Home / / Reduced Windows exploits in 2015, says Sophos

Reduced Windows exploits in 2015, says Sophos

Vendor's head of security research outlines top predictions for next year

Lyne: The security industry needs to evolve to deal with IoT devices
Lyne: The security industry needs to evolve to deal with IoT devices

Exploit mitigations will reduce the number of useful vulnerabilities that cyber-criminals can take advantage of in Microsoft Windows, according to James Lyne, global head of security research, this week.

In a report highlighting his top cyber-security predictions for 2015, Lyne said that, because Microsoft has invested in exploit mitigations, writing attack code for Windows is becoming more difficult.

"As the difficulty of exploitation increases, some attackers are moving back to social engineering and we also see attackers focusing on non-Microsoft platforms," he said.

However, Lyne warned that cyber-criminals will also pursue other attack vectors in 2015, most notably with the proliferation of the Internet of Things (IoT). He said that IoT attacks will move from the proof-of-concept stage to becoming mainstream risks, due to the fact that manufacturers of IoT devices failed to implement basic security standards in 2014.

"Attacks on these devices are likely to have nasty real world impact. The security industry needs to evolve to deal with these devices," Lyne advised.

Lyne also predicted that attackers will increasingly focus on mobile payment systems in 2015, though he added that, due to few holes being found in these systems, they will also stick to traditional payment fraud for a while.

"Mobile payment systems were the talk of 2014 after Apple stormed ahead with Apple Pay. Cyber-criminals will be looking for flaws in these systems, but the present designs have several positive security features," he said.

"Expect cyber-criminals to continue abusing traditional credit and debit cards for a significant period of time as they are the easier target for now."

Lyne's report also said that encryption is becoming more of a default modus operandi among organisations, despite law enforcement and intelligence agency protests.

He added that the global cyber-security skills shortage is becoming more critical and broadly recognised by governments and industry. He said that the gap is growing larger, with some governments forecasting that they will need until 2030 to meet the present demand for security professionals.