Looking ahead: Cybersecurity in 2015

January 15, 2015

A score of highly pub­li­cized data breaches in 2014 has moti­vated Pres­i­dent Barack Obama to announce that strength­ening cyber­se­cu­rity will be one of his administration’s top pri­or­i­ties in 2015, with a par­tic­ular focus on iden­tity theft and improving con­sumer privacy.

We asked William Robertson, a web secu­rity expert and an assis­tant pro­fessor with joint appoint­ments in the Col­lege of Com­puter and Infor­ma­tion Sci­ence and the Col­lege of Engi­neering, to explain what we can expect from cyber­se­cu­rity in the new year.

Some of the biggest cybersecurity news in 2014 centered on the continuing rise of state-sponsored malware; more large-scale breaches at retailers, financial institutions, cloud providers, and government agencies; leaks that provided more insight into the scale and sophistication of government surveillance; and the discovery of serious vulnerabilities in foundational security protocols. There aren’t easy solutions for any of these issues, either because of limitations in our technical abilities to automatically find and eradicate vulnerabilities at scale or constraints that prevent the application of known technical mitigations.

However, broadly speaking, I expect we’ll see researchers working in earnest on defenses—and more proof-of-concept attacks—in all of these areas. And, there are already practical improvements rolling out that can help users to defend against some of these attacks—for instance, the increasing availability of two-factor authentication as well as the increasing sophistication of these systems.

Our group will investigate space and time complexity vulnerabilities. Many of the attacks we see today use memory corruption flaws or other straightforward techniques to directly hijack control of programs in order to carry out attacks. But an interesting class of vulnerabilities that we believe will become more prevalent in the future concerns the question of whether an adversary can directly attack the algorithms implemented by a program, a significantly different problem that could lead to asymmetric denial-of-service or disclosure of sensitive information.

It’s postulated that as more of the security research that defends against lower-level issues such as memory corruption percolates into deployed systems, attackers will refocus their efforts on higher-level vulnerabilities such as space and time complexity attacks. Our research aims to help the defenders stay one step ahead of the attackers in this area.

One area that I believe will become extremely important in 2015 and beyond is the security of the Internet of Things. The IoT is a buzzword that refers to the push to provide connectivity for everyday devices: home security cameras, baby monitors, thermostats, home appliances, lighting systems, and door locks.

Major players are already forging ahead in this area; Google with its Nest thermostat and Apple with its HomeKit integration framework come to mind. Of course, this connectivity carries a risk, as the network now becomes a potential attack vector. And we have already seen attacks that allow miscreants to remotely hijack security cameras to spy on people, and there was a well-publicized incident where a baby monitor was hacked and a couple was berated by obscenities.

On the flip side, there are privacy concerns that arise when considering that these devices are sometimes managed by, or at least provide data to, third parties. Therefore, we will see strong interest on the part of researchers in improving the security of these devices as well as defending against privacy leaks in the year to come.