We can’t say it enough… It’s not a matter of IF your business will be attacked; it’s a matter of WHEN. This statement isn’t designed to scare you, it’s meant to serve as a wake-up call so you can begin to incorporate protective solutions to your cyber security stack, immediately.
When Adaptive switched from an MSP model – which was basically a break-and-fix IT model – to a more complete cyber solution, we did so because the cyber-threat landscape was growing exponentially. Little did we know that the sudden shift to an international remote workforce would have a devastating effect on the already bleak outlook for SMBs.
Now, when we look back at the cyber threats that existed pre-Covid, they seem like child’s play compared to where we are now. To make matters worse… the future looks even more terrifying.
More Treachery and Risk Ahead as Attack Surface and
Hacker Capabilities Grow
According to excerpts from an article by Forbes, they wrote, “While cybersecurity capabilities and awareness seem to be improving, unfortunately, the threat and sophistication of cyber-attacks are matching that progress.
The 2023 Digital Ecosystem
The emerging digital ecosystem is treacherous. In our current digital environment, every company is now a reachable target, and every company, large or small, has operations, brand, reputation, and revenue pipelines that are potentially at risk from a breach.
For 2023 and beyond the focus needs to be on the cyber-attack surface and vectors to determine what can be done to mitigate threats and enhance resiliency and recovery. As the interest greatly expands in users, so do the threats, As the Metaverse comes more online it will serve as a new vector for exploitation. Artificial intelligence and machine learning, while great for research & analytics (i.e. ChatGPT). However, AI tools can also be used by hackers for advanced attacks. Deep fakes are already being deployed and bots are continuing to run rampant. and the geopolitics of the Russian invasion of Ukraine has highlighted the vulnerabilities of critical infrastructure (CISA Shields Up) by nation-state threats, including more DDSs attacks on websites and infrastructure. Most ominous was the hacking of a Ukrainian satellite.
Here are some initial digital ecosystem statistics to consider: According to a Deloitte Center for Controllership poll. “During the past 12 months, 34.5% of polled executives report that their organizations’ accounting and financial data were targeted by cyber adversaries. Within that group, 22% experienced at least one such cyber event and 12.5% experienced more than one.” And “nearly half (48.8%) of C-suite and other executives expect the number and size of cyber events targeting their organizations’ accounting and financial data to increase in the year ahead. And yet just 20.3% of those polled say their organizations’ accounting and finance teams work closely and consistently with their peers in cybersecurity.”
AI and ML Will Impact the Cyber-Ecosystem in a Big Way in 2023 and Beyond
International Data Corporation (IDC) says AI in the cybersecurity market is growing at a CAGR of 23.6% and will reach a market value of $46.3 billion in 2027.
AI and ML can be valuable tools to help us navigate the cybersecurity landscape. Specifically, it can (and is being) used to help protect against increasingly sophisticated and malicious malware, ransomware, and social engineering attacks. AI’s capabilities in contextual reasoning can be used for synthesizing data and predicting threats.
They enable predictive analytics to draw statistical inferences to mitigate threats with fewer resources. In a cybersecurity context, AI and ML can provide a faster means to identify new attacks, draw statistical inferences and push that information to endpoint security platforms.
While AI and ML can be important tools for cyber-defense, they can also be a two-edged sword. While it can be used to rapidly identify threat anomalies and enhance cyber defense capabilities, it can also be used by threat actors. Adversarial Nations and criminal hackers are already using AI and MI as tools to find and exploit vulnerabilities in threat detection models.
Cybercriminals are already using AI and machine learning tools to attack and explore victims’ networks. Small businesses, organizations, and especially healthcare institutions that cannot afford significant investments in defensive emerging cybersecurity tech such as AI are the most vulnerable. Extortion by hackers using ransomware and demanding payment by cryptocurrencies may become and more persistent and evolving threat. The growth of the Internet of Things will create many new targets for the bad guys to exploit. There is an urgency for both industry and government to understand the implications of the emerging morphing cyber threat tools that include AI and ML and fortify against attacks.
