2023 is going to be the year when cyber security becomes a business decision. From CISOs struggling to get tech funds sanctioned, the year will see the board of directors mulling over the possible business losses of not adopting the latest cyber defence processes.
The Cyber Express talked to cyber security experts and aggregated their insights on the possible stumbling blocks and stepping stones that businesses will face this year, insights that should ease a manager’s cyber decision process.
Cyber defence: Preparation is key
Organizations have been on the defensive against cyberattacks as they become more frequent and complex.
The cyber threat landscape is rapidly evolving due to digital transformation, and organizations must carefully consider the best approach for securing their critical data.
The “more is better” approach is not sustainable due to the vast number of systems that need to be secured. This approach would only be effective if an organization had an unlimited cyber security budget and resources.
Given the current economic climate, businesses are looking to streamline their budgets. To make informed cyber security investments that align with business outcomes, companies should adopt a “risk optimization” model. This will allow them to establish a targeted strategy for their cyber security budget.
The Cyber Express surveyed industry leaders and cyber security experts to gather their insights on the challenges and opportunities that businesses may encounter in the current year, in order to assist managers in making informed cyber decisions. Here is what cyber security experts have predicted for the year to come.
Dr Ian Pratt, Global Head of Security at HP Inc.
Rise in hijacking remote access sessions could result in high-value domain servers and cloud admin portals – or even physical OT environments – being breached
Session hijacking – where an attacker will commandeer a remote access session to access sensitive data and systems – will grow in popularity in 2023. Increased use of features like Windows Defender Credential Guard are forcing attackers to pivot – either capturing users’ passwords to enable lateral movement, or hijacking the remote session itself to access sensitive data and systems. The latter is particularly powerful.
By targeting users with elevated rights to data and systems – such as domain, IT, cloud, and system administrators – these attacks are more potent, harder to detect, and more difficult to remove. The user is typically unaware that anything has happened. It takes just milliseconds to inject key sequences and issue commands that create a backdoor for persistent access. And it works even if Privileged Access Management (PAM) systems are being used to employ Multi Factor Authentication (MFA), such as smart cards.
If such an attack connects to Operational Technology (OT) and Industrial Control Systems (ICS) running factories and industrial plants, there could also be a physical impact on operational availability and safety – potentially cutting off access to energy or water for entire areas.
Session hijacking does not rely on exploiting a fixable vulnerability; it is about abusing legitimate and necessary functionality of remote session protocols – like Remote Desktop Protocol (RDP), Independent Computing Architecture (ICA), and Secure Shell (SSH).
Strong isolation is the only way of avoiding these kinds of attacks and breaking the attack chain. This can be done either through using a physically separate system, like a Privileged Access Workstation (PAW), or virtual separation, via hypervisor-based approaches.
Tom Van de Wiele, Principal Technology & Threat Researcher
Cheaper GPUs means more potential for experimentation and increased crime-as-a-service development
The change of some cryptocurrency consensus mechanisms (e.g. Ethereum making the transition from “proof-of-work” to the more eco-friendly “proof-of-stake”) and the market being able to catch up with demand have resulted in dropped GPU prices.
This means that more people will have access to powerful GPUs which can then be monetized. We will see increased experimentation as well as ML/AI that will be repurposed to criminal industries e.g. synthetic AI for written works and art.
But also deep-fake generation for video, audio and handwriting, as well as areas where ML/AI is already being used, such as anti-cheat systems in the online gaming world, and devising mechanisms to bypass the detection ML/AI, e.g. player pattern analysis.
This means that companies and cyber security experts should slowly but steadily start prioritizing integrity as part of the data assurance equation and start assuming that just because an image, conference call screenshot or even a written e-mail or signature looks legit, doesn’t mean it is.
This means more pressure on PKI implementations or other cryptographic ways of establishing integrity and trust in order to avoid large-scale phishing campaigns leveraging these kinds of novel manipulation methods.
Year 2038 is closer than we think. Strap in and start preparing
We are slowly starting to see ‘Year 2038’ problems with a few expected but also some unexpected impacts where technology plays a role. Anything where the year 2038 already plays a role, e.g. calculating termination dates of contracts, expiry dates of warranty on larger purchases or in the industrial world, etc.
The first 2038 problems we will see today and in the next few years leading up to 2038 will have to do with planning, tasking, PKI and other systems where future dates have to be used.
The media will make this a frenzy and might potentially blow it out of proportion, which is not necessarily a bad thing. In the case of Y2K, this was positive as it served as an awareness campaign because computers were fairly new to the mainstream population and the impact was limited because of the slow adoption but also because of the awareness.
The issue is that the world runs on C/C++ today far more than it ran on COBOL in 2000, as basically all of our major operating systems, libraries and software ecosystems run on C/C++.
This is not something that will just pass us by. Companies will have to perform a non-cursory review of all software used as part of their core business processes, find out what vendors and manufacturers are doing, and start the dialogue to anticipate any potential problems.
They will also have to make sure that processes are in place for reviewing the technology used by supporting services and third parties. Business continuity and disaster recovery planning will go up in the threat maps for most organizations, especially for those that have relied on smaller or bespoke software for which obtaining support is cumbersome, expensive or even impossible and for which alternatives will have to be sought and transitioned to.
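To make the 2038 point concrete, here is an added example (not part of the article or of Tom Van de Wiele's remarks) of the contract-expiry calculation he describes: a signing date and a 16-year term are constructed values, and the same arithmetic is shown in 64-bit and in a narrowed 32-bit time_t, together with a check a 64-bit build can use to flag dates that a 32-bit consumer cannot store.

```c
/* Added example, not from the article: a 16-year contract or warranty expiry
 * computed in 32-bit time_t arithmetic wraps past 2038-01-19T03:14:07Z,
 * while a 64-bit build can detect dates a 32-bit consumer cannot store. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#define SECONDS_PER_YEAR 31557600LL  /* 365.25 days; fine for a demo */
/* Expiry kept in 64 bits, as a modern time_t holds it. */
int64_t expiry_time64(int64_t start, int years) {
    return start + years * SECONDS_PER_YEAR;
}

/* The same value narrowed to a signed 32-bit time_t. The wrap is done
 * explicitly in unsigned arithmetic so the result is well defined. */
int32_t expiry_time32(int64_t start, int years) {
    uint32_t u = (uint32_t)(uint64_t)expiry_time64(start, years);
    int64_t w = (int64_t)u;
    if (w > INT32_MAX)
        w -= 0x100000000LL;        /* reproduce two's-complement wrap */
    return (int32_t)w;
}
/* 1 if the date cannot round-trip through a 32-bit time_t. */
int exceeds_time32(int64_t t) {
    return t > INT32_MAX || t < INT32_MIN;
}

/* ISO-8601 UTC rendering; gmtime() handles negative values on most libcs. */
static void format_utc(int64_t t, char *buf, size_t n) {
    time_t tt = (time_t)t;
    struct tm *tm = gmtime(&tt);
    if (tm)
        strftime(buf, n, "%Y-%m-%dT%H:%M:%SZ", tm);
    else
        snprintf(buf, n, "(unrepresentable)");
}

int main(void) {
    const int64_t signed_on = 1672531200LL;  /* 2023-01-01T00:00:00Z, constructed */
    char a[32], b[32];
    int64_t ok = expiry_time64(signed_on, 16);
    int32_t bad = expiry_time32(signed_on, 16);
    format_utc(ok, a, sizeof a);
    format_utc(bad, b, sizeof b);
    printf("64-bit expiry: %" PRId64 " (%s)\n", ok, a);
    printf("32-bit expiry: %" PRId32 " (%s)\n", bad, b);
    printf("needs review before 2038: %s\n", exceeds_time32(ok) ? "yes" : "no");
    return 0;
}
```

The 32-bit result lands in 1902, which is the kind of silently wrong termination date a review of contract, warranty and PKI systems should be looking for.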
Andy Zollo, Vice President EMEA at Imperva
Organizations will realize bundled cloud security tools aren’t fit for purpose
2023 will be the year we see organizations begin to question whether they are being too trusting of cloud security. They will increasingly realize that the cloud is not secure-by-design and that bundled security tools from cloud providers simply don’t cut it.
Despite initially appearing to be easy to use, enterprises are finding – to their cost – that the one-size-fits-all approach of many cloud services’ security offerings simply cannot fully protect data in the cloud. There will always be differences in circumstances that leave a gaping hole for attackers. Without putting in proper controls to secure the cloud, vulnerabilities and misconfigurations of cloud environments will be one of the biggest risks to data.
Enterprises and cyber security experts will see a thorough security audit as one of the essential steps to adopting any cloud service and ensuring that they have the right security and tools in place to meet their exact needs, instead of blindly trusting their provider. After all, it doesn’t matter how much money you save migrating to the cloud if you increase the risk of a costly breach in the future.
Alex Holland, Senior Malware Analyst at HP Inc.
People may turn to ‘cyber hustling’ in the cybercrime gig economy to make quick cash during the economic downturn
The 2009 recession saw surges in malware and online fraud. Since then, we’ve seen the rise of the cybercrime gig economy, where the shift to platform-based business models has made cybercrime easier, cheaper and more profitable.
Cybercrime tools and mentoring services are readily available at low costs, enticing cyber hustlers – opportunists with relatively low levels of technical skill – to access what they need to turn a profit. As we face another global downturn, easy access to cybercrime tools and know-how could increase the number of attacks we see – especially attacks against home users by opportunistic cyber hustlers.
Home users may get caught in the firing line, as they are easier to compromise than enterprises. Cyber hustlers are likely to use simpler techniques, like scams and phishing – potentially capitalizing on the economic downturn by offering people fast ways to make money, like cryptocurrency and investment scams.
The interconnected nature of the cybercrime gig economy means threat actors can easily monetize attacks. And if they strike gold and compromise a corporate device, they can also sell that access to bigger players, like ransomware gangs. This all feeds into the cybercrime engine, giving organized groups even more reach.
As attacks against users increase, having security baked into people’s PCs from the hardware up – so they can easily prevent, detect, and recover from attacks – will be essential. Our research shows that email is the most common attack vector, particularly for opportunists like cyber hustlers.
Isolating risky activities is an effective way of eliminating entire classes of threats without relying on detection. Threat containment technology ensures that if a user opens a link or attachment and something nasty comes through, the malware can’t infect anything.
This way organizations can reduce their attack surface and protect employees without hindering their workflows.
Andrew Patel, Senior Researcher at WithSecure Intelligence
Social networks will continue to have the same problems they have today
Existing social network companies will continue to inadequately address disinformation, online harassment, and the problem that recommendation mechanisms lead many people towards belief in dangerous conspiracy theories and extremist views.
YouTube will continue to be a vector for advertising scams, pushing harmful disinformation, and delivering malware. WhatsApp will continue to function as a good platform for delivering scams and malware. LinkedIn will continue to be an excellent tool for reconnaissance and social engineering attacks.
Adversarial machine learning attacks will still not be used in 2023
We first wondered whether haveibeentrained.com was using membership inference attack methodology against image generation models.
However, it turned out to be a simple similarity model derived from common training sets and their metadata. I still wouldn’t expect to see mainstream adversarial-machine-learning-attack-as-a-service operations in 2023.