A score of highly publicized data breaches in 2014 has motivated President Barack Obama to announce that strengthening cybersecurity will be one of his administration’s top priorities in 2015, with a particular focus on identity theft and improving consumer privacy.
We asked William Robertson, a web security expert and an assistant professor with joint appointments in the College of Computer and Information Science and the College of Engineering, to explain what we can expect from cybersecurity in the new year.
Some of the biggest cybersecurity news in 2014 centered on the continuing rise of state-sponsored malware; more large-scale breaches at retailers, financial institutions, cloud providers, and government agencies; leaks that provided more insight into the scale and sophistication of government surveillance; and the discovery of serious vulnerabilities in foundational security protocols. There aren’t easy solutions for any of these issues, either because of limitations in our technical abilities to automatically find and eradicate vulnerabilities at scale or constraints that prevent the application of known technical mitigations.
However, broadly speaking, I expect we’ll see researchers working in earnest on defenses—and more proof-of-concept attacks—in all of these areas. And, there are already practical improvements rolling out that can help users to defend against some of these attacks—for instance, the increasing availability of two-factor authentication as well as the increasing sophistication of these systems.
Our group will investigate space and time complexity vulnerabilities. Many of the attacks we see today use memory corruption flaws or other straightforward techniques to directly hijack control of programs in order to carry out attacks. But an interesting class of vulnerabilities that we believe will become more prevalent in the future concerns the question of whether an adversary can directly attack the algorithms implemented by a program, a significantly different problem that could lead to asymmetric denial-of-service or disclosure of sensitive information.
It’s postulated that as more of the security research that defends against lower-level issues such as memory corruption percolates into deployed systems, attackers will refocus their efforts on higher-level vulnerabilities such as space and time complexity attacks. Our research aims to help the defenders stay one step ahead of the attackers in this area.
One area that I believe will become extremely important in 2015 and beyond is the security of the Internet of Things. The IoT is a buzzword that refers to the push to provide connectivity for everyday devices: home security cameras, baby monitors, thermostats, home appliances, lighting systems, and door locks.
Major players are already forging ahead in this area; Google with its Nest thermostat and Apple with its HomeKit integration framework come to mind. Of course, this connectivity carries a risk, as the network now becomes a potential attack vector. And we have already seen attacks that allow miscreants to remotely hijack security cameras to spy on people, and there was a well-publicized incident where a baby monitor was hacked and a couple was berated by obscenities.
On the flip side, there are privacy concerns that arise when considering that these devices are sometimes managed by, or at least provide data to, third parties. Therefore, we will see strong interest on the part of researchers in improving the security of these devices as well as defending against privacy leaks in the year to come.