The RSA Conference is the world’s biggest and most respected gathering of CISOs, technologists and cybersecurity specialists. As a new decade dawns, and as the next conference convenes in February in San Francisco, a new set of challenges is here.
Sifting through 500 or so submissions from cybersecurity experts eager to take the stage at the conference (I’m on the committee that chooses presentations) offers a glimpse into emerging problems like deep fakes, stalkerware and surveillance attacks, while longstanding themes, including DevOps and ransomware, are gaining renewed importance.
If you’re a business executive, watch out for these trends (or worries). They might affect your organization. Here are some of the biggest challenges we’re seeing based on the submissions.
1. Fakes and deep fakes are the new buzzwords.
Deep fakes, faked videos and audio recordings that resemble the real thing, are a subject of interest for many experts. Anyone can download software to create them, which opens up many possibilities for malicious activity. A politician could be faked making a vote-losing comment before an election. A faked recording of a senior executive could order the accounts department to make a payment into a criminal’s bank account. New forms of “stalkerware,” a type of spyware, track smartphone data from victims to build up a picture of their activities; that harvested material can in turn feed faked videos, voice recordings or written communications. The security industry is still working out its response to this new threat.
2. Smartphones are being used in surveillance attacks.
With the growing use of banking apps and touchless payments, smartphones are becoming hubs for financial transactions. This has driven an increase in mobile surveillance attacks, which install tracking software on phones to monitor people’s behavior through their smartphone usage. What the attacker learns then feeds corporate email fraud, known as business email compromise: the more an attacker knows about a victim’s activities, the easier it is to send them a convincing email that gets them to open a file containing malicious code. Users need greater awareness of the dangers of mobile surveillance and of the steps to counter it.
3. Ransomware is getting more sophisticated as companies pay out.
We saw lots of submissions about the evolution of ransomware and the cat-and-mouse game between attackers who are looking for clever ways to get around detection capabilities and defenders seeking new ways to block them. Instead of randomly encrypting any data they can, criminals are targeting high-value business data to encrypt and hold to ransom. In my view, ransomware is midway through its life cycle. We’ll be talking about it for many years to come but will eventually have it licked as we sharpen our defenses.
4. Supply chain attacks are on the rise.
In the submissions this mostly means web skimming: attackers inject malicious code into a website, often ecommerce or finance, frequently by tampering with a third-party script or library the site loads (which is what makes it a supply chain attack), and use it to steal data such as customers’ personal details and credit card numbers. Adversaries have doubled down on this type of attack and have scored some recent successes. In 2019, a well-known British company was fined a record $241 million after a breach of customer payment data; the attack was believed to have been mounted by the Magecart threat group. Other large companies have suffered similar attacks, and more are likely. Defenders must improve protections against rogue code and be ever watchful so they can identify and remove it.
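One concrete protection against rogue code of this kind is Subresource Integrity: the page pins a hash of each script it loads, and a script that has been tampered with no longer matches. The following is an added example, not code from the original article or from any vendor it mentions; it audits the external scripts on a page against their pinned hashes, flags scripts that carry no pin at all, and shows a library with a few injected lines failing the check. The page markup, script bodies and URLs are constructed for the example.

```python
import base64
import hashlib
import re

# Added example (not from the original article): check the Subresource Integrity
# (SRI) hashes of the scripts a page loads, so that a third-party or CDN-hosted
# script altered by a Magecart-style skimmer no longer matches its pinned hash.
# All page content, script bodies and URLs below are constructed for illustration.

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI token ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """True if any hash listed in the integrity attribute matches the content.
    Browsers use the strongest algorithm present; for an attribute carrying a
    single hash, accepting any listed match gives the same answer."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGOS and sri_hash(content, algo) == token:
            return True
    return False


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTRIBUTE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def audit_scripts(html: str, fetched: dict) -> list:
    """Audit every external <script src=...> on a page.

    `fetched` maps a script URL to the bytes actually served for it (what a
    monitoring job would download). Returns (src, status) pairs where status is
    'ok', 'MISMATCH' (served body differs from the pinned hash), 'no-integrity'
    (nothing pins it, so tampering would go unnoticed) or 'unfetched'.
    """
    findings = []
    for match in SCRIPT_TAG.finditer(html):
        attrs = dict(ATTRIBUTE.findall(match.group(1)))
        src = attrs.get("src")
        if not src:
            continue  # inline script: SRI does not apply
        integrity = attrs.get("integrity")
        if not integrity:
            status = "no-integrity"
        elif src not in fetched:
            status = "unfetched"
        elif sri_matches(fetched[src], integrity):
            status = "ok"
        else:
            status = "MISMATCH"
        findings.append((src, status))
    return findings


# Constructed sample: a pinned library script, a copy of it with injected code
# appended (the skimmer payload itself is elided), and an unpinned analytics tag.
LIB_JS = b"window.lib = {version: '1.0'};\n"
TAMPERED_JS = LIB_JS + b"/* injected */ document.addEventListener('submit', function(e){});\n"
LIB_URL = "https://cdn.example/lib.js"
ANALYTICS_URL = "https://cdn.example/analytics.js"

PAGE_HTML = (
    f'<script src="{LIB_URL}" integrity="{sri_hash(LIB_JS)}" crossorigin="anonymous"></script>\n'
    f'<script src="{ANALYTICS_URL}"></script>\n'
    '<script>console.log("inline");</script>\n'
)


def run_audit(tampered: bool) -> list:
    """Audit the sample page against the genuine or the tampered library body."""
    served = {LIB_URL: TAMPERED_JS if tampered else LIB_JS, ANALYTICS_URL: b"x=1;\n"}
    return audit_scripts(PAGE_HTML, served)


if __name__ == "__main__":
    for src, status in run_audit(tampered=True):
        print(f"{status:13} {src}")
```

The 'no-integrity' finding is the one that matters most in practice: a pin only protects a script that has one, and a skimmer injected into an unpinned script loads without complaint. Pinning third-party scripts also means their updates must be reviewed and re-pinned, which is exactly the control a supply chain attack exploits the absence of.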
5. DevOps speeds up software development but increases security risks.
DevOps is a transformational approach to building software that links development and operations to speed up software innovation. It contrasts with traditional forms of software development, which are monolithic, slow, exhaustively tested before release and comparatively easy to verify. DevOps is instead rapid and proceeds by many small, iterative changes. But this increases complexity and opens up a new set of security problems. With DevOps, existing security vulnerabilities can be magnified and manifest themselves in new ways, and the speed of delivery can mean new vulnerabilities are shipped unseen by developers. The solution is to build security testing and monitoring into the DevOps pipeline from the start, which requires cooperation and trust between the CISO and the DevOps team.
6. Emulation and decoy environments must be credible.
Large businesses are looking to create “emulation environments”, the modern form of the honeypot, to detect unknown threats. These mimic credible servers and websites but are really there to lure in bad actors so that defenders can observe their behavior and collect data about their methods. Decoy assets such as fake credentials, documents or hosts operate in a similar way. The challenge is to create emulation environments good enough to convince the adversary that it is dealing with a real-world server or website.
7. Cloud incident response requires new tools and skills for in-house security teams.
Organizations are used to dealing with cybersecurity incidents on their own networks. But when their data is stored in the cloud, security teams can struggle. They do not have the same visibility: the underlying infrastructure, and much of its telemetry, is controlled by the cloud provider and exposed only through the provider’s own logging and audit services. So they may struggle to distinguish everyday computing events from security incidents. Existing incident response teams need new skills and tools to carry out forensics on cloud data. Business leaders should challenge their teams on whether they are prepared and able to manage and respond to attacks in the cloud.
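Separating routine API calls from the few events a responder should look at first is the core of that new skill. As an added example, not code from the original article or from any cloud provider, here is a first-pass triage over audit events in the shape of AWS CloudTrail records: it flags console logins without MFA, IAM changes, anything that switches off the audit trail itself, and access-denied errors from unexpected addresses, while letting the ordinary describe and read calls through. The events, account names and network ranges are constructed; only the field names (eventName, eventSource, userIdentity, additionalEventData.MFAUsed) follow the CloudTrail format.

```python
import ipaddress

# Added example (not from the original article): first-pass triage of AWS
# CloudTrail-style events, separating routine API calls from the actions an
# incident responder should look at first. The events, users and addresses
# below are constructed; only the field names follow the CloudTrail record format.

# Actions that change who can do what, or that blind the logging itself.
IAM_MUTATIONS = {
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
    "AttachRolePolicy", "UpdateAssumeRolePolicy", "CreateLoginProfile",
}
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Where our engineers normally work from (constructed office range).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def from_trusted_network(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # e.g. 'AWS Internal' or a service-principal source
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage_event(ev: dict):
    """Return (severity, reason) for an event worth a responder's time, else None."""
    name = ev.get("eventName", "")
    source = ev.get("eventSource", "")
    ip = ev.get("sourceIPAddress", "")
    error = ev.get("errorCode")
    identity = ev.get("userIdentity", {})
    actor = identity.get("userName") or identity.get("arn", "unknown")

    if source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER and not error:
        return "critical", f"{actor} tampered with audit logging ({name})"
    if name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Success":
        if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            return "high", f"console login by {actor} without MFA from {ip}"
        if not from_trusted_network(ip):
            return "medium", f"console login by {actor} from unexpected address {ip}"
        return None
    if source == "iam.amazonaws.com" and name in IAM_MUTATIONS and not error:
        severity = "medium" if from_trusted_network(ip) else "high"
        return severity, f"{actor} changed IAM state ({name}) from {ip}"
    if error == "AccessDenied" and not from_trusted_network(ip):
        return "low", f"{actor} denied {name} from {ip} (possible credential probing)"
    return None


def triage(events: list) -> list:
    """Triage every event and return (time, severity, reason) findings, worst first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for ev in events:
        result = triage_event(ev)
        if result:
            findings.append((ev["eventTime"], *result))
    return sorted(findings, key=lambda f: order[f[1]])


# Constructed sample events in the shape of CloudTrail records.
SAMPLE_EVENTS = [
    {"eventTime": "2019-11-04T09:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"userName": "alice"}},
    {"eventTime": "2019-11-04T09:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-11-04T09:06:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"userName": "bob"}},
    {"eventTime": "2019-11-04T09:06:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"userName": "bob"}},
    {"eventTime": "2019-11-04T09:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"userName": "alice"}},
    {"eventTime": "2019-11-04T09:11:15Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "192.0.2.9",
     "errorCode": "AccessDenied", "userIdentity": {"userName": "svc-backup"}},
]

if __name__ == "__main__":
    for time, severity, reason in triage(SAMPLE_EVENTS):
        print(f"{time} {severity:8} {reason}")
```

Read together, the three findings for "bob" (a login without MFA, a new access key minted a minute later, then logging switched off) are the sequence of a credential compromise; the individual calls look ordinary, which is why the triage keys on the identity and the order of events rather than on any single API name.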
8. Artificial intelligence and machine learning.
We have received many papers on AI and ML. These technologies are at an early stage in cybersecurity. Attackers are studying how networks use ML for security defenses so they can work out how to get past them. They are looking at the way AI researchers fool image recognition systems into misclassifying everyday objects with small, deliberately crafted changes. This requires understanding how the system’s ML engine works and then figuring out how to deceive it by exploiting weaknesses in the underlying mathematical model. Attackers are using similar techniques to deceive the ML models used in cybersecurity. AI and ML are also being used to boost deep fakes: attackers gather and process huge amounts of data to understand their victims and whether a deep fake attack or fraud will succeed.
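The same idea applied to a security classifier, as an added example that is not from the original article or from any product it discusses: a small logistic-regression "malware detector" is trained on constructed feature vectors, and an attacker who knows the model computes the smallest change to a malicious sample that flips the verdict to benign. For a linear model that change is exact (each feature the attacker can alter moves against the sign of its weight by margin divided by the sum of those weights), which is the one-step version of the gradient-sign attacks used against image classifiers. The features, training data and the sample file are all constructed for the example.

```python
import math

# Added example (not from the original article): an attacker who understands a
# security classifier's model finds the smallest change to a malicious input
# that makes the model call it benign. The classifier, its training data and
# the feature meanings are constructed for illustration.

# Each sample: [share of suspicious API calls, macro count (scaled), byte entropy (scaled)]
TRAINING = [
    ([0.90, 0.80, 0.90], 1), ([0.70, 0.90, 0.80], 1),
    ([0.80, 0.60, 0.70], 1), ([1.00, 0.90, 0.60], 1),
    ([0.10, 0.20, 0.30], 0), ([0.20, 0.10, 0.20], 0),
    ([0.00, 0.30, 0.10], 0), ([0.30, 0.10, 0.20], 0),
]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def score(model, x) -> float:
    """Linear score w.x + b; positive means 'malicious'."""
    w, b = model
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def is_malicious(model, x) -> bool:
    return score(model, x) > 0


def train_logistic(data, lr=0.5, epochs=2000):
    """Plain batch gradient-descent logistic regression; returns (weights, bias)."""
    n = len(data[0][0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for x, y in data:
            err = sigmoid(score((w, b), x)) - y
            gb += err
            for i in range(n):
                gw[i] += err * x[i]
        w = [w[i] - lr * gw[i] / len(data) for i in range(n)]
        b -= lr * gb / len(data)
    return w, b


def minimal_evasion(model, x, mutable, lo=0.0, hi=1.0):
    """Smallest L-infinity perturbation that flips a malicious verdict.

    For a linear model the optimum is exact: move every mutable feature against
    the sign of its weight by eps = margin / sum(|w_i| over mutable i). Features
    the attacker cannot change are left alone and the result is clipped to the
    valid range; if clipping leaves the verdict unchanged the attack is
    infeasible under these constraints and None is returned.
    """
    w, _ = model
    margin = score(model, x)
    if margin <= 0:
        return x, 0.0  # already classified benign; nothing to do
    budget = sum(abs(w[i]) for i in range(len(w)) if mutable[i])
    if budget == 0:
        return None
    eps = margin / budget + 1e-9
    adv = [
        min(hi, max(lo, x[i] - eps * math.copysign(1.0, w[i]))) if mutable[i] else x[i]
        for i in range(len(x))
    ]
    return (adv, eps) if not is_malicious(model, adv) else None


MODEL = train_logistic(TRAINING)
SAMPLE = [0.80, 0.70, 0.80]  # a file the model flags as malicious


if __name__ == "__main__":
    print("weights", [round(v, 2) for v in MODEL[0]], "bias", round(MODEL[1], 2))
    print("original verdict malicious:", is_malicious(MODEL, SAMPLE))
    adv, eps = minimal_evasion(MODEL, SAMPLE, mutable=[True, True, True])
    print("evasion with eps =", round(eps, 3), "->", [round(v, 2) for v in adv])
    # Entropy is hard to lower without breaking the payload: treat it as fixed.
    print("entropy fixed:", minimal_evasion(MODEL, SAMPLE, mutable=[True, True, False]))
```

The `mutable` mask is the realistic part: an attacker can pad a file with benign API calls or strip macros far more easily than change its entropy, and a detector whose decision rests on features the attacker controls cheaply is the one that gets evaded. For non-linear models the same sign-of-gradient step is applied iteratively rather than solved in closed form.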
9. Hardware and firmware attacks are back.
There are mounting concerns over processor vulnerabilities such as Spectre and Meltdown. These are part of a family of speculative-execution flaws, disclosed in January 2018, that affect most processors made over the past 20 years. No serious attacks exploiting them have been seen in the wild yet. But security experts are forecasting what could happen if an attacker were able to exploit such weaknesses in hardware and firmware.
10. Power users need protection.
Creating secure connections for senior executives and other top staff who have access to the most sensitive corporate data on their own devices is vital. What measures must be taken to keep them safe?
11. The security industry is finally taking action on DNS spoofing.
IP addresses are the strings of numbers that identify computers on the internet. The Domain Name System maps human-readable names to those addresses so that a site can be found by name, which is why DNS is known as the phone book of the internet. But bad actors can forge DNS answers so that a legitimate name resolves to an address they control, misdirecting users to compromised websites where they risk having data stolen. The industry has finally started to gather more DNS telemetry to identify these problems and prevent DNS spoofing.
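What makes a forged answer succeed or fail is a handful of checks a resolver performs before it trusts a reply. The following added example, not code from the original article or from any DNS implementation, builds a query and three candidate replies from scratch and runs those checks: the transaction ID and question must match what was sent, the reply bit must be set, and any record whose owner name lies outside the zone that was asked (the "bailiwick") is discarded, which is what defeats a reply that answers correctly but smuggles in a record for an unrelated name. The names and addresses (example.com, 192.0.2.x) are reserved documentation values and all packets are constructed here.

```python
import struct

# Added example (not from the original article): the checks a resolver makes on
# an incoming DNS reply before trusting it, which is what defeats the classic
# spoofing attacks. Every packet below is constructed by this script; names and
# addresses (example.com, 192.0.2.x) are documentation-reserved values.

TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """'www.example.com.' -> length-prefixed labels ending in a zero byte."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode a name at offset, following compression pointers; returns (name, next offset)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(tid: int, qname: str, qtype: int = TYPE_A) -> bytes:
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(tid: int, qname: str, answers, additional=()) -> bytes:
    """Build a reply; answers/additional are (owner name, type, ttl, rdata) tuples."""
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, len(answers), 0, len(additional))
    pkt = header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for owner, rtype, ttl, rdata in list(answers) + list(additional):
        pkt += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return pkt


def parse_response(pkt: bytes) -> dict:
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(pkt, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            records.append((section, owner, rtype, ttl, pkt[off:off + rdlen]))
            off += rdlen
    return {"id": tid, "flags": flags, "questions": questions, "records": records}


def in_bailiwick(owner: str, zone: str) -> bool:
    return owner == zone or owner.endswith("." + zone)


def validate_response(pkt: bytes, expected_id: int, qname: str, qtype: int, zone: str):
    """Return (accepted, reason, records kept).

    The id and question must match what we sent (a real resolver also checks the
    UDP source port it randomised); records outside the bailiwick of the server we
    asked are dropped so a reply cannot plant data for unrelated names in the cache.
    """
    reply = parse_response(pkt)
    if reply["id"] != expected_id:
        return False, "transaction id mismatch", []
    if not reply["flags"] & 0x8000:
        return False, "QR bit not set: not a response", []
    if reply["questions"] != [(qname, qtype)]:
        return False, "question section does not match what we asked", []
    return True, "ok", [r for r in reply["records"] if in_bailiwick(r[1], zone)]


# Constructed exchange: our query and three candidate replies to it.
QNAME, ZONE, TID = "www.example.com.", "example.com.", 0x1A2B
QUERY = build_query(TID, QNAME)
GENUINE = build_response(TID, QNAME, [(QNAME, TYPE_A, 300, bytes([192, 0, 2, 10]))])
WRONG_ID = build_response(0x7777, QNAME, [(QNAME, TYPE_A, 300, bytes([192, 0, 2, 66]))])
# Id guessed correctly, but the reply also tries to smuggle in a record for another zone.
POISON = build_response(TID, QNAME, [(QNAME, TYPE_A, 300, bytes([192, 0, 2, 10]))],
                        additional=[("login.bank.example.", TYPE_A, 86400, bytes([192, 0, 2, 66]))])

if __name__ == "__main__":
    for label, pkt in (("genuine", GENUINE), ("wrong id", WRONG_ID), ("poison", POISON)):
        ok, why, kept = validate_response(pkt, TID, QNAME, TYPE_A, ZONE)
        print(f"{label:9} accepted={ok} ({why}) kept={[r[1] for r in kept]}")
```

The 16-bit transaction ID alone is guessable by flooding, which is why source-port randomisation and bailiwick filtering matter, and why the telemetry the article mentions is useful: a burst of replies with mismatched IDs arriving at a resolver is the visible signature of a spoofing attempt. DNSSEC removes the guessing game altogether by signing the records.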
How we respond to these threats in the next decade will make for good conversations at the RSA Conference 2020. Hope to see you there.