In this Help Net Security interview, Gavin Reid, CISO at HUMAN Security, talks about the latest cybersecurity threats and how attackers are becoming more sophisticated. He explains the difficulties organizations encounter in detecting fraud and malicious bots while keeping the user experience intact.
Reid also offers advice for CISOs on how to strike a balance between security and business innovation.
What are the emerging threats that keep you up at night as a CISO?
As we get more skilled at rooting out malicious behavior and stopping it, threat actors are finding new, more effective ways of hiding or persisting their capabilities. At the same time, the systems we use are increasingly more complex and integrated, making attack surfaces larger and configurations harder to lock down. This has led to a booming criminal underground and, in turn, a need for individuals and organizations to protect themselves.
For example, earlier this year, we identified a cluster of VPN apps available on the Google Play Store that transformed user devices into proxy nodes without their knowledge. Attackers are also hiding behind residential proxies to conduct various types of attacks – including account takeover (ATO) attacks, transaction abuse, programmatic advertising fraud, and web scraping – which makes them hard to detect and disrupt.
The increasing scale of threat operations is also a concern for me as AI and automation augment the efficiency, effectiveness and reach of cyber fraud. For context, the recently disrupted Phish ‘n’ Ships global fraud operation stole tens of millions of dollars from hundreds of thousands of consumers by phishing their payment information and selling them fake goods. They were able to do this by infecting more than 1,000 websites to stage fake product links that redirected to 121 fake web stores in Dutch, English, French and German. All the stages of this campaign were carried out by bots.
What are organizations’ most significant challenges distinguishing human interactions from bot-driven or fraudulent activities?
Not all bots are bad; some bots are good and enhance the user journey through chatbots, search engine web crawlers, or bots that test and monitor website performance. Unfortunately, the majority of bots are misused for business, and they can generate over 50% of the traffic to a company’s website.
The need to distinguish between the two makes it a complex matter for website owners to accurately detect and mitigate bad bots, without impeding the good ones that enhance the user experience.
Bot detection works by recognizing markers of bad bots, including requests originating from malicious domains and patterns of behavior exhibited. Establishing a baseline of normal human web activity and recognizing anomalous behavior from incoming traffic is at the core of effective bot detection.
Some key characteristics of malicious bots include quickly viewing massive volumes of pages, sessions that are much shorter or much longer than what is usual, jumping directly to interior HTML pages without following standard user access patterns, traffic that imperfectly models human behavior, traffic that persists over long periods, and unusual customer activity like surges in login failures, password resets, failed transactions, or new account creation.
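The baseline-and-anomaly approach described in the answer above, worked through on log data as an added example (this is illustrative code written for this page, not HUMAN Security's detection logic or anything the interviewee described in detail). It parses constructed combined-format access log lines, computes per-client features for several of the listed markers (page volume, session length, jumping straight to interior pages without following links, surges in login failures), derives rate and session-length thresholds from clients assumed to be human, and reports why each client looks automated. The site origin, IP addresses, paths, sample traffic, the "known human" labels and the multipliers used for thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

SITE = "https://shop.example"                  # assumed first-party origin (hypothetical)
ENTRY_PATHS = {"/", "/index.html", "/search"}  # pages a human visit normally starts on

# Nginx/Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def client_features(events):
    """Per-client markers: volume, session length, deep entry, link-following, login failures."""
    events = sorted(events, key=lambda e: e["ts"])
    n = len(events)
    duration = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
    on_site = lambda e: e["referer"].startswith(SITE)   # request followed a link on our own site
    first = events[0]
    return {
        "requests": n,
        "duration_s": duration,
        "rate_rps": n / max(duration, 1.0),
        "deep_entry": first["path"] not in ENTRY_PATHS and not on_site(first),
        "no_referer_ratio": sum(1 for e in events if not on_site(e)) / n,
        "login_failures": sum(1 for e in events
                              if e["method"] == "POST" and e["path"] == "/login" and e["status"] == 401),
    }

def build_baseline(human_features):
    """Thresholds derived from clients already believed to be human (the labels are an assumption)."""
    rates = [f["rate_rps"] for f in human_features]
    durations = [f["duration_s"] for f in human_features]
    return {"rate_max": 10 * median(rates),          # 10x the typical human request rate
            "dur_min": median(durations) / 10,       # sessions far shorter than usual
            "dur_max": median(durations) * 10}       # sessions far longer than usual

def score_client(f, base):
    """Return the reasons a client looks automated; an empty list means it looks human."""
    reasons = []
    if f["rate_rps"] > base["rate_max"]:
        reasons.append("page volume far above human baseline")
    if f["requests"] > 3 and not (base["dur_min"] <= f["duration_s"] <= base["dur_max"]):
        reasons.append("session much shorter or longer than usual")
    if f["deep_entry"] and f["no_referer_ratio"] > 0.8:
        reasons.append("jumps straight to interior pages without following links")
    if f["login_failures"] >= 5:
        reasons.append("surge in login failures")
    return reasons

def analyze(lines, known_human_ips):
    """Group log lines by client, build the baseline from known humans, score every client."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    feats = {ip: client_features(ev) for ip, ev in by_ip.items()}
    base = build_baseline([feats[ip] for ip in known_human_ips if ip in feats])
    return {ip: score_client(f, base) for ip, f in feats.items()}

def _line(ip, t, method, path, status, referer, ua="Mozilla/5.0"):
    return (f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 '
            f'"{referer}" "{ua}"')

def constructed_log():
    """Constructed sample traffic (not real logs): two humans, one scraper, one credential-stuffing bot."""
    t0 = datetime(2024, 11, 29, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    journeys = {"203.0.113.5": ["/", "/search", "/product/17", "/cart", "/checkout", "/thanks"],
                "203.0.113.6": ["/", "/search", "/product/3", "/product/9", "/product/12",
                                "/cart", "/checkout", "/thanks"]}
    for ip, journey in journeys.items():                  # humans: one click every 30 s, following links
        prev = "https://search.example.net/"
        for i, p in enumerate(journey):
            lines.append(_line(ip, t0 + timedelta(seconds=30 * i), "GET", p, 200, prev))
            prev = SITE + p
    for i in range(40):                                   # scraper: 40 product pages in ~10 s, no referer
        lines.append(_line("198.51.100.7", t0 + timedelta(milliseconds=250 * i),
                           "GET", f"/product/{i}", 200, "-", "python-requests/2.31"))
    for i in range(12):                                   # credential stuffing: 12 failed logins in ~20 s
        lines.append(_line("192.0.2.9", t0 + timedelta(seconds=20 * i // 12), "POST", "/login", 401, "-"))
    return lines

if __name__ == "__main__":
    for ip, reasons in analyze(constructed_log(), {"203.0.113.5", "203.0.113.6"}).items():
        print(ip, "BOT" if reasons else "human", reasons)
```

On the constructed traffic the two human clients produce no reasons, the scraper trips the volume, session-length and deep-entry checks, and the credential-stuffing client trips the login-failure check. In production the baseline would be recomputed continuously from a much larger population and each reason would carry a weight rather than a binary flag, since a single marker (for example a short session) is common among real users too.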
What are the key industries or sectors most vulnerable to inauthentic digital activity?
Unsurprisingly, for businesses focused on managing users’ money, account takeover and carding attacks are common in the financial industry. In these instances, cybercriminals try to break into accounts and steal information from the payments page. As such, the financial industry has been an early adopter of cybersecurity protocols and tools to ensure a fully comprehensive and well-funded security program, while the travel and hospitality industries have not yet made that pivot in the same way.
It should also come as no surprise that retail is the most targeted industry, with tens of trillions of transactions happening quarterly and hundreds of billions of dollars in consumer spending. We can see spikes in bot activities on our platform that are tied to specific days and events, like major sales, and holidays like Christmas, Cyber Monday and Black Friday, where we see the purchasing activity rise dramatically.
In streaming and media, we see that free trials are still common to entice users to join the services without upfront payment, which creates a favorable environment for fake account creation that ultimately never pays the bill. Another rising threat for the media and streaming industries is content scraping, as bot-gathered intelligence poses greater and greater risks in the age of AI.
What KPIs should CISOs use to evaluate the effectiveness of fraud detection and prevention solutions?
- Detection efficacy: How successful was the platform or tool detecting known events?
- User impact: How did the platform or tool reduce user friction for real users?
- Bot/miscreant impact: How successful was the platform or tool in blocking or introducing friction for bad bots?
- Context usefulness: How often was the platform or tool used to successfully understand an event?
What advice would you offer to large organizations looking to balance compliance with security innovation?
A good CISO makes balanced risk decisions. A bad CISO gets in the way of helping the company innovate. The combination of industry best practices and regulation forcing the adoption of robust security tooling and methodology pushes companies to create a strong baseline to build in effective protections.
However, CISOs must evaluate carefully what assets they choose to put maximum security measures behind. If you argue that everything needs that high level of security, you become the CISO who cried wolf, and no one will believe you.
Instead, CISOs must identify the business drivers, the applications and data sources that are crucial to the business, and prioritize protecting those assets. While this may produce more risk by leaving other assets less protected, this philosophy ensures CISOs can balance effectiveness with safety.