The year 2023 saw heightened cybersecurity activity, with both security professionals and adversaries engaged in a constant cat-and-mouse game. Here are some cybersecurity predictions for 2024 to help security professionals. It is crucial to anticipate the key themes likely to dominate the cybersecurity space in 2024.
Cybersecurity is an ever-evolving process that can never be ‘complete’ in the exact sense. The cybersecurity field evolves constantly as technology advances, global events create uncertainty, and threat actors refine and improve their malicious tactics. It is expected that 2024 again emphasizes the critical need to strike a balance between cybersecurity and cyber resilience. Safeguarding mission-critical assets and developing the capacity to anticipate, withstand, recover from, and adapt to cyberattacks remain central to organizational cybersecurity strategies. While preparedness remains one of the most important facets of effective organizational cybersecurity, it can be difficult to plan for the year ahead with so many unknowns.
Five Cybersecurity Predictions for 2024
https://www.securityweek.com/five-cybersecurity-predictions-for-2024/
A Never-Ending Story: Compromised Credentials
Ransomware Attacks Continue to Wreak Havoc
Global Conflicts and Elections Lead to a Rise in Hacktivism
White House Cybersecurity Strategy Triggers Revival of Vulnerability Management
The Emergence of Next-Gen Security Awareness Programs
10 Global Cybersecurity Predictions for 2024
https://www.fticonsulting.com/insights/articles/10-global-cybersecurity-predictions-2024
Election Security Making Headlines
A Two-Sided Approach to Artificial Intelligence
Widespread Adoption of Zero-Trust Architecture
Cities Integrating IoT into Critical Infrastructure
Increasing Cybersecurity Supply Chain Risks
Third Party Scrutiny Taking Priority for Compliance Officers
The Start of Significant Fines From Australian Regulators
Corporate Responsibility Shifting to Individuals
Organizational Transparency Surrounding Cybersecurity
Emergence of Incentivized Cybersecurity
Experts Talk: Predicting the Cybersecurity Landscape in 2024
Spiceworks News & Insights brings you expert insights on what to expect in cybersecurity in 2024.
https://www.spiceworks.com/it-security/security-general/articles/cybersecurity-predictions-2024/
By investing in AI governance tools and developing complimentary guardrails, companies can avoid what may end up being the biggest misconception in 2024: the assumption that you can control the adoption of AI.
“In 2024, we can expect a surge in malicious AI-generated content.”
“Organizations’ inability to identify the lineage of AI will lead to an increase in software supply chain attacks in 2024,”
The integration of AI into the development process, particularly in the CI/CD pipeline, is crucial.
“Cyberattacks overall are expected to increase; ransomware groups are targeting vendors, government agencies, and critical infrastructure in the United States.”
How can AI help threat actors: “With the assistance of AI, particularly generative AI (GenAI) technology, attackers will be able to refine their techniques, increasing their speed and effectiveness. GenAI will allow criminal cyber groups to quickly fabricate convincing phishing emails and messages to gain initial access into an organization.”
“If cyber leaders want to take on this responsibility (and burden), they will have to be reasonably informed of cyber risks faced by the organization and able to communicate those risks to investors,”
“Third-party risk management is no longer an experiment; it’s an expectation,”
“We will see breaches related to Kubernetes in high-profile companies,”
API Security Trends and Projections for 2024
https://www.spiceworks.com/it-security/application-security/guest-article/api-security-trends-and-projections/
1. The pervasiveness of API vulnerabilities – These vulnerabilities in AAA, if exploited, can lead to major security breaches.
2. Limitations of standard frameworks – While foundational, traditional frameworks like the OWASP API Security Top-10 have limitations in addressing the dynamic nature of API threats.
3. Leak protection – The report highlighted the critical need for enhanced API leak protection, especially considering significant breaches at companies like Netflix and VMware.
4. Rising threats and strategic recommendations – The Wallarm report identified injections as the most pressing API threat, underscoring their likelihood of significant damage.
