Security News No One Saw Coming In 2014

John Dickson shares his list (and checks it twice) of five of the most surprising security headlines of the year.

It has begun…

No, not the over-the-top holiday shopping advertisements and 24/7 commercialization on the run-up to Christmas. I’m talking about the over-the-top 2015 IT predictions lists and 24/7 prognostications that bombard our screens on the run-up to the new year.

Every year I get a kick out of these: The lists get more entertaining, the predictions range from the obvious to the absurd, and the list makers more numerous than college football bowl games. We’ve even taken a stab at the prediction-making game a couple of times ourselves, but quietly found out we weren’t too great at it.

So instead of cranking out another pro forma list of annual predictions, I thought it would be fun to look back in time, not too far, to identify the top security news events in 2014 that no one saw coming. The intent here is to add a little levity to the annual prediction body of work and, at the same time, try to provide some perspective on key events that transpired this year. Come along…

1. Symantec declaring AV is dead!
In May, Symantec VP Brian Dye declared to The Wall Street Journal that anti-virus was, in fact, dead. Of course, after reviewing Symantec’s financials and realizing that AV represented roughly 40% of the company’s revenue, Brian decided to clarify his remarks. I would have loved to have been a fly on the wall in the CEO offices to witness the discussion prior to those clarifications. Of course, if Symantec would have open-sourced its AV software and updates — that would have been real news! Or maybe real news will be made in 2015 when an enterprise client finally rips out AV after complaining about it for so long. That, too, would be news. Unfortunately, most CISOs will continue paying their AV and malware tariff and continue griping.

2. NSA staying out of the news (mostly).
Compared to 2013, when Edward Snowden seemed to be releasing revelation after revelation on a weekly basis, NSA and its new director seemed to stay mostly out of the news this year. I’m not sure if Snowden ran out of juicy bits on his thumb drive or if NSA got better at crisis communications, but the result was that there was less sensational news from America’s most famous/infamous ex-pat. Throw in the fact that ISIS seemed to overrun most of Iraq and Syria over a three-day weekend, and the public seemed more interested in finding out how we deal with ISIS than a grumpy former NSA contractor camping out in a less-than-friendly country.

3. Target firing its CEO after a breach.
I said on Twitter May 5, 2014: “The day information security became real for CEOs across the world.” Although many a CIO and CISO have been fired due to breaches, not until Target’s Board of Directors let Gregg Steinhafel go earlier in the year had a CEO been terminated as a direct result of a data breach. I do believe this got the attention of non-IT executives and boards of directors across the country and will be viewed as a watershed event for the industry. No one saw that coming.

4. Heartbleed and Shellshock’s impact on software and hardware manufacturers.
Up until Heartbleed and Shellshock, security near-death experiences had been the sole domain of banks and other financial services companies or retailers. After these back-to-back vulnerability events, software and hardware companies realized how widely they had implemented the OpenSSL cryptographic library and UNIX bash shell in their products. Most big OEMs were sent scrambling to remediate the problem, which can be an enormous challenge for the larger companies in the crowd.

5. Russia taking out its Crimean frustrations on JPMorgan Chase.
Perhaps only the most astute foreign policy and security analyst would have connected the dots here, but there is increasing evidence that the Russian government and the organized crime syndicates that call Russia home have been cooperating on the JPMC attack. Many observers view this as a tit-for-tat response for Western sanctions levied against Russia after the annexation of the Crimea into the Russian Federation — not too different from resuming their Cold War bomber flights off the coasts of the US. Most Americans can’t find Crimea on a map, but they certainly can find their local JPMorgan Chase ATM and are not happy that the Russians might have found it, too.

These are only five security events that no one saw coming in 2014. No doubt there are likely more gems out there. Feel free to comment below and add your favorite. And feel free to tweet your most over-the-top security predictions for 2015, too: @johnbdickson.

Originally written for Dark Reading

About John Dickson

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years' hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO's) of Fortune 500 companies, including major financial institutions, launch and expand their critical application security initiatives.
More Posts by John Dickson

Leave a Reply

Your email address will not be published. Required fields are marked *