Cybersecurity is important for any organization, and the landscape is constantly evolving. Maintaining vigilance is often a game of cat and mouse or whack-a-mole. As both Sun Tzu and Rage Against the Machine said in slightly different ways, you must know your enemy. In a fast-paced world, this is not an easy task. Luckily, as with most industries, the cybersecurity industry holds annual conferences to help us all synthesize the latest and greatest trends.
I noticed a few common themes on this year’s conference circuit. Here are the top four trends that I believe you should be ready for in the year ahead.
1. Security Meets Data Science
A big theme this year was artificial intelligence, specifically deep neural networks. Energized by news reports on the controversial use of “deep fakes,” people started realizing that big data processing could be used to enhance both attack and defense. At one conference, Joshua Saxe of Sophos presented an example of a security neural network in action: a model trained to score previously unseen URLs on a continuum from benign to malicious. His system showed a massive lift in detection rates of malicious URLs versus the current signature-based, blacklist-focused methods. This presentation convincingly showed that deep neural networks can augment existing practices with better rates of detection. This is welcome news in the ongoing effort to thwart phishing attacks.
From the attack side, there were multiple presentations at both conferences describing the ability to train computers to simulate not only video but also voice with a surprising degree of accuracy. While these types of attacks are in their infancy, we might soon see video and audio that is completely fabricated and nearly indistinguishable from the actual source.
We’re living in a time when a healthy dose of skepticism is a requirement. In the near future, be prepared to question the validity of audio and video that seem out of place in terms of tone or motive. Make sure to get information from trusted sources, and remember that trusted sources will be fooled sometimes as well.
2. Internet-Enabled Devices Are Everywhere
Internet of things (IoT) devices are becoming more and more widespread, and that trend isn’t slowing any time soon. IoT devices are difficult to update, and many have lax security measures in place. To be clear: IoT devices within an organization can put companies, infrastructure and individuals at risk. The problem is compounded when compromised devices become gateways into industrial control or supervisory control and data acquisition (SCADA) systems. Those systems are often less protected and more difficult to update.
Adam Shostack gave a talk on threat modeling at a conference and discussed approaches to these new threats. Agile methodologies have been adopted for software development, and threat modeling cannot continue to be ruled by an outmoded waterfall approach when things are moving so quickly. We must be iterative in our approach and respond quickly as the threats pile up due to development speed and the sheer volume of wireless sensors. By doing so, we’ll be better prepared to handle the number of internet-enabled devices that come online every day.
3. The Need For Proper 2FA Will Grow
Authentication is a perennial topic in the security arena. In recent years, most companies have begun to use proper authentication practices, but two-factor authentication (2FA) remains difficult for many people to comprehend. There are three common types, or “factors,” of authentication:
1. What you know (e.g., a password)
2. What you have (e.g., an authentication app)
3. What you are (e.g., a fingerprint)
Given that, 2FA is exactly what you might think it is — any combination of two different types of authentication. The most common application of 2FA is a password and a code generated by a physical device.
Unfortunately, it doesn’t seem to be common knowledge that companies and users should not depend on text messages, emails and phone calls for the second factor of 2FA. It’s not that difficult for an attacker to execute what is known as a SIM swap to gain access to a user’s phone. Rather than depending on texting, emails or calls, the codes should be generated by either a dedicated device or an application such as Google’s Authenticator app. Spend some time in the coming year protecting your accounts by auditing and changing your passwords and utilizing 2FA whenever possible.
4. Everything Old Is ‘New’ Again
Computers are more powerful than they were a decade ago, but the threat vectors are generally the same. While computers have become more powerful, they still complete the same task: They process data. Protecting that data is an enduring problem. The STRIDE threat model that Microsoft built to describe threats is still as relevant as it was in 2009. The conference talks I heard all fell into the same threat categories as last year’s and the year before that.
How do you prepare for these enduring threats? Maintain a basic level of security. Protect your passwords. Ensure that your company performs regular training and risk assessments. Have a business continuity plan. Test all your safeguards.
There will always be new ways for hackers to break into computer systems, and there will always be new hackers. Fortunately, there are people who are just as enthusiastic about defense as the hackers are about offense. You don’t necessarily need to know the details of a hacking attack to understand the risk it poses to your organization. Stay on top of the trends and the overall threat landscape, and be sure to make security a priority.