(Editor’s note: This list was compiled before last week’s OpenDaylight incident, in which an unresolved vulnerability led to the quick formation of a security team for the open source project. Then again, that problem didn’t have the reach of the issues listed below. You can read Keith Griffith’s coverage of the story here and here.)
From vulnerability disclosures that rocked the Internet to enterprise breaches of unprecedented scale, security issues blanketed the news in 2014. Here’s a look at the biggest network security stories of the year, and what they mean for the rapidly evolving field of software-defined security.
Heartbleed: An SDN Problem, Too
The April disclosure of the Heartbleed vulnerability sounded the alarm on network security. A critical flaw in OpenSSL, Heartbleed allowed attackers to pull memory data — including private server keys and user passwords — from servers running the widely used open source implementation of transport layer security.
Shellshock: More Bad News For Open Source
Heartbleed’s reign as the most critical, widespread network vulnerability lasted only until September, when Shellshock came to light. A set of flaws in the Unix command-line interpreter Bash, Shellshock allowed attackers to execute arbitrary code on unpatched servers — which at the time included most servers running Linux.
Rather than start an open source backlash, the vulnerabilities acted as reminders that open source software needs organized support. Donations to the OpenSSL Project skyrocketed in the wake of Heartbleed.
Hackers In The Fridge: SDN Security & the Internet Of Things
Ready or not, the Internet of Things is upon us. Cisco has jumped on the bandwagon, touting IoT on its latest earnings call and serving up a company blog devoted to connected devices. But security issues loom large.
In January, IoT got a made-for-headlines security story when hackers commandeered a smart refrigerator as part of a spam-generating botnet. As an SDNCentral contributor noted at the time, “a compelling NFV solution is the only possible approach to be able to begin addressing this looming problem.”
To put it another way: “The Internet of Things is going to be a major driver for SDN,” as Infoblox CTO Stu Bailey told NetworkWorld. “The only material that we have to combat an increasing complexity in IT systems is software. There won’t be an Internet of Things without software-defined networks.”
Poodle Attack: The Dangers Of Interoperability
The name may be cuddly, but the vulnerability has bite. An acronym for “Padding Oracle on Downgraded Legacy Encryption,” the Poodle attack exploited server and client fallback to the outdated SSL 3.0 encryption standard — which Microsoft in November estimated that 43 percent of websites use.
Though the exploit wasn’t nearly as serious as Heartbleed and Shellshock, it illustrated the potential dangers of backward compatibility and interoperability when it comes to security measures.
“It’s not going to take out the infrastructure of the Internet,” Johns Hopkins research professor Matthew Green told Reuters. “But it’s going to be a hassle to fix.”
2014: The Year Of The Breach
The massive Target breach last December was just the beginning. In 2014, hackers breached the internal networks of a slew of U.S. retail and financial institutions, including Home Depot, JP Morgan Chase, Dairy Queen, and Neiman Marcus. Over 81 million records have been compromised so far this year, according to the Identity Theft Research Center.
In many of the year’s high-profile breaches, attackers gained access to the data center using stolen employee and subcontractor credentials, a shift that experts say underlines the need for security beyond firewalls at the Internet edge.
“In the 90s, most breaches were around notoriety — intrusion for the sake of doing it,” Palo Alto Networks‘ Samantha Madrid told us recently.
“Now it’s about financial gain, being able to get into a network and pulling data that is very valuable. It’s a business.”