Cyber-Crime and the Cyber Statistics to Explore so Far in 2023
Cybercrime is growing exponentially. According to Cybersecurity Ventures, the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025. There are many factors for such growth, and some of them will be explored in more detail below.
Open Source Vulnerabilities
It starts with open-source code. Unfortunately, according to Synopsys researchers, at least one open-source vulnerability was found in 84% of code bases. One way that hackers take advantage of code vulnerabilities and open-source flaws is via zero-day exploits.
Recently a ransomware gang used a new zero-day flaw to steal data on 1 million hospital patients. “Community Health Systems (CHS), one of the largest healthcare providers in the United States with close to 80 hospitals in 16 states, confirmed this week that criminal hackers accessed the personal and protected health information of up to 1 million patients. The Tennessee-based healthcare giant said in a filing with government regulators that the data breach stems from its use of a popular file-transfer software called GoAnywhere MFT.” Clop claims it mass-hacked 130 organizations, including a US hospital network.”
***Adaptive Advice: When you see that updates are available for anything from apps to search engines, update them immediately. These updates are also known as patches. Basically, patches are like bandaids to help heal flaws that developers found in their code. Knowing this, hackers target systems that are outdated. If you don’t address updates as soon as they are available, your system will become a target.
Phishing is a Favorite
The Forbes article went on to say, “Phishing is still the tool of choice for many hackers. Phishing is commonly defined as a technique of hackers to exfiltrate your valuable data, or to spread malware. Anyone can be fooled by a targeted phish, especially when it appears to be coming as a personal email from someone higher up the work chain, or from a bank, organization, or a website you may frequent.
Advances in technology have made it easier for hackers to phish. They can use readily available digital graphics, apply social engineering data, and a vast array of phishing tools, including some automated by machine learning. Phishing is often accompanied by ransomware. A tactic for hackers is to target leadership at companies or organizations (spear-phishing) because they usually have better access to valuable data and make ready targets because of a lack of training.
According to the firm Lookout, the highest rate of mobile phishing in history was observed in 2022, with half of the mobile phone owners worldwide exposed to a phishing attack every quarter. The Lookout report was based on Lookout’s data analytics from over 210 million devices, 175 million apps, and four million URLs daily.
The report noted that “non-email-based phishing attacks are also proliferating, with vishing (voice phishing), smishing (SMS phishing), and quishing (QR code phishing) increasing sevenfold in the second quarter of 2022. And that “the damage can be colossal for businesses that fall victim to mobile phishing attacks: Lookout calculated that the potential annual financial impact of mobile phishing to an organization of 5000 employees is nearly $4m.
The report also noted that “Cybercriminals mostly abused Microsoft’s brand name in phishing attacks, with more than 30 million messages using its branding or mentioning products like Office or OneDrive. However, other companies were also frequently impersonated by cybercriminals, including Amazon (mentioned in 6.5 million attacks); DocuSign (3.5 million); Google (2.6 million); DHL (2 million); and Adobe (1.5 million).”
I Swear it’s Ransomware
The current state of cyber-affairs is an especially alarming one because ransomware attacks are growing not only in numbers but also in the financial and reputational costs to businesses and organizations.
Currently, ransomware, mostly via phishing activities, is the top threat to both the public and private sectors. Ransomware allows hackers to hold computers and even entire networks hostage for electronic cash payments.
“In 2022, 76% of organizations were targeted by a ransomware attack, out of which 64% were actually infected. Only 50% of these organizations managed to retrieve their data after paying the ransom. Additionally, a little over 66% of respondents reported having had multiple, isolated infections.”
Since most of us are now doing our work and personal errands on smartphones, this is alarming data. But there are remedies. Training employees to identify potential phishing emails is the first step in prevention, but many of the obvious clues, such as misspelled words and poor grammar, are no longer present. Fraudsters have grown more sophisticated, and employees need to keep up with the new paradigm.
