- Trump taps Sriram Krishnan for AI advisor role amid strategic shift in tech policy
- Interpol Identifies Over 140 Human Traffickers in New Initiative
- 5 network automation startups to watch
- 4 Security Controls Keeping Up with the Evolution of IT Environments
- ICO Warns of Festive Mobile Phone Privacy Snafu
Security Trends for 2024 and Beyond – IT Governance UK Blog
Expert insight from our head of security testing
As we get deeper into 2024, we felt it was time to sit down with our head of security testing, James Pickard, to talk about what trends in cyber security he’s seeing.
He pointed to the rise of AI, and how this is changing cyber security, particularly in terms of social engineering attacks. We also covered other areas, including ransomware trends and how organisations can protect themselves.
About James Pickard
James is an expert penetration tester – and our head of security testing – with more than a decade in the field.
He’s led and executed penetration tests across diverse industries on a global scale. He specialises in two key areas: infrastructure testing and authorisation bypass techniques.
James excels in leadership and technical expertise. He’s managed the penetration testing team since 2018, directing them through tasks, improving testing procedures and cultivating collaborative relationships with clients.
In this interview
Security trends
What security trends have you been seeing or are you anticipating?
There are a few. For one, ransomware will continue to be an issue for organisations, given the financial benefits to threat actors. We’re already seeing signs that ransomware attacks are rising.
AI and machine learning are also playing bigger roles in cyber attacks – unsurprising, of course, given the recent boom in AI, with no signs of slowing down.
One specific way threat actors are using AI is to create sophisticated social engineering attacks. These try to trick users into performing an action to the attacker’s benefit. These can be phishing emails, texts or videos, and with the help of AI, the fakes are becoming harder to distinguish from the real things.
We’re also seeing more and more data leaks, which are becoming increasingly bigger.
There are other trends, but these are some of the bigger ones to keep an eye on.
[You can learn more about how to spot a phishing email in this blog.]
Ransomware
Let’s delve into those one at a time.
On your point about ransomware, you don’t surprise me – anecdotally from the news, there seems to be an increase in ransomware attacks. Plus, Verizon’s 2024 Data Breach Investigations Report found a significant jump in ransomware attacks compared to the 2023 report.
In fact, Verizon didn’t limit itself to ransomware attacks, but broadened this to extortion attacks generally. These days, threat actors don’t limit themselves to what you might think of as ‘traditional’ ransomware, only encrypting your data, but now concentrate on data exfiltration, too.
[Cyber incident responder Vanessa Horton went into more detail on this and other ransomware trends in this interview.]
Does this mean that most cyber attacks ‘may as well’ attempt to extort the victim, as it gives the threat actor a chance to make more money for little additional effort?
In short, no. ‘Cyber crime’ is a broad term – it means any criminal activities carried out by means of computers or the Internet. So, it covers many areas, including:
- Malware
- Identity theft
- Fraud and scams
- Social engineering
If you extort the victim, you’re automatically letting them know they’ve suffered a breach. That may make you additional cash, and is more likely to make the headlines, so people are more aware of these types of attacks.
However, the trick with most crime – cyber crime included – is to remain undetected. If not forever, then for as long as possible. And following detection, the criminal wants to avoid identification and prosecution.
As such, most people and organisations wouldn’t become aware of the incident until it’s too late. The damage has been done, and the threat actor has had a chance to cover their tracks.
AI and social engineering
Earlier, you mentioned AI as playing a bigger role in cyber attacks. How will this new technology affect the cyber security landscape more broadly?
As AI becomes more widely deployed and continues to improve, sophisticated attacks will become more commonplace.
However, AI will also play an integral part in helping to defend against such attacks. AI – and machine learning – are already being used in cyber security, particularly for threat detection.
How might cyber attackers use AI going forward?
Threat actors could use this technology to create unique and complex social engineering attacks – far more easily than before. And much more convincingly, too, through deepfakes and voice cloning.
