When it comes to cybersecurity risks, a robust IT defense is essential. But technology tools and applications can only go so far because attackers today often focus on human targets. “Your people are your security perimeter because that’s what will be attacked,” said Andrew Rose, CISO, Proofpoint. “So, focus on people-centric controls, while also trying to simplify your control stack and environment.”
An expert on cybersecurity issues, Rose was a panelist at a recent BrightTalk webinar on “Top Security Predictions for 2023” with Diana Kelley, CISO, Cybrize; Richard Meeus, director of security technology, Akamai; and Vamshi Sripenrumbudur, global VP of marketing, Checkmarx. “Predictions are important because they remind you of the risks,” said Rose. “If something has fallen off your radar, this could be the time for a wakeup call.”
When looking at cybersecurity risks, you should look at how your attack surface is evolving as you move to the cloud or shift back to on-prem solutions, said Meeus. You should also identify the “crown jewels” in your network that would be most attractive to attackers. “Don’t look for one solution,” added Sripenrumbudur. “Instead, you should deploy layers of protection and be prepared for anything.”
Ransomware remains a top concern for organizations in healthcare, utilities and other sectors with many potential attack vectors. “Ransomware is still a profitable model,” said Rose. “What we’re seeing now is double dipping. After attackers receive the first payment, they ask for more money before giving you the key. And there’s no guarantee that the key will actually unlock your data.”
Meeus said organizations must have an up-to-date offline backup to restore the network after a ransomware attack. “If you don’t, you may not have any choice but to pay the ransom,” he said. “But sending the funds could violate U.S. regulations against funding criminal or terrorist groups.”
Today’s attackers use social engineering techniques like to gain credentials to penetrate the network. One example is a telephone-oriented attack where a caller engages and employee, builds trust and then encourages that person to go to a link. “Attackers know that humans who answer the phone want to help others, and they use this type of technique because it works,” said Kelley.
Another tactic is a “man in the middle” phishing attack designed to compromise a business email so malware can be inserted into the network. “An employee might get a text message to pay an invoice, followed by a voice call and even a video,” said Rose. “That can be a very compelling call to action, and the potential for ‘deepfake’ videos will exacerbate the human side.”
Criminals can also use a variation of denial of service (DOS) attacks, sending dozens of emails with a malware link to the same address. “That can overwhelm someone who thinks there’s a system error and finally clicks on the link to stop the onslaught,” Rose said.
Tools like multifactor authentication (MFA) can offer protection against criminals posing as employees, partners or customers, said the panelists. Organizations that have already implemented this solution can take it to the next level, by linking the ID to the device making a logon request, said Rose. That would raise a red flag if a “local” login is coming from another country, he added.
Sripenrumbudur also noted the importance of securing the coding to prevent malware from being loaded into the network with a new application. “Using open-source software accelerates your time to market, but can also pose a risk,” he said. “So, lean on your development team to ensure good hygiene from the beginning – and don’t accept code from strangers!”