Human errors are inevitable, however, and some employees will make mistakes and accidentally fall victim to phishing. The backup system at that point should include automated systems that can silo employee access and reduce damage if a worker’s account is compromised. The best way is to establish and monitor administrative privileges for your company. You can limit employee access or require two [authentication] steps before they go there. A lot of companies will also outlaw certain sites that workers can’t go visit, so it makes it more difficult to get phished.
My additional advice to protect against phishing and ransomware is to make sure you backup your valuable data (consider encrypting it too), preferably on another device segmented from the targeted PC or phone. If you are a small business or an individual, it is not a bad idea to invest in anti-phishing software. It adds another barrier. I also recommend monitoring your social accounts and credit accounts to see if there are any anomalies on a regular basis.
Business E-mail Compromise
A research company Trellix determined 78% of business email compromises (BEC) involved fake CEO emails using common CEO phrases, resulting in a 64% increase from Q3 to Q4 2022. Tactics included asking employees to confirm their direct phone number to execute a voice-phishing – or vishing – scheme. 82% were sent using free email services, meaning threat actors need no special infrastructure to execute their campaigns.
Business Email Compromise (BEC) attacks are no longer limited to traditional email accounts. Attackers are finding new ways to conduct their schemes — and organizations need to be prepared to defend themselves.
Attackers are leveraging a new scheme called Business Communication Compromise to leverage collaboration tools beyond email that include chat and mobile messaging — including popular cloud-based applications such as Slack, WhatsApp, LinkedIn, Facebook, Twitter, and many more — to carry out attacks.
Business emails have been a top target of hackers. Accordingly, organizations need to create a corporate risk management strategy and vulnerability framework that identifies digital assets and data to be protected, including sensitive emails. A risk management strategy should be holistic and include people, processes, and technologies.
This includes protecting and backing up email data, and the business enterprise systems such as financial systems, email exchange servers, HR, and procurement systems with new security tools (encryption, threat intel, and detection, Identity Access Management, firewalls, etc.) and policies. That risk management approach must also include knowing your inventory and gaps, integrating cybersecurity hygiene practices, procuring, and orchestrating an appropriate cyber-tool stack.
Fraud is Trending Digital, Especially Identity Theft
Fraud has always been a societal problem, but it is being compounded by the expansion of criminals in the digital realm. The cost is going higher as more people do their banking and buying online.
Federal Trade Commission (FTC) data shows that consumers reported losing nearly $8.8 billion to fraud in 2022, an increase of more than 30 percent over the previous year. Much of this fraud came from fake investing scams and imposter scams. Perhaps most alarming in this report was that there were over 1.1 million reports of identity theft received through the FTC’s IdentityTheft.gov website.
The reason for the increased rate of identity fraud is clear. As we become more and more connected, the more visible and vulnerable we become to those who want to hack our accounts and steal our identities. The surface threat landscape has expanded exponentially with smartphones, wearables, and the Internet of Things. Moreover, those mobile devices, social media applications, laptops & notebooks are not easy to secure.
There are no complete remedies to identity theft, but there are actions that can enable people and companies to help deter the threats. Below is a quick list of what you can do to help protect your accounts, privacy, and reputation:
1) Use strong passwords. Hackers are quite adept at guessing passwords especially when they have insights into where you lived in the past (street names), birthdays, and favorite phrases. Changing your password regularly can also complicate their tasks.
2) Maintain a separate computer to do your financial transactions and use it for nothing else.
3) Consider using encryption software for valuable data that needs to be secured. Also, set up Virtual Private Networks for an added layer of security when using mobile smartphones.
4) Very important: Monitor your credit scores, your bank statements, and your social accounts on a regular basis. Life Lock and other reputable monitoring organizations provide account alerts that are very helpful in that awareness quest. The quicker you detect fraud, the easier it is to handle the issues associated with identity theft.
5) If you get breached, if it is especially serious, contact enforcement authorities as it might be part of a larger criminal enterprise that they should know about. In any severe breach, consider looking for legal assistance on liability issues with creditors. Also, consider hiring outside reputation management if necessary.
Other Cybersecurity Trends for 2023
- Lagging corporate governance: Although there has been significant improvement in the priority organizations place on cybersecurity in recent years, many firms still have not placed cybersecurity specialists in leadership positions, excluding CISOs and CSOs from the C-suite and boards of directors, and keep cybersecurity separate from organizational objectives.
