3 Emerging Digital Dangers

Companies will need to guard against even more digital threats in the not-too-distant future. Here are three of those emerging digital dangers.

When it comes to securing IT assets, businesses have a lot to worry about. Ransomware, business email scams, and phishing attacks are only a few of the many digital dangers they need to keep at bay.

Unfortunately, companies will need to guard against even more threats in the not-too-distant future. Research by BlackBerry Cylance and other firms has identified three emerging digital dangers that will likely become more prevalent in 2020 and beyond:

 

  1. Misconfigured Cloud Resources

With so many external threats to defend against, it is easy for businesses to overlook internal ones. One frequently overlooked danger is misconfigured cloud resources (e.g., apps, services). Misconfigured resources can create security gaps, which might be exploited by cybercriminals. For example, researchers at BlackBerry Cylance found that improper configurations led to at least three data leaks every month in 2019. As a result, more than 7 billion records were exposed to the public.

Having misconfigured cloud resources is a common problem. For instance, researchers at McAfee discovered that companies using Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) public clouds have an average of 14 misconfigured services running at any given time.

There are several reasons why misconfigurations occur. Chief among them is the assumption that cloud service providers are responsible for securing public clouds and everything that customers put in them. In reality, most providers of public cloud services follow what is known as the shared responsibility model. In this model, both the cloud service provider and the customer using its services are responsible for securing various elements in public clouds — and since misconfigured resources can lead to cyberattacks, making sure resources are properly configured is an important part of that responsibility. The elements that each party must secure depend largely on the type of cloud services being provided, as Table 1 shows.

Some businesses understand their security responsibilities but struggle to carry them out. For example, they might not have the expertise or the time needed to secure the resources for which they are responsible. If your organization is in that predicament, we can assist with creating and deploying a cloud security strategy.

 

  1. Deepfake Scams

Deepfakes — counterfeit video or audio clips of people that appear to be real — are on the rise, according to research by BlackBerry Cylance and Deeptrace. They are called deepfakes because these fake clips are typically created with a deep learning system, which is a form of artificial intelligence (AI).

In 2019, most of the deepfakes were either pornographic or designed to propagate political disinformation. There was one notable exception, though. AI-based software was used to mimic a German executive’s voice over the phone. The impersonation was so accurate that the person who received the call had no reason to suspect it was a deepfake recording, so he transferred $243,000 [USD] to a bank account as instructed.

Now that cybercriminals know that a lot of money can be made from deepfake phone scams, businesses can expect more of them. Deepfake video calls could potentially be used to scam companies as well. Forrester is predicting that the costs associated with these types of deepfake scams will exceed $250 million by the end of 2020.

 

  1. Vulnerable Vehicles

The modern vehicles used by businesses and consumers alike often include many advanced technologies such as geolocation devices, cameras, network communication systems, and remote sensing technology. And many of these technologies are collecting large amounts of data. As a result, modern vehicles have advanced to the point where they closely resemble edge computing devices, according to BlackBerry Cylance researchers.

However, many automobile manufacturers and their suppliers are struggling to secure those technologies, according to a 2019 study on cybersecurity practices in the automotive industry. Nearly 600 professionals responsible for contributing to or assessing the security of automotive components participated in the study. A majority of them (84%) are concerned that their employers’ cybersecurity practices are not keeping pace with the evolving security landscape. Equally troubling is that 63% admitted that their employers test less than half of the hardware, software, and other technologies for security vulnerabilities.

Not having security vulnerabilities discovered and patched is likely leaving vehicles vulnerable to cyberattacks Compounding the problem is that vehicles are on the road longer these days. In the United States, for example, the average age of cars and trucks hit a record high of 11.8 years in 2019. This gives cybercriminals ample time to figure out ways to compromise a vehicle, especially if it has not received the necessary software or firmware updates. “If steps to improve vehicle security are not taken soon, automobiles may well become the target of choice for attackers seeking easy victims,” according to the BlackBerry Cylance researchers.


Table 1: Shared Responsibility Model in Public Clouds

 

Type of Cloud Service Company’s Responsibilities Provider’s Responsibilities
Infrastructure-as-a-Service (IaaS) Responsible for securing just about everything it puts in the cloud, including business apps, other types of software being used (e.g., operating system software, middleware), and the data being stored. Also responsible for securing network traffic and controlling employees’ access to the business apps and other software in the cloud. Responsible for protecting the underlying cloud infrastructure (i.e., the servers, hypervisor, networking equipment, and other components used to provide the cloud service)
Platform-as-a-Service (PaaS) Responsible for securing the business apps it is running in the cloud, employees’ access to those apps, and the data being stored. Responsible for protecting the underlying cloud infrastructure and many elements in the company’s cloud, except for the customer’s data, business apps, and employee access controls.
Software-as-a-Service (SaaS) Responsible for controlling employees’ access to the SaaS app and backing up its cloud data to protect against data loss due to accidental deletions and security attacks.* Responsible for protecting just about everything, including the underlying cloud infrastructure and the SaaS app.
* Although SaaS providers must protect against data loss due to operational failures (e.g., natural disasters, equipment breakdowns), the vast majority of them explicitly state in their terms and conditions that it is the company’s responsibility to protect against data loss due to accidental deletions and security attacks, according to a Forrester report.

Danger flickr photo by spcbrass shared under a Creative Commons (BY-SA) license