of the open source bug like 2014, but will be a year of bugs with the biggies like MS and Apple. Shall we compare notes next year, Websense? Whatever the trend, it will not be very different in India as compared to the rest of the world.
6. Email threats:
Email threats, says Websense, will reach a new level of sophistication. I am not sure what that really means. Does it mean that people will see more social engineering attacks? If so, I would agree. More spam? I would disagree. Websense seems to think that more spam will be delivered to inboxes this year. Again, I do not believe so.
7. Cloud Services:
More usage of cloud services means more attacks coming from the cloud. Attackers will place malware command and control infrastructure in the cloud. Ok, interesting point to make. I am not sure how this works, so cannot make any comments on this, but it seems quite plausible. It might be an interesting attack vector and we need to explore security along this attack vector in detail.
8. More players at the cyber war table:
No brainer. Completely agree with Websense on this one. A big woe is that India is lacking in cyber security and warfare initiatives big time. Here is an interesting article by Praveen Dalal.