The five top cyber security trends of 2023.

If themes such as Zero Trust were big in 2022, what are the cyber trends that should concern us a year later? ?Here, we examine some ongoing and recent trends that are preoccupying cyber security professionals in the year ahead.

Ransomware – a restless evolution

SME threat level: Very high

Outwardly, ransomware in 2023 looks much as it did a year or two ago; there’s a lot of it around and despite governments advising against paying ransoms, many victims are still handing over substantial sums to the criminals. However, look more closely and it’s clear that its evolution continues apace.

Today, we see changed thinking from both attackers and defenders. On the criminal side, two trends are discernible. The first is the established trend of multi-vector extortion in which attackers not only encrypt data but steal it and threaten to expose it.? This is backed up with threats to contact third parties affected by a breach and perhaps a nasty Distributed Denial-of-Service (DDoS) attack thrown in for good measure.

A second and more recent tactic is to focus exclusively on data theft for extortion. The obvious example of this is the recent zero-day compromise of Progress Software’s widely used MOVEit file transfer gateways. To work, this approach requires scale, which MOVEiT’s 1,700 enterprise customers offer. For the price of a single compromise, you can extort large numbers of victims, which turns the business model into a game of percentages. The Clop ransomware group claimed the attack, telling a website that it had moved on from encryption attacks.

On the defending side, the debate over whether to pay extortionists refuses to go away. ?In the U.S., the FBI has been against paying for some time and the Biden administration has recently dropped hints it might soon ban at least some ransom payments.

Business Email Compromise (BEC) – the threat everyone forgot

SME threat level: Very high

With all the headlines grabbed by ransomware attacks, the threat from BEC fraud tends to get overlooked and yet it is evolving just as rapidly. Part of the problem is that BEC attacks are by their nature less obvious. No ransomware note is ever sent and the first people to know anything untoward has happened are often the finance department rather than IT.

During 2022, the FBI’s IC3 complaint centre recorded an astonishing 21,832 BEC incidents which resulted in losses of more than $2.7 billion,? not only an all-time record but many times the figure for the equivalent U.S. ransomware losses. A big part of BEC’s continued success is that it is now deployed via powerful platforms which specialise in this type of attack. These allow attackers to automate a range of techniques for compromising credentials (BEC is still about breaking into email systems to impersonate legitimate users), defeating geographical blocks on non-local IP addresses using residential proxies, and executing sophisticated forms of social engineering.

API attacks – cyber criminals spot a new opportunity

SME threat level: High

Behind every great web lies an application programming interface (API). In truth, it’s probably dozens when you add up all the third-party APIs that are now in use, so much so that in 2019 content delivery giant Akamai estimated that 83% of all web-related traffic was to and from APIs. If you don’t use multiple APIs in 2023, you’re probably not in business.

APIs started life decades ago as a tool to make programming easier. Then e-commerce companies realized that putting data behind an API would allow them to share and sell vast amounts of data – the modern software and data economy was born. But all this API wizardry has come at the long-term cost of security. Ultimately, APIs are just a software gateway to something, for example, a database. That means they can suffer from many of the same software and authentication vulnerabilities as normal applications. Criminals have noticed this, which has resulted in a series of hacks and scraping attacks involving APIs. This has been aided by the fact that many organisations now use so many APIs (including old ones they’ve forgotten about), they have lost track of them. Security teams can’t keep up.? Belatedly, organisations have realised that this is a security weakness.

Multi-factor authentication – not a magic shield after all

SME threat level: Medium

Today, credentials are probably the biggest universal vulnerability. Attackers devote huge resources to stealing them, knowing that they offer a way to impersonate legitimate users in order to bypass layers of network security. The answer to this problem is multi-factor authentication (MFA), which requires the users to enter an extra credential (a code or present a token) to gain access to an account. Without a doubt, MFA works; numerous surveys show that accounts without MFA turned on are far more likely to be breached.

The caveat is that some types are more secure than others, for example, FIDO2 tokens are extremely secure while codes sent via SMS text messages aren’t.? Increasingly, criminals are finding ways to game MFA or even bypass it altogether. MFA fatigue attacks are a prime example in which attackers who have stolen account passwords bombard their owners with fake push notifications until they click ‘yes’ in exasperation. Worse still, attacks that steal session cookies bypass MFA completely, rendering even the most secure forms moot.

AI disinformation – the liar’s dividend

SME threat level: Low

We’re still living in the foothills of artificial intelligence (AI) and its impact on cyber security, but already, commentators are summoning up some troubling scenarios it might unleash. Many of these are speculative but one that is entirely plausible is the effect on information and disinformation.

An obvious problem here is that the ability of AI to create plausible deep fakes and disinformation is advancing faster than the ability of humans and social media to understand this is happening. The incentive to use AI in this way is overwhelming. Conflicts between nations are increasingly fought through information v disinformation, in which the latter drowns out and confuses people’s understanding of real information. Reality becomes wholly mediated to sow doubt in genuine sources.

So far, disinformation has mostly targeted countries but there is no reason it couldn’t be used against organisations or individuals too. Disinformation is a lot older than AI, but AI’s appearance makes it much easier to utilise at scale.

Visit our website for more insights:?https://www.british-assessment.co.uk/insights/