Gartner’s 8 Cybersecurity Predictions for 2023-2025
https://krontech.com/gartners-8-cybersecurity-predictions-for-2023-2025
By 2025, 60% of organizations will use cybersecurity risk as the primary determinant in conducting third-party transactions and business relationships. Investors, especially venture capitalists, use cybersecurity risk as an important factor in evaluating opportunities.
1. By the end of 2023, modern data privacy laws will cover the personal information of 75% of the world’s population.
2. By 2024, organizations that adopt a cybersecurity network architecture will be able to reduce the financial costs of security incidents by an average of 90%.
3. By 2024, 30% of enterprises will deploy cloud-based Secure Web Gateway (SWG), Cloud Access Security Brokers (CASB), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS), sourced from the same vendor.
4. By 2025, 60% of organizations will use cybersecurity risk as the primary determinant in conducting third-party transactions and business relationships.
5. The percentage of states that enact laws regulating ransomware payments, fines and negotiations will increase from less than 1% in 2021 to 30% by the end of 2025.
6. By 2025, 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member.
7. By 2025, 70% of CEOs will build a culture of corporate resilience to protect themselves from threats from cybercrime, severe weather events, social events, and political instability.
8. By 2025, cyber-attackers will be able to use operational technology environments as weapons successfully enough to cause human casualties.
Top 10 Cyber Security Trends And Predictions For 2024
https://www.splashtop.com/blog/cybersecurity-trends-and-predictions-2024
Trend 1: Increased Focus on AI and Machine Learning in Cybersecurity
Trend 2: Growing Importance of IoT Security
Trend 3: Expansion of Remote Work and Cybersecurity Implications
Trend 4: The Rise of Quantum Computing and Its Impact on Cybersecurity
Trend 5: Evolution of Phishing Attacks
Trend 6: Enhanced Focus on Mobile Security
Trend 7: Zero Trust Security
Trend 8: Cybersecurity Skills Gap and Education
Trend 9: Blockchain and Cybersecurity
Trend 10: Cybersecurity Insurance Becoming Mainstream
6 Predictions About Cybersecurity Challenges In 2024
https://www.forbes.com/sites/edwardsegal/2023/12/09/6-predictions-about-cybersecurity-challenges-in-2024/?sh=172726819433
‘Uptick in Disruptive Hacktivism’
Election Interference
More Targeted Attacks
Fooling Users
Leveraging AI Tools
‘New Avenues For Cybercrime’
5 cybersecurity predictions for 2024
https://www.fastcompany.com/90997838/5-cybersecurity-predictions-for-2024
1. Advanced phishing
2. AI-powered scams
3. Increase in supply chain attacks
4. Deployment of malicious browser extensions
5. Changing demographics brings more threats
Top cybersecurity predictions of 2024
https://www.securitymagazine.com/articles/100271-top-cybersecurity-predictions-of-2024
Adoption of passwordless authentication
Multi-Factor Authentication (MFA) will become a standard requirement for most online services and applications. Traditional methods like SMS-based MFA will decline in favor of more secure options, such as time-based one-time passwords (TOTP) generated by authenticator apps.
Both enterprises and consumers are increasingly adopting passwordless solutions across various sectors. Transitioning to a passwordless mindset may appear unconventional, as it requires users to change their habits. However, the enhanced security and the seamless experience it offers reduce the learning curve, making the transition more user-friendly.
Cybersecurity will be a higher priority for law firms
For nearly any law firm, part of the ‘big picture’ approach to cybersecurity includes an ability to scale detection and response capabilities.
Artificial intelligence and large language models
Phishing and BEC attacks are becoming more sophisticated because attackers are using personal information pulled from the Dark Web (stolen financial information, social security numbers, addresses, etc.), LinkedIn and other internet sources to create targeted personal profiles that are highly detailed and convincing. They also use trusted services such as Outlook.com or Gmail for greater credibility and legitimacy.
We should also expect the rise of 3D attacks, meaning not just text but also voice and video. This will be the new frontier of phishing. We are already seeing highly realistic deep fakes or video impersonations of celebrities and executive leadership.
I expect to see a major breach of an AI company’s training data exposing the dark side of large language models (LLM) and the personal data they hold that were scraped from open sources.