- Lack of investment, preparedness, and resilience: Both public and private sectors are still insufficiently prepared for a cybersecurity disaster due to incomplete and imperfect data, lack of crisis preparedness, disaster recovery, and business continuity planning, failure to conduct crisis exercises and planning, vendor risk concentration and insufficient third-party assurance capabilities, the escalating cost of cyber insurance, and chronic poor cyber hygiene and security awareness among the general public.
- Vulnerable infrastructure: Critical infrastructure remains vulnerable as organizations “rely heavily on state and local agencies and third- and fourth-party vendors who may lack necessary cybersecurity controls,” particularly in the finance, utilities, and government services sectors, which often run on unpatched and outdated code and legacy systems.
- Talent scarcity: The ongoing shortage of qualified security personnel continues to expose organizations to cyber risks, made even more glaring by insufficient automation of tasks needed to execute good cybersecurity.
There are many other trends and statistics to explore as the year unfolds. It is certainly a treacherous cyber ecosystem, and it is expanding with risk and threats. Being cyber-aware is part of the process of risk management and security and hopefully looking at the cyber-threat landscape will implore both industry and government to prioritize cybersecurity from the top down and bottom up!”
Cybercrime in Canada Spikes
IBM offers some additional protection tips in this article about Canadian Cyber trends, “Cybercriminals are targeting industries with little to no tolerance for downtime, such as utilities, manufacturing, and banking, to force victims to pay. This was the top impact observed globally in 2022 – more than one-quarter of all attacks involved extortion. The latest extortion scheme turns customers and business partners into pawns.
In Canada, credential harvesting took the pole position with 67% of incidents that X-Force remediated (compared to 11% globally). A third of them (33%) resulted in botnet (malware) infections of networks. Overall, X-Force saw threat actors use spearphishing links and exploitation of public-facing applications in equal proportion to gain initial access. Botnets, ransomware, and deployment of recon/scanning tools were the three top actions on objectives observed in incidents in Canada.
IBM Security recommendations
- Stop blaming the user. Attackers rely on the fact people are innately curious and inclined to click on links. The report shows that it’s a strategy that works – with 41% of incidents starting from a phishing email. The default industry setting is to blame the user – that needs to change. The focus should be on rolling out the right technology to protect users from falling victim.
- Accelerate your response. It’s no longer a question of whether an adversary will get in – it’s a question of when. Successfully responding to a breach is all about speed and limiting the window of access and damage to your environment. How your team responds in the critical moment can make all the difference in the amount of time and money lost in a response.
- Employ endpoint or extended detection & response technologies. The rise in backdoor cases points to some success in catching infections earlier. Endpoint and extended detection and response technologies provide the means to identify and mitigate threats before adversaries take more dangerous actions.
- Shift your mindset. You have to think like an attacker and understand how they operate. Adversary simulations and threat hunting can help businesses outsmart cybercriminals.
- Know your attack surface. One-third of attackable assets on an organization’s networks are unmanaged or unknown, offering easy targets for attackers and risking unintended data exposure. You need to think like an attacker, discover where you’re exposed, and the ways an attacker could get in with the least detection.
- Challenge assumptions. Today, you have to assume compromise. Perform regular offensive testing including threat hunting, penetration testing, and objective-based red teaming to detect or validate opportunistic attack paths into your environment.
- Build an adaptable, threat-driven security strategy. There is no single, out-of-the-box solution to protecting businesses today. Attackers are constantly innovating and evolving techniques to evade detection – cyber strategies should be just as flexible. Buy the tools, build the plan, but then test it, learn from what you find, and regularly adapt to consider the rapidly evolving threat landscape.
Staying Ahead of the Curve
With data breaches costing Canadian companies CA$7.05 million per incident on average (an all-time high), the financial stakes are greater than ever, not to mention the erosion of trust that comes with the theft of private data. Governments and businesses must stay ahead of the curve if they are going to thwart cybercriminals who are more incentivized than ever to exploit vulnerabilities.”
