2015 CYBERSECURITY PREDICTIONS

Page 1: 2015 Cybersecurity Predictions

2015 CYBERSECURITY PREDICTIONS

Page 2: 2015 Cybersecurity Predictions

THE YEAR 2015 IS GOING TO BE A LANDMARK YEAR FOR MOBILE.

Page 3: 2015 Cybersecurity Predictions

WE’RE GOING TO SEE AN INCREASE IN PRIVACY CONCERNS, MALWARE IN THE U.S., AND iOS ATTACKS.

BUT WE’LL ALSO WITNESS BIG CHANGES IN THE WAY THE WORLD THINKS ABOUT SECURITY AND THE TECHNOLOGY BEHIND THE PROTECTION WE ALL DEPEND UPON AND TRUST.

Page 4: 2015 Cybersecurity Predictions

LOOKOUT CO-FOUNDERS JOHN HERING AND KEVIN MAHAFFEY PUT TOGETHER THIS LIST OF PREDICTIONS – THE WAY WE SEE THE MOBILE SECURITY INDUSTRY MOVING.

Page 5: 2015 Cybersecurity Predictions

KEVIN MAHAFFEY

There will no longer be a technology industry. All industries will be technology industries.

Page 6: 2015 Cybersecurity Predictions

AS THE DIGITAL SURFACE AREA INCREASES, SECURITY AND PRIVACY WILL BE CRITICAL.

Page 7: 2015 Cybersecurity Predictions

In the past, there has been a divide between technology companies—Facebook, Google, Yahoo, Oracle—and the rest of the economy.

Getting a taxi, booking a hotel, watching a movie, listening to music, and buying a used car are all examples where technology is transforming industries that would not, in the past, consider themselves to be technology industries.

Existing companies will either turn themselves into technology companies or be disrupted by innovative competitors.

Page 8: 2015 Cybersecurity Predictions

JOHN HERING

Privacy concerns will head to the enterprise.

Page 9: 2015 Cybersecurity Predictions

ENTERPRISES WILL BE INCREASINGLY FACED WITH A SET OF COMPLICATED CHALLENGES AS THEY STRIVE TO RESPECT INDIVIDUAL PRIVACY WHILE KEEPING CORPORATE INTERESTS SAFE FROM ATTACKERS.

Page 10: 2015 Cybersecurity Predictions

Regardless of who owns the device, smartphones and tablets have become innately personal, oftentimes housing personal photos and banking information alongside corporate data. That means that most employees want some level of control over the device.

Multinational corporations will have a particularly tough time as each country in which they operate has unique regulations and user expectations with regard to privacy.

Page 11: 2015 Cybersecurity Predictions

Cybercrime will just be called crime.

KEVIN MAHAFFEY

Page 12: 2015 Cybersecurity Predictions

AS MORE VALUE IN THE WORLD IS STORED ON CONNECTED COMPUTING DEVICES, THERE’S MORE INCENTIVE FOR CRIMINALS TO STOP STEALING CARS AND START STEALING DATA AND MONEY FROM COMPUTERS.

Page 13: 2015 Cybersecurity Predictions

In the past, crimes committed using computers were so rare relative to physical-world crimes that we gave them a fancy name, “cybercrime.” Today, prominent organizations are hacked on a weekly basis and as a result, millions of consumers are put at risk of identity theft and financial fraud whether it be through their PC or mobile device.

The Center for Strategic and International Studies estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $400 billion. This shift to online crime is a benefit and a curse. The curse is that breaches can be much more severe in the online world, but the benefit is that we have new tools such as predictive security to prevent crime and catch criminals that are not practical to deploy in physical-world crime.

Page 14: 2015 Cybersecurity Predictions

United States will become more of a target for mobile malware.

JOHN HERING

Page 15: 2015 Cybersecurity Predictions

THE U.S. HAS TYPICALLY REMAINED SOMEWHAT REMOVED FROM THE MOBILE MALWARE AND THREATS SEEN IN OTHER PARTS OF THE WORLD. THAT WON’T BE THE CASE FOR LONG.

Page 16: 2015 Cybersecurity Predictions

NotCompatible, a kind of malware that turns phones into bots, targeted between 4 and 4.5 million U.S. smartphones this year. We estimate that U.S. phones were an attractive target because U.S. IP addresses are like a high-profile zip code. Having access to a range of them would give malware operators the legitimacy to target American entities, such as TicketMaster for scalping tickets.

We also saw hundreds of thousands of Android users in the U.S. affected by a particularly concerning form of malware called “ransomware” -- so named because it literally holds its victims’ devices hostage until they pay a ransom. Given the ransomware authors’ success in 2014, there will likely be more versions of ransomware introduced to the U.S. market in 2015.