One of the big trends we expect to see in 2024 is a surge in use of generative AI to make phishing lures much harder to detect, leading to more endpoint compromise. Attackers will be able to automate the drafting of emails in minority languages, scrape information from public sites — such as LinkedIn — to pull information on targets and create highly-personalized social engineering attacks en masse.
Simultaneously, we will see a rise in ‘AI PC’s’, which will revolutionize how people interact with their endpoint devices. With advanced compute power, AI PCs will enable the use of “local Large Language Models (LLMs)”
With the increase in regulatory and security requirements, GRC data volumes continue to grow at what will eventually be an unmanageable rate. Because of this, AI and ML will increasingly be used to identify real-time trends, automate compliance processes, and predict risks.
Prioritize training
Insider threats are a leading problem for IT/security teams — many attacks stem from internal stakeholders stealing and/or exploiting sensitive data, which succeed because they use accepted services to do so. In 2024, IT leaders will need to help teams understand their responsibilities and how they can prevent credential and data exploitation.
On the developer side, management will need to assess their identity management strategies to secure credentials from theft, either from a code repository hosted publicly or within internal applications and systems that have those credentials coded in. On the other hand, end users need to understand how to protect themselves from common targeted methods of attack, such as business email compromise, social engineering and phishing attacks.
Security teams need to prioritize collaboration with other departments within their organization to make internal security training more effective and impactful.
Humans Are Notoriously Bad at Assessing Risk
https://www.epanorama.net/newepa/2022/12/31/cyber-trends-for-2023/
We as humans, with our emotions, can sometimes be irrational and subjective. When too much subjectivity is mixed into risk assessment, it can produce a risk picture that is not an accurate representation of reality.
Threat Intel: To Share or Not to Share is Not the Question
https://www.securityweek.com/threat-intel-to-share-or-not-to-share-is-not-the-question/
To share or not to share isn’t the question. It’s how to share, what to share, where and with whom. The sooner we arrive at answers, the safer we’ll be collectively and individually.
Addressing the State of AI’s Impact on Cyber Disinformation/Misinformation
https://www.securityweek.com/addressing-the-state-of-ais-impact-on-cyber-disinformation-misinformation/
The recent rapid rise of artificial intelligence continues to be a game-changer in many positive ways. Yet, within this revolution, a shadow looms. By embracing a strategy that combines technological advancements with critical thinking skills, collaboration, and a culture of continuous learning, organizations can safeguard against AI’s disruptive effects.
319 Comments
Tomi Engdahl says:
Risk Management
Fortifying the Weakest Link: How to Safeguard Against Supply Chain Cyberattacks
As organizations have fortified their defenses against direct network attacks, hackers have shifted their focus to exploiting vulnerabilities in the supply chain to gain backdoor access to systems.
https://www.securityweek.com/fortifying-the-weakest-link-how-to-safeguard-against-supply-chain-cyberattacks/
Tomi Engdahl says:
Cloud Security
Cracking the Cloud: The Persistent Threat of Credential-Based Attacks
Credentials are still the most common entry point for bad actors, even as businesses deploy multi-factor authentication (MFA) to strengthen defenses.
https://www.securityweek.com/cracking-the-cloud-the-persistent-threat-of-credential-based-attacks/
Tomi Engdahl says:
If credentials already pose a significant security concern, the question then becomes, what to do? One X-Force recommendation is fairly obvious: use AI to defend against AI. Other recommendations are equally obvious: strengthen incident response capabilities; and use encryption to protect data at rest, in use, and in transit.
But these alone do not prevent bad actors getting into the system through credential keys to the front door. “Build a stronger identity security posture,” says X-Force. “Embrace modern authentication methods, such as MFA, and explore passwordless options, such as a QR code or FIDO2 authentication, to fortify defenses against unauthorized access.”
It’s not going to be easy. “QR codes are not considered phish resistant,” Chris Caridi, strategic cyber threat analyst at IBM Security X-Force, told SecurityWeek. “If a user were to scan a QR code in a malicious email and then proceed to enter credentials, all bets are off.”