The Future of Cybersecurity – The tech of tomorrow will pose even bigger cybersecurity threats
In excerpts from a predictive article by ZDNet, they wrote, “While the internet has undoubtedly brought new benefits, it’s also brought new problems as cybercriminals look to exploit our seemingly ever-growing reliance on connectivity.
Phishing emails, malware, and ransomware attacks, or getting your bank details, passwords, and other personal information stolen – the internet has provided malicious hackers with a variety of new ways to make money and cause disruption. Just look, for example, at how critical infrastructure, schools, and hospitals have been affected by cyberattacks.
We’re yet to fully secure networks against today’s internet threats, yet technology is moving on already, bringing new threats that we must somehow prepare for.
Quantum: crypto cracking and mining
One of the most significant technological breakthroughs heading our way is quantum computing, which promises to be able to quickly solve complex problems that have defeated classical computers.
While this advance will bring benefits to scientific research and society, it will also create new challenges. Most notably, the power of quantum computing could make quick work of cracking the encryption algorithms we’ve used for decades to secure a range of areas, including online banking, secure communications, and digital signatures.
Currently, quantum computing is expensive, and the expertise required to develop it is restricted to large technology companies, research institutions, and governments. But like any innovative technology, it will eventually become more commercially available and easier to access – and cybercriminals will be looking to take advantage of quantum.
“There are some things over the horizon that you can see coming; notably quantum computing being able to crack current encryption algorithms,” says Martin Lee, technical lead of security research at Cisco Talos.
“What was an entirely appropriate encryption key length 20 years ago is no longer appropriate”.
But, while disruptive cyberattacks powered by quantum computing are a key cybersecurity threat of the future, quantum computers could themselves be a lucrative target of hackers.
Let’s think of a specific example of crypto-mining malware. This is a form of malware that attackers install on computers and servers to secretly use the power of someone else’s network to mine for cryptocurrency and pocket the profits – all without needing to pay for the resources or the power being consumed.
Cryptocurrencies, such as Bitcoin, are generated by computers by solving complex mathematical problems – the sort of mathematical problems that could be relatively trivial for a network of quantum computers to solve. That means that if cyber criminals were able to plant crypto-mining malware on quantum computers, they could get very rich very quickly – at almost no cost to themselves.
Exploiting AI and ML
But quantum computing isn’t the only emerging technology that cybercriminals will look to take advantage of: we can expect them to exploit developments in artificial intelligence (AI) and machine learning (ML), too.
Like quantum computing, AI and ML look set to power innovations in a range of areas, including robotics and driverless cars, speech and language recognition, healthcare, and more.
AI that can adapt and learn can be used for good, but ultimately, once it becomes more widely available, it’s only a matter of time before cybercriminals are using it to help make cyberattacks more effective.
“We will start seeing malware campaigns, ransomware operations, and phishing campaigns being run totally automated by machine-learning frameworks. It hasn’t been done yet, but it wouldn’t be very hard at all to do,” says Mikko Hyppönen, chief research officer at WithSecure.
One means of exploiting this technology would be programming a text-based generation algorithm to send out, and reply to, common spam emails or business email compromise (BEC) campaigns.
Rather than needing a human to take time out to write and reply to messages, criminals could rely on an algorithm that can also analyze which responses are most likely to be real victims that are worth replying to, rather than people who remain unconvinced, or those who send prank replies back to the spammer. That reality means in the future you could end up being scammed – by a bot.
There’s also the potential that cyber criminals could use advancements in ML to develop self-programming smart malware which, rather than needing a developer to support it, could update itself by automatically reacting to the cyber defenses it meets to have the greatest chance of being effective.
“You could imagine when self-programming programs become more capable than right now where they can finish functions created by humans – that sounds great until you give it ransomware,” says Hyppönen.
“It could change the code, make it more complex to understand, and make it so it’s different every time, and it could try to create undetectable versions. All of that is technically doable, we simply haven’t seen it yet – and I think we will,” he warns.
