The future of internet security
Glenn Warrington
What the threat landscape will look like in the next five years
Cyber crime is a multi-million-pound business. In the UK alone, the Cabinet Office estimates the cost of cyber crime to be in the region of £27bn every year, and that number is only snowballing as we move towards a society where everything and everyone perpetually relies on information, and nothing is obscure.
We have become almost entirely dependent on the continued availability, accuracy and confidentiality of information and communications technology. But as well as significant benefits, this has enabled old crimes to be committed in new and more subtle ways, meaning that as tech progresses, so do the criminals relying on it.
Cyber crime, hacks and data breaches are becoming more prevalent, and within the last couple of years, they have hit some of the world's biggest service providers. It's now not a matter of if your company will get breached, but when, and what can be done to try and prevent the inevitable.
Security has now passed well beyond hacking for fun and is now often fuelled by the potential to obtain large quantities of money without physically robbing a bank. Major conglomerates are being targeted, and real people are having their personal information and finances put at risk every day.
So in five years' time, as technology becomes even more pervasive and cyber criminals find it even easier to take advantage of organisations that at the same time are taking more security precautions, how will the threat landscape look?
A revolution in the ad industry
CEO of internet security software company Malwarebytes, Marcin Kleczynski, believes that one of the biggest upcoming security threats we are at risk from is malware being uploaded to users' computers without them even having to click on anything, through online advertisements built into webpages.
"There are many vulnerabilities out there that are probably being used for things we don't even know about; let's take Internet Explorer (IE) for example. There's millions of lines of code, thousands of engineers worked on it and none were perfect," said Kleczynski.
"The attacker looks for code that isn't secure and a lot of these vulnerabilities are in apps that consume content, so IE consumes a webpage and shows you the pretty logos. But if a hacker can find the vulnerability and what content will make it 'choke', you can then craft that content and an IE page."
Kleczynski says this is a very creative way of delivering malware today and it's becoming more popular because the user doesn't realise it is happening.
"If there's an advertisement on a webpage and it is being served by DoubleClick or Yahoo for example - companies that serve billions of ads per day - for them to sanitise billions of these ads [is a big job] and a criminal can just keep uploading malware until one leaks through," he explained.
"So if you go to [a webpage] and IE loads the page and without you even clicking on it, it consumes the code it needs to show you the ad, and while doing so, it consumes it improperly, thus executing the criminal's code, which means 'go download some malware instead of displaying the ad'."
Kleczynski explains that the webpage, as a server of the content, hasn't been hacked; it's just serving the malware, and so doesn't detect that anything is wrong. As a result, the reputations of whoever let the ad through are at stake.
People are increasingly moving towards ad blockers due to these concerns, Kleczynski notes, which isn't good for those organisations that rely on advertising to make money, so he believes in the next year or two there will be a revolution in ad networks and publishers.
"It's all automated now, via real-time bidding and it's so cheap for a criminal to use so I think over the next two to three years there'll be a revolution in the ad industry because if these hackers continue to infect millions of people a year, they are just going to move to ad blockers, and then what?"
Millions of pounds worth of advertising revenue will be lost if something isn't done by the advertising networks, so it is likely we will see big changes in that space in the coming years.
Passwords to biometrics
The password has been the bane of any internet security professional's life for quite some time now. People use oversimplified words so that they can remember them, and consequently, they are put at risk from hackers.
Security specialist at ESET, Mark James, thinks the biggest problems facing the internet security industry in the next five years will be moving away from passwords and embracing biometrics or an alternative process for authentication instead to try and make everything more secure.
"We will need to get away from simple password access and utilise one of the many processes that secure a second or third layer to protect against unauthorised access," James explains. "With the massive amount of data being stored in the cloud or on someone else's server it has to be better protected and that has to start with user access. There's no use encrypting the data or storing it on super ultra-secure servers if gaining access to those resources is still the simple password."
ESET predicts that as our daily lives become more monitored, stored and managed by the world around us, everything will be tailored to our needs and for that to happen access will have to be granted to that data to make sure it fits.
"The exchange of that data is where we need to have the strongest procedures in place, protection of that data should be placed higher than availability," adds James. "The worrying concern is the need to have things sooner rather than safer. We the public demand access to technology as soon as it's available but we need tighter control on making it safe and secure first before it can be exploited or made vulnerable to attack."
Founder of Goode Intelligence, Alan Goode, sees there being a growing desire from the banking industry to adopt convenient methods of biometric security processes to verify the identity of their customers.
"This is creating the conditions to drive the adoption of biometrics in banking even higher," Goode says. "Banking adoption of biometrics is creating a booming biometrics industry with biometric vendors experiencing tremendous growth on the back of the escalation of consumer-led adoption of biometric authentication."
However, this will not just be in the form of biometric security as seen in Apple's Touch ID fingerprint technology for instance. Biometric technology will soon be making much use of hand geometry as well as facial and voice recognition.
The Internet of Things
With the gradual integration of the Internet of Things (IoT) into everyday life, there is a danger that people won't perceive the new risks that come with doing things they have always done. Integrating technology into everyday objects that have previously not been digital and connected to the internet poses new risks. Therefore, security could have an even bigger impact on people's privacy.
"The number of devices that are collecting data about us is increasing," said principal security researcher at Kaspersky Lab, David Emm. "I think it's important that this data is only accessed by those with a legitimate right to do so, for example, that they are secure from hackers, and that consumers have the right to control that flow of data, or disable it."
Emm also believes that through IoT there will be a significant impact on business.
"If I work from home, on the same network as an insecure IoT device, there's a danger that I become the weak link in the security chain of my employer. For example, my work device is compromised via my home network and I bring the vulnerability into the workplace," he adds.
Security researchers also believe that the growing use of the cloud is a potential concern. As organisations and consumers place vast amounts of data in the hands of cloud providers, which offers great convenience - such as access at all times from any device - there's a danger that people outsource the responsibility along with the storage of the data.
"In the next five years, organisations will need to consider the security implications of someone else holding their data," explains Emm. "They need to assure themselves of their cloud provider's security in just the same way that they would if they were storing the data themselves."
This includes protecting endpoints - the point of access to corporate data - and providers needing to take adequate steps to protect their infrastructure, including ensuring that data is encrypted in case there's a security breach.
F-Secure security researcher, Sean Sullivan, adds, "Security has typically taken a backseat during production due to costs and the majority of future internet connected things will be produced on razor thin margins.
"Security is a cost that will definitely be avoided in the rush to market. You can count on that. And that is going to significantly alter the security landscape."
By Lee Bell