But it’s not entirely hopeless. “FIDO2 security keys would provide protection against the theft of session cookies; and the public/private keys factor in the domains associated with the communication (a spoofed domain would cause authentication to fail),” he continued. “This is a great option to protect against AITM.”
https://www.securityweek.com/cracking-the-cloud-the-persistent-threat-of-credential-based-attacks/
Tomi Engdahl says:
https://www.infoworld.com/article/3497016/what-is-http-3-the-next-generation-web-protocol.html
Tomi Engdahl says:
OpenZiti: Secure, open-source networking for your applications
OpenZiti is a free, open-source project that embeds zero-trust networking principles directly into applications.
https://www.helpnetsecurity.com/2024/09/09/openziti-secure-open-source-networking/
Tomi Engdahl says:
https://www.dna.fi/yrityksille/blogi/-/blogs/onko-yrityksesi-varautunut-kyberuhkiin-10-vinkkia-kyberturvan-varmistamiseksi?utm_source=facebook&utm_medium=social&utm_content=LAA-artikkeli-onko-yrityksesi-varautunut-kyberuhkiin-10-vinkkia-kyberturvan-varmistamiseksi&utm_campaign=AK_LAA_24-40-43_kyberturva2025_artikkelikampanja_&fbclid=IwZXh0bgNhZW0BMAABHSB8B9GFsrf_COYR0S29mv8oyAVKJvayb58Jvw–TW1w5K6u_8xBcX8k6w_aem_N8FqQnxV7vrZWL0XTLKPIQ
Tomi Engdahl says:
https://www.dna.fi/yrityksille/kyberturva-2025-aamiaistilaisuus
Tomi Engdahl says:
VPN providers don’t protect your privacy online. Here’s what can.
https://techcrunch.com/2024/09/30/vpn-providers-do-not-protect-your-privacy-online-here-is-what-can/
If you’ve heard that a VPN provider can help protect your privacy and security online, don’t believe the hype. The truth is that most people don’t actually need a VPN.
By funneling all of your internet traffic through their own servers, VPN providers expose their customers to the very privacy risks they claim to help defend against, including having their internet browsing records stolen by cybercriminals or obtained by legal order.
Tomi Engdahl says:
Älä ota kesädomainia! – verkkotunnukset ovat arvokasta omaisuutta
Tietoturva Nyt!
Julkaistu 03.10.2024 15:37
Verkkotunnukset ovat nykyisin merkittävää aineetonta omaisuutta ja niistä kannattaa pitää huolta. Verkkotunnuksen päätyminen toisen käsiin voi olla kiusallista tai jopa vaarantaa tietoturvaa, eikä verkkotunnusta yleensä saa helposti takaisin.
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/ala-ota-kesadomainia-verkkotunnukset-ovat-arvokasta-omaisuutta
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-defender-now-automatically-detects-unsecure-wi-fi-networks/
Tomi Engdahl says:
Opportunities for Early Detection and Prediction of Ransomware Attacks against Industrial Control Systems
https://www.mdpi.com/1999-5903/15/4/144?utm_campaign=journnews_ccbj_futureinternet&utm_medium=social_journ&utm_source=facebook&fbclid=IwZXh0bgNhZW0BMAABHcyBrwHEdi1WkFRTIW0MiSY8cwjdoqDoctA897zRomiDcQkeEJjUrEjDpA_aem_69wQ9C8O6BLdhrOnQAbYoQ
Tomi Engdahl says:
https://nerdynet.com/nain-mdr-eroaa-perinteisista-kyberturvallisuusratkaisuista/
Tomi Engdahl says:
Fortifying the Weakest Link: How to Safeguard Against Supply Chain Cyberattacks
As organizations have fortified their defenses against direct network attacks, hackers have shifted their focus to exploiting vulnerabilities in the supply chain to gain backdoor access to systems.
https://www.securityweek.com/fortifying-the-weakest-link-how-to-safeguard-against-supply-chain-cyberattacks/
Tackling Supply Chain Hazards
Failures in systems and processes by third parties can lead to catastrophic reputational and operational damage. It is no longer sufficient to merely implement basic vendor management procedures. Organizations must also take proactive measures to safeguard against third-party control failures. So how can this be achieved?