But AI being abused to power cyber threats isn’t just a future problem for the internet – it’s already happening now, with deep learning being used to power deepfakes, which are videos that look like they’re real people or events but are actually fake.
They’ve been used in political misinformation campaigns, pranks to fool politicians, and they’re already being used to enhance BEC and other fraud attacks, with cyber criminals using deepfake audio to convince employees to authorize significant financial transfers to accounts owned by the attackers.
“We’re entering this brave new world around deepfake video that will be used to commit crimes. Not just manipulation, but also in disinformation and misinformation,” says Theresa Payton, CEO of Fortalice Solutions and former CIO at the White House.
Take the example of CEOs who are in the public-facing realm. They appear on television, they give speeches, are there are videos of them online, so it’s relatively simple to find recordings of what they sound like – and it’s already possible for scammers to run those resources through deepfake technology to mimic their voice.
After all, if an employee gets a call from the head of the company telling them to do something, they’re likely to do it – and the cybercriminals behind these attacks know this fact.
“I already know of three cases where deepfake audio was used to successfully convince somebody to transfer money to a place they shouldn’t have transferred it. That is stunning to me, that as a sample size of one, I already know of three cases,” says Payton.
And as the technology behind deepfakes continues to improve, it means it will only get harder to tell what’s real from what’s fake.
“I grow increasingly concerned about our lack of ability to really shut down manipulation campaigns,” says Payton.
Internet of Compromised Things
Deepfakes aren’t the only area where cyber threats could impact our everyday lives if the future of the internet isn’t secured properly. Increasingly, smart Internet of Things (IoT) devices are becoming a bigger part of our daily existence, with a variety of sensors, appliances, wearable devices, and other connected products appearing in homes, offices, factories, and more.
While there are certain advantages to connecting IoT devices to our home and workplace networks, this increased level of networking is also creating a larger attack surface for cybercriminals to exploit.
“When you add functionality and connectivity into everyday devices, they become hackable. Devices that were unhackable become hackable. It might be very hard. Nevertheless, it is always doable. There is no secure computer. There is no unhackable device,” explains Hyppönen.
“This is the thing that’s happening now during our time, and there’s no stopping it. It doesn’t matter what we think about it, it’s going to happen anyway, and it’s going to be increasingly invisible.”
Think about your home appliances: it’s increasingly likely they’re ‘smart’ and connected to the internet. Anything from your television to your toothbrush could now be internet-connected.
But for appliance manufacturers, building internet-connected devices is a relatively new phenomenon, and many won’t have needed to think about cybersecurity threats before. Some vendors might not even think about it in the design process at all, leaving the products vulnerable to hackers.
While hackers coming after your coffee machine or your fish tank might not sound like a concern, it’s a point on the network that can be accessed and used as a gateway to attack more important devices and sensitive data.
While IoT security should (hopefully) improve as it becomes more widespread, there’s also another problem to consider. There are already millions and millions of IoT devices out there that lack security – and these might not even be supported with security updates.
Think about how many smartphones can’t receive security updates after just a few years. Then scale that reality up to the fast-growing IoT – what’s going to happen if devices that aren’t regularly replaced, such as a refrigerator or car, can continue to be used for decades?
“There’s no software vendor on the planet that would support software written 20 years ago. It’s just not happening,” says Hyppönen, who suggests that when manufacturers no longer support updates for their devices, they should open-source it to allow others to do so.
“You would get the security patches for your old, outdated legacy things by paying for the service just like you pay for any other service.”
Connected devices are already becoming ubiquitous throughout society, with no sign of this trend slowing down – whole smart cities will become the norm. But if cybersecurity and compliance aren’t key forces driving this trend, it could lead to negative consequences for everyone.
“If you don’t resolve these issues, you’re going to have attacks happen at a scale and speed you’ve never seen before – bad things will be faster. That is incredibly concerning,” says Payton, who believes it’s only a matter of time before a ransomware attack holds a smart city hostage.
“They will be a target – and we will experience some level of sustained disruption,” she adds.
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.
Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.
To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at firstname.lastname@example.org