Page 17: 2015 Cybersecurity Predictions

Mainstream iOS attacks will increase.

KEVIN MAHAFFEY

Page 18: 2015 Cybersecurity Predictions

NO COMPUTING DEVICE IS IMMUNE FROM ATTACK; HOWEVER, SOME ARE LESS FREQUENTLY TARGETED THAN OTHERS.

Page 19: 2015 Cybersecurity Predictions

While targeted remote access trojans (RATs) and exploits have existed on iOS for years, now that iOS has gained significant market share around the world, criminals have begun targeting it more broadly.

For example, the WireLurker malware that was discovered in November monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party or malicious applications onto the device, regardless of whether it is jailbroken. This makes all iOS devices vulnerable, not just those that have been jailbroken.

As iOS continues to grow around the world, particularly in emerging markets, we’ll likely see more attackers focus their efforts on mainstream iOS users.

Page 20: 2015 Cybersecurity Predictions

Companies will replace reactive security with predictive security.

KEVIN MAHAFFEY

Page 21: 2015 Cybersecurity Predictions

BREACHES OF HIGH-PROFILE COMPANIES HAVE BECOME THE NORM. THE SECURITY STATUS QUO IN MOST ENTERPRISES CLEARLY DOES NOT WORK.

Page 22: 2015 Cybersecurity Predictions

Anti-virus tries to identify attacks that have been used in the past, but attackers can slightly modify their code to get around signatures. Behavioral sandboxes installed on the network perimeter try to fool attackers into executing their payloads in a virtual environment, but either can’t identify sophisticated attacks or produce so much noise that they are unusable.

Early-adopter security organizations have started using large datasets and machine intelligence to predict attacks on their internal networks. Mobile and cloud will start to see predictive security get more widely adopted over the next two years.

Page 23: 2015 Cybersecurity Predictions

Pre-installed malware will increase.

KEVIN MAHAFFEY

Page 24: 2015 Cybersecurity Predictions

AS LOW-COST ANDROID PHONES HIT THE WORLD MARKET AT MASSIVE SCALE, ATTACKERS WILL START TARGETING THE SUPPLY CHAIN TO PRE-INSTALL MALWARE ON DEVICES.

Page 25: 2015 Cybersecurity Predictions

In the past year, Lookout identified two families of malware pre-loaded on phones, Deathring and Mouabad. Because pre-loaded malware is part of the “system” partition of a device, it is nearly impossible for ordinary users to remove it.

Such supply chain issues are particularly concerning to businesses that may have employees bring their own pre-exploited devices onto the sensitive corporate network.

Page 26: 2015 Cybersecurity Predictions

Internet of Things/wearable devices will not be a priority for cybercriminals… yet.

JOHN HERING

Page 27: 2015 Cybersecurity Predictions

IOT AND WEARABLES ARE NOT MAINSTREAM ENOUGH YET, AND WON’T BE FOR ANOTHER 3-5 YEARS, TO BE SIGNIFICANT TARGETS FOR CYBERCRIMINALS.

Page 28: 2015 Cybersecurity Predictions

Today, cybercriminals remain focused on the most lucrative targets: PCs and increasingly, mobile devices. It will take multiple generations of wearables and IoT devices on the market to achieve the critical mass necessary for us to be highly concerned.

That said, connected devices need to be built with a potential threat top of mind, particularly given the amount of sensitive or personal information they have the ability to store and transmit.

Page 29: 2015 Cybersecurity Predictions

Vulnerable apps will become a bigger problem than vulnerable operating systems.

KEVIN MAHAFFEY

Page 30: 2015 Cybersecurity Predictions

AS DEVELOPERS SEEK TO CHURN OUT APPS FASTER THAN THEIR COMPETITORS, SECURITY AND PRIVACY ARE OFTEN AN AFTERTHOUGHT.

Page 31: 2015 Cybersecurity Predictions

As of January 2014, mobile apps (not mobile browsers) replaced desktop web browsers as the primary way people use the Internet. Mobile operating systems have been getting more secure over the past several years; however, the attack surface due to mobile apps has increased.

Apps can contain vulnerabilities that both put their data at risk and open a hole for a network-based attacker to run arbitrary code on a device. For example, with a recent vulnerability (Android unsafe usage of addJavascriptInterface), Lookout measured over 90,000 apps that were likely vulnerable. This is an impossible patch logistics problem. Operating system patch cycles are still a problem, but the numbers are relatively tractable compared with the huge numbers of mobile apps.

Page 32: 2015 Cybersecurity Predictions

For more mobile security information, follow