Advanced Supplier Risk Management: Ensure all suppliers and third-party vendors adhere to strict cybersecurity protocols. Assess their compliance with relevant standards (e.g., ISO 27001, NIST, GDPR). Evaluate vendors based on the sensitivity of the data they handle and the criticality of the services they provide. Consider requiring suppliers to use independent verification services to test software applications before procurement and deployment.
Secure the Software Development Pipeline: Protect administrative access to the tools and applications used by DevOps teams. Enable secure application configuration via secrets and authenticate applications and services with high confidence. Mandate that software suppliers certify and extend security controls to cover microservices, cloud, and DevOps environments.
Regular Software and System Updates: Ensure that your systems and those of your suppliers are regularly updated and patched for known vulnerabilities. Prevent the use of unsupported or outdated software that could introduce new vulnerabilities.
Harden Your Environment: Configure cloud environments to reject authorization requests involving tokens that deviate from accepted norms. For on-premises systems, follow the National Security Agency’s guidelines by deploying a Federal Information Processing Standards (FIPS)-validated Hardware Security Module (HSM) to store token-signing certificate private keys. HSMs significantly reduce the risk of key theft by threat actors.
Implement Strong Access Controls: Limit third-party vendor access to only the data and systems necessary for their operations. Ensure they cannot access other areas of your network. Require multi-factor authentication for vendors accessing your systems. Adopting a Zero Trust approach ensures continuous verification of all users—both internal and external—before granting access.
Utilize Security Tools and Technologies: Segment your network to prevent attackers from moving laterally if they manage to breach one section. Use Endpoint Detection and Response (EDR) solutions to detect malicious activities on devices connected via third parties. Encrypt sensitive data shared with suppliers, both at rest and in transit. A robust cybersecurity posture requires readiness for data security breaches, especially as data moves through various channels like email, cloud, and AI tools. Thus, business continuity and disaster recovery (BCDR) solutions have become essential components of the modern technology stack.
Adopt Frameworks and Best Practices: Implement the NIST cybersecurity framework to help identify, protect, detect, govern, respond to, and recover from cyber threats. Also consider adopting supply chain-specific frameworks like the Shared Assessments Standardized Information Gathering (SIG) or ISO 28001 for supply chain security management.
Contractual and Legal Safeguards: Incorporate cybersecurity requirements into vendor contracts, including mandatory security controls, data protection measures, and breach notification obligations. For high-risk vendors, require third-party audits or independent security assessments.
Tomi Engdahl says:
MFA Isn’t Failing, But It’s Not Succeeding: Why a Trusted Security Tool Still Falls Short
Multi-factor authentication is a necessary safeguard, but its limitations show why organizations can’t rely on it alone to prevent breaches.
https://www.securityweek.com/mfa-isnt-failing-but-its-not-succeeding-why-a-trusted-security-tool-still-falls-short/
To say that multi-factor authentication (MFA) is a failure is too extreme. But we cannot say it is successful – that much is empirically obvious. The important question is: Why?
MFA is universally recommended and often required. CISA says, “Adopting MFA is a simple way to protect your organization and can prevent a significant number of account compromise attacks.” NIST SP 800-63-3 requires MFA for systems at Authentication Assurance Levels (AAL) 2 and 3. Executive Order 14028 mandates all US government agencies to implement MFA. PCI DSS requires MFA for accessing cardholder data environments. SOC 2 requires MFA. The UK ICO has stated, “We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication…”
Yet, despite these recommendations, and even where MFA is implemented, breaches still occur. Why?
What’s the problem?
Think of MFA as a second, but dynamic, set of keys to the front door of a system. This second set is given only to the identity wishing to enter, and only if that identity is authenticated to enter. It is a different second key delivered for each different entry.
The principle is clear, and MFA should be able to prevent access to inauthentic identities. But this principle also relies on the balance between security and usability. If you increase security you decrease usability, and vice versa. You can have very, very strong security but be left with something equally difficult to use. Since the purpose of security is to enable business profitability, this becomes a conundrum.
