How authentication challenges are driving 6 cybersecurity trends
In the past decade, the security sector has experienced an identity crisis. Insufficient identity verification has led to limitless account takeovers, extensive phishing attempts, hacks of IoT devices and even election interference.
In 2020, we’ll begin to see the full impact of this identity crisis on organizations and individuals all over the world. Here are a few specific trends and predictions relating to the lack of identity authentication and the ramifications this will have on cybersecurity.
Email security will prove to be the weakest link in election security
Email is implicated in more than 90 percent of all cybersecurity attacks, and election infrastructure is also vulnerable to email-based attacks. This means email security must be a priority for thwarting interference with the 2020 presidential election. But research shows the majority of U.S. states are overlooking this vulnerability. Only 5 percent of email domains associated with local election officials across the U.S. have implemented and enforced DMARC.
DMARC is a widely accepted open standard that ensures only authorized senders can send emails from a particular domain—it’s one of the most basic and highly effective means of stopping phishing attacks, which is why the Department of Homeland Security mandated its use for federal agencies in 2017. Yet below the federal level, governments remain vulnerable. In May 2019, we learned Russian hackers breached two county election systems in Florida via a spear-phishing campaign, and in November we learned of a phishing-based ransomware attack on Louisiana during an election cycle.
Because only a tiny percentage of counties and states have DMARC configured at enforcement, email is an easy way in for malicious actors looking to disrupt our elections.
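Whether a domain has DMARC "at enforcement" can be read from the TXT record published at its _dmarc name. The following is an added example, not part of the original article: it assumes enforcement means p=quarantine or p=reject applied to all mail and to subdomains, and the domains and records in it are constructed samples rather than real lookups.

```python
# Added example: classify DMARC TXT records by enforcement level.
# Tag names (v, p, sp, pct) are from RFC 7489; all records are constructed.
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Parse one TXT string into a tag dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def enforcement_status(txt_records):
    """Return 'none', 'monitoring', 'partial' or 'enforced' for a domain."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:  # no record, or several: receivers apply no policy
        return "none"
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:  # p=none (or unusable p): reports only
        return "monitoring"
    sp = tags.get("sp", policy).lower()  # subdomain policy defaults to p
    try:
        pct = int(tags.get("pct", "100"))  # share of mail the policy covers
    except ValueError:
        pct = 100  # an unparseable tag is ignored, leaving the default
    if pct < 100 or sp not in ENFORCING:
        return "partial"
    return "enforced"

SAMPLES = {  # constructed TXT answers for _dmarc.<domain>
    "county-a.example": ["v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:d@county-a.example"],
    "county-b.example": ["v=DMARC1; p=none; rua=mailto:d@county-b.example"],
    "county-c.example": ["v=DMARC1; p=quarantine; pct=25"],
    "county-d.example": [],
}

def audit(samples):
    return {domain: enforcement_status(txts) for domain, txts in samples.items()}

if __name__ == "__main__":
    for domain, status in audit(SAMPLES).items():
        print(f"{domain:20} {status}")
```

A record with p=none still produces reports for the domain owner but tells receivers to deliver spoofed mail as usual, which is why publishing DMARC and enforcing it are counted separately.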
Identity validation will be a major challenge across the entire security sector
Most organizations think about cybersecurity in terms of encryption, sandboxing, network segmentation and other defenses, yet overlook the core role of identity. In 2019 we saw enterprises and security vendors increasingly wake up to the importance of identity and access management (IAM) as an integral component of enterprise security, and for good reason.
But granting access is just one slice of the cybersecurity “identity crisis.” Every person, phone, computer and IoT device has an identity that must be authenticated to establish trusted communication. And validating identity is no easy task.
Over Labor Day weekend we saw Twitter CEO Jack Dorsey’s Twitter account get hacked via SIM swapping (which was most likely initiated by an impersonation of Dorsey himself). That hack, business email compromise (BEC) attacks and social media disinformation campaigns executed by bots are all examples of the havoc wreaked when identity is not authenticated.
Deepfake technology will be leveraged in more cyber attacks
In 2020, we’ll see deepfake technologies migrate from proof of concept and occasional attack tool to a more common tactic. Deepfake audio and video can make cyberattacks against individuals and organizations far more sophisticated and convincing, and therefore, more effective.
In 2019, a fraudster used AI voice technology to impersonate the CEO of a German company, convincing an employee to transfer more than $200,000 to the bank of a Hungarian supplier, which was then immediately transferred to another bank in Mexico.
It would be foolish to think cyber criminals all over the world didn’t take notice of this incident, and start exploring how they too could leverage this type of technology to reap similar payouts (for example, by delivering messages via Google Voice).
Scammers will add deepfakes to their toolkits, combining them with already proven successful techniques, such as phone number spoofing and email impersonation, to advance phishing and BEC techniques and propel increasingly targeted attacks. We predict losses from impersonation-based attacks could be in the billions of dollars in 2020, spurred by an increase in the use of deepfake tech.
DMARC adoption will grow across industries
We’ll see a continued increase in Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption. DMARC is a vendor-neutral authentication protocol that allows email domain owners to protect their domain from spoofing, and the number of domains using it has grown 5x in the last 3 years. We’ll see increased growth across several verticals in 2020—especially healthcare and government.
Following the lead of the federal government’s civilian branches, the Department of Defense will soon require all of its domains to enforce DMARC, resulting in an increase in the number of military domains protected. H-ISAC, a global nonprofit organization serving the healthcare sector, has urged healthcare companies to adopt DMARC as part of best practices for securing email, and as a result we’ve already seen a rise in adoption rates in this vertical. This growth will continue throughout 2020.
Major brands will lead the way with BIMI
Brand Indicators for Message Identification (BIMI) is an email standard that will change the way people interact with their favorite brands via email. BIMI provides a framework through which an organization can provide an authorized logo for display in the recipients’ inboxes alongside authenticated email from that organization.
BIMI will grow in popularity, especially among large enterprises and prominent brands that rely heavily on the trust and engagement of their customers. In fact, Google will be launching a BIMI pilot in 2020, which will help spur adoption. Research by Verizon Media has shown that BIMI can increase open rates and boost customer engagement, giving marketers a big incentive to support the email authentication that is a prerequisite for BIMI.
IoT/smart city security will continue to grow as a target for attackers
Securing cities must begin with preventing phishers from gaining access to computers where they could push out commands to IoT devices remotely. There are many challenges with IoT security, not the least of which is authenticating device-server communications.
Additionally, using default passwords and outdated encryption makes these systems easy to hack. In 2019, we read about some annoying and spooky incidents based on IoT hacking; however, heading into the New Year, what we really need to be concerned about is hackers targeting energy grids and other major infrastructure to cause serious economic and social disruption.