It is a bit risky writing about the year's trends and predictions this time around. Certainly, the Covid pandemic has dominated our lives during the past year and thrown many of our predictions out the window. But re-reading my RSA blog post from a year ago, two themes remain very much at the forefront.
- Better authentication. In the past year, we saw Apple wholeheartedly embrace FIDO, along with new implementations that extend its features to web-based authentication. Both will go a long way towards broader adoption of this standard. Support for multi-factor authentication continues to improve too, although it is still far from universal: only 10% of enterprise users use any form of multi-factor authentication for any of their application logins. Given the popularity of smartphones, installing an authentication app on your phone is the easiest form of protection you can get. But wait, there is more bad news: fewer than 20% of companies in most industries are protected with email authentication tools such as DMARC and SPF. Sadly, most state and local government domains remain unprotected by these technologies.
- Ransomware continues to rise. Various reports (such as this one) show a rise in the number and severity of these attacks, with new exploits and variants seen every week. Some ransomware is designed specifically to target machine learning data, so that models report bad results and automated security solutions are poisoned.
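A check a domain owner can run against their own records, added here as an example and not part of the RSA post: it parses the SPF and DMARC TXT records for a domain (constructed sample records below, with placeholder .example names rather than live DNS) and reports whether the domain is actually enforcing, since a DMARC record with p=none only monitors and does not protect.

```python
import re

# Constructed sample TXT records keyed by DNS name (the .example domains are
# placeholders, not real). A live check would fetch these over DNS instead.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 a mx ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "strong.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example"],
    "bare.example": [],
}

def parse_spf(records):
    """Return the qualifier on the SPF 'all' mechanism ('+', '-', '~', '?'), or None if no SPF."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # an unqualified 'all' means pass
    return "?"  # no 'all' mechanism: unlisted senders get a neutral result

def parse_dmarc(records):
    """Return DMARC tags as a lowercase-keyed dict, or None if no DMARC record."""
    rec = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not rec:
        return None
    pairs = (part.split("=", 1) for part in rec[0].split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess(domain, txt=SAMPLE_TXT):
    """Return (status, findings); status is 'protected', 'partial' or 'unprotected'."""
    findings = []
    spf = parse_spf(txt.get(domain, []))
    dmarc = parse_dmarc(txt.get("_dmarc." + domain, []))
    if spf is None:
        findings.append("no SPF record")
    elif spf in ("+", "?"):
        findings.append("SPF lets unlisted senders pass (qualifier %s)" % spf)
    enforced = False
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy, pct = dmarc.get("p", "none"), int(dmarc.get("pct", "100"))
        enforced = policy in ("quarantine", "reject") and pct == 100
        if not enforced:
            findings.append("DMARC not enforced (p=%s, pct=%d)" % (policy, pct))
    if spf is None and dmarc is None:
        return "unprotected", findings
    return ("protected" if enforced else "partial"), findings
```

To use it against a real domain, replace the sample dictionary lookups with TXT queries for the domain and its `_dmarc.` subdomain; the assessment logic stays the same.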
But let's look forward, not backward, and certainly we should discuss where we go with Covid. Now that everyone is working from home, endpoints are being shared across families, making them more vulnerable to exploits. Google has seen 1M daily phishing attempts across its email infrastructure. And there are tons of phishing lures with Covid-related subject lines, or messages that offer free testing or deals on travel. The virus also demonstrated why business continuity and better risk management decision-making are essential. Security awareness training now starts with the home, and if you are sharing your networks with your family, they need to be trained as well.
RSA's Anti-fraud group has also found an increase in QR code fraud. These codes became more popular this year to promote contactless retail shopping or dining experiences. The bad guys quickly picked up on this trend. They trick users into downloading malicious programs, or use QR codes for a new type of phishing attack that brings users to a malicious copycat website. The above link has a bunch of handy suggestions for discerning whether a QR code will bring you to a potentially malware-infested site, and other tips on how to be more aware of malicious codes.
What does the future hold? We should expect more high-profile victims in 2021. In 2020, Twitter, Zoom, Marriott and Nintendo were the top victims of various social engineering and credential stuffing attacks. None of these were technically sophisticated: the Marriott attack, for example, succeeded because it compromised just two employees' accounts. Better authentication and more security awareness training could have prevented this.
A second issue is that of deep fake videos. What began as innocent and simple photo editing software has evolved into an entire industry designed to pollute the online ecosystem of video information. The past couple of years have seen advances in more sophisticated image alteration and in the use of AI tools to create these deep fakes. I also expect improvements that will make fakes harder for recipients to discern, and fakes that will spread quickly across social networks.