Strong security can impinge on profitable operations. This is especially relevant at the point of access – if staff are delayed entry, their work is also delayed. And if MFA is not at maximum strength, even the company’s own staff (who simply want to get on with their work as quickly as possible) will find ways around it.
“Simply put,” says Jason Soroko, senior fellow at Sectigo, “MFA raises the difficulty for a malicious actor, but the bar often isn’t high enough to prevent a successful attack.” Discussing and solving the required balance in using MFA to reliably keep bad guys out while quickly and easily letting good guys in – and to question whether MFA is really needed – is the subject of this article.
Weaknesses
The primary problem with any form of authentication is that it authenticates the device being used, not the person attempting access. “It’s often misunderstood,” says Kris Bondi, CEO and co-founder of Mimoto, “that MFA isn’t verifying a person, it’s verifying a device at a point in time. Who is holding that device isn’t guaranteed to be who you expect it to be.”
The most common MFA method is to deliver a use-once-only code to the entry applicant’s mobile phone. But phones get lost and stolen (physically in the wrong hands), phones get compromised with malware (allowing a bad actor access to the MFA code), and electronic delivery messages get diverted (MitM attacks).
To these technological weaknesses we can add the ongoing criminal arsenal of social engineering attacks, including SIM swapping (persuading the carrier to transfer a phone number to a new device), phishing, and MFA fatigue attacks (triggering a flood of delivered but unexpected MFA notifications until the victim eventually approves one out of frustration). The social engineering threat is likely to increase over the next few years with gen-AI adding a new layer of sophistication, automated scale, and introducing deepfake voice into targeted attacks.
These weaknesses apply to all MFA systems that are based on a shared one-time code, which is basically just an additional password. “All shared secrets face the risk of interception or harvesting by an attacker,” says Soroko. “A one-time password generated by an app that has to be typed into an authentication web page is just as vulnerable as a password to key logging or a fake authentication page.”
There are more secure methods than simply sharing a secret code with the user’s mobile phone. You can generate the code locally on the device (but this retains the basic problem of authenticating the device rather than the user), or you can use a separate physical key (which can, like the mobile phone, be lost or stolen).
“Yes, MFA works to raise the level of difficulty of attack, but its success depends on the method and context,” adds Soroko. “However, attackers bypass MFA through social engineering, exploiting ‘MFA fatigue’, man-in-the-middle attacks, and technical flaws like SIM swapping or stealing session cookies.”
Implementing strong MFA just adds layer upon layer of complexity required to get it right, and it’s a moot philosophical question whether it is ultimately possible to solve a technological problem by throwing more technology at it (which could in fact introduce new and different problems). It is this complexity that adds a new problem: this security solution is so complex that many companies don’t bother to implement it or do so with only trivial concern.
“MFA has been in use for more than 20 years,” notes Bondi. “As with any tool, the longer it is in existence, the more time bad actors have had to innovate against it. And, frankly, many MFA approaches haven’t evolved much over time.”
Two examples of attacker innovations will demonstrate: AitM with Evilginx; and the 2023 hack of MGM Resorts.
For and against MFA
So, given that MFA clearly gets defeated, and given that it only authenticates the device not the user, should we abandon it?
The answer is a resounding ‘No’. The problem is that we misunderstand the purpose and role of MFA. All the recommendations and regulations that insist we must implement MFA have seduced us into believing it is the silver bullet that will protect our security. This simply isn’t realistic.
Consider the concept of crime prevention through environmental design (CPTED).
Simplified, the theory suggests that a space built with access control, territorial reinforcement, surveillance, continuous maintenance, and activity support will be less subject to criminal activity. It will not stop a determined burglar; but finding it hard to get in and stay hidden, most burglars will simply move to another less well designed and easier target. So, the purpose of CPTED is not to eliminate criminal activity, but to deflect it.
This principle translates to cyber in two ways. Firstly, it recognizes that the primary purpose of cybersecurity is not to eliminate cybercriminal activity, but to make a space too difficult or too costly to pursue. Most criminals will look for somewhere easier to burgle or breach, and – sadly – they will almost certainly find it. But it won’t be you.
