In 2019, roughly half of organizations worldwide reported falling victim to ransomware, account compromise, or credential spoofing, and many of those incidents began with a successful phishing attack. In the same year, Australians reported $61.6 million lost to investment scams. As alarming as these statistics are, we expect the cybersecurity threats of 2020 to grow. With the start of the new year, cybersecurity experts have been coming together to predict which attack vectors will be targeted and how to protect against them. Among the most discussed topics are the rise of deepfakes, the continued growth of ransomware, and the wider adoption of MFA (multi-factor authentication).
Deepfakes: A Cybersecurity Threat for 2020
As technology advances, we hear the term ‘deepfake’ more and more often. The word has been stretched to cover everything from 1920s filmmakers faking earthquakes on screen to modern-day politicians “saying” things they never said. At its core, though, a deepfake today is a video or audio clip generated or altered with AI-based (machine learning) techniques so that it looks and sounds real.
Deepfakes are not all bad. In fact, there is a whole online community that uses deepfakes as an art form. Even Snapchat has a filter that swaps a celebrity’s face onto our own. This can make deepfakes appear fun and harmless, and they can be! However, not all of them are. For example, many of us remember the altered video of Nancy Pelosi. That clip was not even an AI deepfake: it was simply slowed down to make her appear intoxicated. Even so, it was widely circulated and damaged Pelosi’s reputation before the truth became known, which shows that a manipulation does not need to be sophisticated to be effective.
Cybercriminals Leveraging New Threats
The ease and accessibility of deepfake tools has opened a new realm of social engineering attacks that corporate security controls may not be ready for. An attacker does not have to grind away at your systems to use them; with nothing more than social media and email, and no special “hacking skills”, they can deliver a convincing fake. What we need to be aware of is that a skilled social engineer can weave a deepfake into an attack in ways that make the pretext far more believable. These attackers play not only on what you see and hear, but also on how you feel.
Opinions on how much deepfakes will affect the cyber community vary. Marco Rubio compared the threat to that of a nuclear weapon, while Tim Hwang doubts deepfakes will affect the community as much as some suspect. While we wait to see how much of an effect deepfakes will have, Chris Hadnagy (aka @HumanHacker) of Social-Engineer, LLC. warns, “As the technology gets easier to use and expands from pictures to voice and other mediums, I think we will see an increase in these attacks.”
How to Spot a Deepfake
Whatever the threat level turns out to be, deepfakes are something we need to be aware of and guard against. In September 2019, a bill aimed at combating deepfakes passed a House committee. Because the technology is becoming more advanced and more readily available, deepfakes will become harder to identify, and the tells below grow less reliable with each generation of tools. Still, here are some cues that can help you spot them:
- Blinking is one of the harder things for a deepfake to replicate. Watch for unnaturally rapid blinking, or none at all.
- Facial movements may not be completely smooth. Keep an eye out for jerky or robotic motion.
- Watch for strange shifts in lighting and skin tone between the face and its surroundings. If it looks like bad graphics, it could be a fake.
- Look for a blend of two faces, as if a Snapchat filter were slipping off, particularly when the head turns or something passes in front of the face.
Ransomware—Another Cybersecurity Threat for 2020
In 2018, there were 53 reported ransomware attacks on local government entities. In just the first few months of 2019, there had already been 21 reported ransomware attacks on county, city, and state government systems. Hadnagy says, “We can watch a timeline of these (ransomware) attacks starting off using fear to motivate. Then, they became more targeted using multi-vector attacks, combining phishing and vishing. Now most recently, we see the use of social media making these attacks much more believable by specifically targeting people using their personal information and social contacts.”
2020 is sure to continue this upward trend: ransomware is becoming more common and more sophisticated as time goes on. How can you protect yourself and your organization from this growing threat?
Protect Yourself from Ransomware
The FBI provides guidance to help everyone, from government entities to home networks, protect against ransomware attacks:
- Education: Everyone, from the top down, should receive effective training on how to recognize malicious emails and should understand the critical role each individual plays in protecting the organization’s information. Training is one of the main keys to reducing the risk of ransomware reaching your networks.
- Policies: Limiting privileges and implementing software restriction policies reduce the opportunities for ransomware to run. Computer-use policies are also needed: do not give users administrative privileges, and configure access controls, including file, directory, and network share permissions, on a least-privilege basis. Ransomware generally runs with the rights of the user who opened it, so every privilege you withhold shrinks the damage a successful attack can do.
- Protection: Runtime malware defenses (behavior-based endpoint protection) can stop ransomware that slips past signature-based antivirus. Use scanning tools to identify vulnerable systems, patch those vulnerabilities as soon as possible, and upgrade any operating systems (OS) that are reaching end of support so that they continue to receive security fixes.
- Backup Plan: Have a proper backup and recovery strategy in place and test it regularly. The 3-2-1 approach works for many organizations: keep 3 copies of your data, on 2 different types of media, with 1 copy stored offsite. Secure your backups: do not leave them connected to the computers and networks they protect, because ransomware that can reach a backup will encrypt or delete it too. Test your restores and verify the integrity of what you restored, rather than just confirming that the backup job ran. Implement regular penetration tests and vulnerability assessments.
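The “test your backups and ensure integrity” step above is the one most often skipped. As an added example (not code from the original post or from the FBI guidance it summarizes), the script below builds a SHA-256 manifest of a backup set at backup time and later verifies a restored copy against it, reporting files that were modified, deleted, or added. The file names and contents in `demo()` are constructed for illustration; the simulated tampering mimics what a ransomware run leaves behind.

```python
"""Backup integrity check: build a SHA-256 manifest of a backup set, then
verify a copy against it. Added example; not from the original post or the
FBI guidance it summarizes. Paths and file contents below are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large backup archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup copy against a manifest produced at backup time.

    The manifest must live somewhere the ransomware cannot reach (the
    offsite/offline copy in the 3-2-1 rule): a manifest stored next to the
    backup can be rewritten along with it.
    """
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = [rel for rel in current if rel not in manifest]
    return report


def demo() -> tuple:
    """Constructed scenario: verify a clean copy, then a copy in which one file
    was encrypted, one deleted and a ransom note dropped (all simulated)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "finance").mkdir()
        (backup / "finance" / "ledger.csv").write_text("date,amount\n2019-10-01,100\n")
        (backup / "hr.docx").write_bytes(b"PK\x03\x04 constructed sample")
        manifest = build_manifest(backup)
        # In practice this JSON is written to the offline/offsite copy, not here.
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)

        clean = verify_backup(backup, json.loads(manifest_json))

        # Simulated ransomware run on the backup volume.
        (backup / "finance" / "ledger.csv").write_bytes(b"\x8b\x1f encrypted blob")
        (backup / "hr.docx").unlink()
        (backup / "README_DECRYPT.txt").write_text("constructed ransom note")
        tampered = verify_backup(backup, json.loads(manifest_json))
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean)
    print("tampered restore:", tampered)
```

Run this against each restore drill rather than the live backup target: a manifest that only ever gets checked against the same online copy proves nothing about whether the offsite copy is restorable.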
The statistics above are from our October 2019 blog. For a more in-depth discussion on ransomware you can read the full article here.
New Cybersecurity Threats to Watch For in 2020
By reviewing the trends of 2019, we could cut right to the chase and say that cyber-attacks will explode in 2020. But what will be the new thing? Hadnagy had some thoughts: “It is easy to say, for instance, that The Cloud is the next vector, yet we see things like MageCart exploits and other browser-based exploits still existing. Can Cloud be exploited? Yes, for sure. Will it be? Yes, I am sure. But that is not the only vector to worry about, not when we see such a large amount of password reuse, no 2-factor authentication (2FA) and weak passwords still being used.”
Multi-Factor Authentication — Key to Protection
With this ever-changing threat landscape, it is hard to keep up with the ways to protect ourselves. In view of this, Hadnagy highlights steps we need to take immediately. One is that all businesses, including small and medium-sized businesses (SMBs), should be using multi-factor authentication. Hadnagy suggests “…not just multi factor, but also password managers. Combined, it saves your accounts from being the low hanging fruit.”
Multi-factor authentication and password managers are the keys to keeping personal and company information secure. A password manager lets every account have a long, unique password, so a breach at one site does not hand attackers the rest; MFA means a stolen or phished password alone is not enough to log in. Not all second factors are equal: a one-time code sent by SMS or generated by an app can still be relayed by a phishing site in real time, whereas hardware security keys using FIDO2/WebAuthn bind the login to the genuine site and resist that attack. Even so, any MFA is far better than none, and plenty of tools today make these steps easy to implement; a quick Google search will surface the leading apps and managers. By all means, take advantage of them and add this necessary layer to your security.
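To make the “second factor” concrete, here is an added example (not code from the original post) of the time-based one-time password scheme that authenticator apps implement: HOTP from RFC 4226 and TOTP from RFC 6238, plus the server-side verification with a small clock-drift window. The secret is the published RFC test-vector key, not a real credential; the step size (30 s) and window (±1 step) are the common defaults and are assumptions of this example.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, the one-time-code factor behind most
authenticator apps. Added example, not code from the original post; the
secret below is the RFC 6238 test-vector key, not a real credential."""
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the current time window."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current window plus `window` steps either
    side to absorb clock drift, comparing in constant time.

    What this does NOT defend against: a phishing page that relays a freshly
    typed code to the real service inside the same window. That is why the
    post recommends MFA *and* awareness training, not one or the other."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + drift, digits), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    print(totp(TEST_SECRET, at=59, digits=8))        # RFC 6238 vector: 94287082
    print(verify_totp(TEST_SECRET, totp(TEST_SECRET)))  # current code accepted: True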
Strengthen Protection Through Awareness
With this explosion of threats, cybersecurity is more important than ever. Significantly, one thread runs through all of these predicted threats: they attack the human layer of security. As an individual, stay informed about these attack vectors and protect yourself against them. As an employer, train your employees to recognize these threats and know how to respond to them. We believe one of the most effective ways to do this is through phishing and vishing training.
Is this training effective? Earlier this year a SECOM employee spoke with a person who did not think so. He said his company does “a lot of social engineering training that is a huge waste of time”. But was that really the case? He did not know that he had previously been tested by a SECOM employee (at his company’s request) and had given up information his company flagged as sensitive.
After that first test, he received more training, and SECOM was tasked with testing him again. It was during this second call that the quote above was taken. How did he do? He passed the second test with flying colors: he refused to give the SECOM caller any information and shut the call down quickly and efficiently, exactly as company policy required. And he did so despite believing his training was ineffective.
Stay Safe in 2020
As we have seen, 2020 brings many cybersecurity threats to watch out for, but with effective security training you can stay a step ahead of the criminals. And as our SECOM employee’s experience shows, being aware of potential attack vectors and understanding how to guard against them is of real value.