This may enable less skilled threat actors to deploy more complex attacks, which have better odds of tricking their target.
Does it take skill to deploy deepfakes in this way?
It’s more a case of investing the time than skill.
Fake voices generally require a two-minute recording to start the imitation, but they take a lot longer to perfect. You’ll be able to spot inconsistencies in use of language, pronunciation, talking speed, and so on, unless the attacker puts in more effort.
But the more someone’s content is available online, the easier it’ll be to fake their voice. So, higher-profile people are more likely to be faked.
With that, it’s important people verify their sources, and don’t take things at face value. Big warning signs are if the call, message, etc.:
- Is unexpected;
- Asks you for money; and
- Conveys a sense of urgency.
Growing data leaks
As the ‘barrier to entry’ to crafting sophisticated attacks lowers, will this increase the number of attacks?
The number of cyber attacks is increasing, but not just because it’s easier to create social engineering attacks:
-
AI is generally making it quicker and easier to deliver attacks.
-
Common problems that have been going on for years, like not patching systems, haven’t been addressed as much as they should be, despite schemes like Cyber Essentials raising awareness.
And as organisations collect increasingly larger amounts of data, and the number of servers rises with it, this doesn’t just incentivise threat actors to attack more frequently – it also means that, when successful, they end up with a much bigger ‘prize’. In the past six months, there have been numerous billion-plus-record data breaches.
Why are basic vulnerabilities like unpatched systems such a problem?
Most attacks start as untargeted, which means that organisations with largely unskilled staff and large, public-facing attack surfaces [holding a lot of data] will more likely be breached.
Attackers simply need to exploit one weakness – enough to get a foothold into the organisation. From there, they attempt to escalate their privileges, gaining access to more sensitive data and systems.
As a penetration tester, we do this sort of thing all the time as a proof of concept. If we can get into the client’s systems [without causing damage!], so could a malicious actor.
How to protect your organisation
Are any businesses or government bodies safe from cyber attacks?
I don’t believe any organisation, public or private, is immune to cyber attacks or data breaches.
Regardless of size, virtually every organisation stores PII [personally identifiable information] related to employees and/or customers.
The risk levels vary – ranging from a small business managing paper records with names and addresses, to an international law firm handling extensive customer details, including names, dates of birth, addresses, email addresses, and copies of government-issued identification – but the risk is always there.
What are the first steps for an organisation to protect itself?
Organisations should start with a risk assessment, so they can identify and prioritise their risks, and address them accordingly.
As you evaluate the level of a risk, take factors into account like:
- Is the service publicly accessible?
- What data is being requested and sent?
- From where are the connections being made?
Take, for example, the Terrapin attack, which exploits vulnerabilities in the SSH [Secure Shell] transport protocol.
To exploit them, the attacker would need to be in an MITM [man-in-the-middle] scenario to compromise the connection. That means the attack complexity is high – it can’t just be exploited from an external connection, lowering the risk.
Nonetheless, organisations should protect themselves by patching both the client and the server.
Do you have any final words of advice?
Cyber security is a constant battle of shoring up your defences, with no real winners or losers. It’s basically a cat-and-mouse game.
That said, more proactive organisations that take a cyber-defence-in-depth approach will likely be seen as the winners here. This type of solid and multi-faceted strategy significantly reduces the likelihood of successful attacks.
Are you vulnerable to cyber attacks?
Find out with our CREST-accredited penetration testing services, conducted by an expert ethical hacker like James.
Our fixed-price testing packages are suitable for any organisation that wants to identify vulnerabilities targeted by cyber attackers, and close them before a threat actor can exploit them.
We present our findings in a report that’s ideal for small and medium-sized organisations with no prior security testing experience.
We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.
In the meantime, why not check out our interview with cyber incident responder Vanessa Horton on worrying ransomware trends, and what you can do about them?
If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter. Alternatively, explore our full index of interviews here.