Secondly, note that CPTED talks about the complete environment with multiple focuses. Access control: but not just the front door. Surveillance: pentesting might locate a weak rear entry or a broken window, while internal anomaly detection might uncover a burglar already inside. Maintenance: use the latest and best tools, keep systems up to date and patched. Activity support: adequate budgets, good management, proper recompense, and so on.
These are just the basics, and more could be included. But the primary point is that for both physical and cyber CPTED, it is the whole environment that needs to be considered – not just the front door.
That’s how we should consider MFA: an essential part of security, but only a part. It won’t defeat everyone but will perhaps delay or divert the majority. It is an essential part of cyber CPTED to reinforce the front door with a second lock that requires a second key.
Since the traditional front door username and password no longer delays or diverts attackers (the username is usually the email address and the password is too easily phished, sniffed, shared, or guessed), it is incumbent on us to strengthen the front door authentication and access so this part of our environmental design can play its part in our overall security defense.
The obvious way is to add an additional lock and a one-use key that isn’t created by nor known to the user before its use. This is the approach known as multi-factor authentication. But as we have seen, current implementations are not foolproof. The primary methods are remote key generation sent to a user device (usually via SMS to a mobile device); local app generated code (such as Google Authenticator); and locally held separate key generators (such as Yubikey from Yubico).
Each of these methods solve some, but none solve all, of the threats to MFA. None of them change the fundamental issue of authenticating a device rather than its user, and while some can prevent easy interception, none can withstand persistent, and sophisticated social engineering attacks. Nevertheless, MFA is important: it deflects or diverts all but the most determined attackers.
If one of these attackers succeeds in bypassing or defeating the MFA, they have access to the internal system. The part of environmental design that includes internal surveillance (detecting bad guys) and activity support (assisting the good guys) takes over. Anomaly detection is an existing approach for enterprise networks. Mobile threat detection systems can help prevent bad guys taking over mobile phones and intercepting SMS MFA codes.
Zimperium’s 2024 Mobile Threat Report published on September 25, 2024, notes that 82% of phishing sites specifically target mobile devices, and that unique malware samples increased by 13% over last year. The threat to mobile phones, and therefore any MFA reliant on them is increasing, and will likely worsen as adversarial AI kicks in.
As we’ve seen, MFA will not stop the determined attacker. “You need sensors and alarm systems on the devices,” he continues, “so you can see if anyone is trying to test the boundaries and you can start getting ahead of these bad actors.”
The important takeaway from this discussion is that you cannot rely on MFA to keep your systems safe – but it is an essential part of your overall security environment. Security is not just protecting the front door. It starts there, but must be considered across the whole environment. Security without MFA can no longer be considered security.
Tomi Engdahl says:
MITRE Announces AI Incident Sharing Project
MITRE’s AI Incident Sharing initiative helps organizations receive and hand out data on real-world AI incidents.
https://www.securityweek.com/mitre-announces-ai-incident-sharing-project/
Tomi Engdahl says:
Ohjelmistoturvallisuuden tila 2023
https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/publication/Ohjelmistoturvallisuuden%20tila%202023.pdf
Tomi Engdahl says:
Incident Response
Improving SecOps: How Simplification, Visibility, and Analytics Can Drive Success
How simplifying complexity, enhancing visibility, and empowering analysis can address key challenges in modern cybersecurity operations and investigations.
https://www.securityweek.com/improving-secops-how-simplification-visibility-and-analytics-can-drive-success/
Tomi Engdahl says:
Looking at Security Challenges Through the Lens of Different Roles
What are CISOs and security leaders prioritizing versus the security operators?
https://www.securityweek.com/looking-at-security-challenges-through-the-lens-of-different-roles/
Tomi Engdahl says:
Network Security
Watch on Demand: Zero Trust Strategies Summit – All Sessions Available
With all sessions now available on demand, the online summit is laser focused on helping organizations to level up their Identity and Zero Trust security strategies.
https://www.securityweek.com/securityweek-to-host-zero-trust-strategies-summit-as-virtual-event-on-october-9th/