Penetration testing – pen tests – traditionally have been something companies might do once or twice a year.

Related: Cyber espionage is on the rise

Bad news is always anticipated. That’s the whole point. The pen tester’s assignment is to seek out and exploit egregious, latent vulnerabilities – before the bad guys — thereby affording the organization a chance to shore up its network defenses.

Pen testing has limitations, of course. The probes typically take considerable effort to coordinate and often can be more disruptive than planned.

These shortcomings have been exacerbated by digital transformation, which has vastly expanded the network attack surface.

Guest expert: Snehal Antani, CEO, Horizon3.ai

I had the chance at Black Hat 2022 to visit with Snehal Antani and Monti Knode, CEO and director of customer success, respectively, at Horizon3.ai, a San Francisco-based startup, which launched in 2020. Horizon3 supplies “autonomous” vulnerability assessment technology.

Co-founder Antani previously served as the first CTO for the U.S. Joint Special Operations Command (JSOC) and Knode was a commander in the U.S. Air Force 67th Cyberspace Operations Group. They argue that U.S. businesses need to take a wartime approach to cybersecurity. For a full drill down, please give the accompanying podcast a listen.

Horizon3’s flagship service, NodeZero, is designed to continuously assess an organization’s network attack surface to identify specific scenarios by which an attacker might combine stolen credentials with misconfigurations or software flaws to gain a foothold.

Will pen testing make a great leap forward? I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

Web application attacks directed at organizations’ web and mail servers continue to take the lead in cybersecurity incidents.

Related: Damage caused by ‘business logic’ hacking

This is according to Verizon’s latest 2022 Data Breach Investigations Report (DBIR).

In the report’s findings, stolen credentials and exploited vulnerabilities are the top reasons for web breaches. This year’s breakdown:

• A whopping 80 percent were due to stolen credentials (nearly a 30 percent increase since 2017!)

• Exploited vulnerabilities were the second leader at almost 20 percent

• Brute forcing passwords (10 percent) came in third

• Backdoors or C2 (10 percent) came in fourth

Poor password practices are responsible for most incidents involving web applications and data breaches since 2009. Password security may seem like a simple solution for a huge problem, but it may be difficult to successfully implement in practice. Ignoring it, on the other hand, can lead to complications such as an unwarranted data breach.

Without strong, secure passwords or two-factor authentication (2FA) enabled in an organization or startup, it becomes easy for attackers to use stolen credentials to access its web and email servers.

Consequently, sensitive data can become compromised, ending up in the wrong hands. In 2022, 69 percent of personal data and 67 percent of credentials became compromised in a web breach. This data strongly indicates that password management and 2FA are crucial for any organization or startup to become more secure from web attacks.
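The numbers above point at two controls: a second factor, so that a stolen password alone does not open an account, and a lockout, so that password guessing stops paying off. As an added example (not code from the report or from Zigrin Security), the following Python sketches both: HOTP/TOTP as specified in RFC 4226 and RFC 6238, checked against the RFC test-vector key, a salted password hash, and a per-account failure counter. The account name, password and lockout threshold are constructed for the example.

```python
"""Password plus TOTP second factor, with a lockout against brute forcing.

Added illustration of the DBIR findings above; constructed accounts and
secrets, not code from Zigrin Security. HOTP/TOTP follow RFC 4226 / RFC 6238.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

RFC_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector key
MAX_FAILURES = 5                       # lock the account after this many bad tries
TOTP_STEP = 30                         # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // TOTP_STEP, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = int(at_time) // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a stolen database yields hashes, not passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthService:
    """Minimal account store: password hash, TOTP secret and a failure counter."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def register(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw": hash_password(password, salt),
                                "totp": totp_secret, "failures": 0}

    def login(self, username: str, password: str, code: Optional[str], at_time: int) -> str:
        user = self.users.get(username)
        if user is None:
            return "denied"
        if user["failures"] >= MAX_FAILURES:
            return "locked"                      # brute force is cut off here
        if not hmac.compare_digest(user["pw"], hash_password(password, user["salt"])):
            user["failures"] += 1
            return "denied"
        if code is None or not verify_totp(user["totp"], code, at_time):
            user["failures"] += 1
            return "denied: second factor required"   # stolen password alone fails
        user["failures"] = 0
        return "ok"


def run_scenario() -> Dict[str, str]:
    """Constructed walk-through: stolen password, proper 2FA login, then a guessing spree."""
    svc = AuthService()
    svc.register("alice", "correct horse battery staple", RFC_SECRET)
    t = 59
    results = {
        "wrong_password": svc.login("alice", "guess1", None, t),
        "stolen_password_no_code": svc.login("alice", "correct horse battery staple", None, t),
        "password_and_code": svc.login("alice", "correct horse battery staple", totp(RFC_SECRET, t), t),
    }
    for i in range(MAX_FAILURES):
        svc.login("alice", f"guess{i}", None, t)
    results["after_brute_force"] = svc.login("alice", "correct horse battery staple",
                                             totp(RFC_SECRET, t), t)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:26s} -> {outcome}")
```

The `hotp` and `totp` functions reproduce the published RFC test vectors (counter 0 gives 755224; time 59 with eight digits gives 94287082), which is the quickest way to confirm a home-grown implementation before trusting it.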

We’ve shared some helpful guidance on password security at Zigrin Security blog.

Shifting exposures

The landscape of the cyber domain is in flux. Money-motivated cybercriminals no longer have the web to themselves: nation-state attackers motivated by espionage now come in a close second in dominating web breaches.


Moreover, 65 percent of web breaches are motivated by financial gain, and 31 percent are due to espionage motives. Both types of attacker target organizations, often those with weak credentials.

Strong password security for any organization or startup can avoid and reduce the number of attacks via default, shared, or stolen credentials on the web.

“From the chart, it is evident that many intrusions exploit the basic (mis)management of identity. Unauthorized access via default, shared, or stolen credentials constituted more than a third of the entire Hacking category and over half of all compromised records. It is particularly disconcerting that so many large breaches stem from the use of default and/or shared credentials, given the relative ease with which these attacks could be prevented.” (2009 DBIR page 17) 

It’s not just a web thing. It’s an e-mail thing too. Although web servers constitute nearly 100 percent of web breaches, 20 percent of mail servers have been compromised in web breaches recently.

Interestingly, 80 percent of mail servers became compromised due to stolen credentials too, and 30 percent were due to an exploit – a 27 percent jump from 2021, when it was only 3 percent. Among those exploits, the most popular seem to target SQL injection vulnerabilities. Other reasons mail servers were breached include:

• Improperly constrained or misconfigured access control lists (ACLs)

• Authentication bypass

• Privilege escalation

• Brute forcing passwords

The need to guard identities

In conclusion, stolen credentials are the main threat and concern for an organization’s or startup’s infrastructure – primarily web servers and mail servers – that attackers frequently leverage for financial gain and espionage: stolen credentials were responsible for 80 percent of web and mail server breaches, a 30 percent increase since 2017.

Brute force remained near the top of the list, as well. That indicates that password management and 2FA are critical for organizations and startups to mitigate these threats, reducing web breaches to a great extent. Securing web and mail servers from exploitable vulnerabilities that attackers can leverage is just as important when the rise of web breaches increasingly makes organizations and startups more vulnerable.

For more details on how to secure your organization or startup from web attacks go to https://zigrin.com/services

About the essayist: Dawid Czarnecki is CEO of Zigrin Security. He has served as a senior penetration tester at the NATO Cyber Security Centre and holds numerous cybersecurity certifications, including OSCP, GIAC Certified Incident Handler, and GIAC Certified Web Application Defender (GWEB). He is also a member of the GIAC Advisory Board.

APIs have come to embody the yin and yang of our digital lives.

Related: Biden moves to protect water facilities

Without application programming interfaces, all the cool digital services we take for granted would not be possible.

But it’s also true that the way software developers and companies have deployed APIs has contributed greatly to the exponential expansion of the cyber-attack surface. APIs have emerged as a go-to tool used by threat actors in all phases of sophisticated, multi-stage network attacks.

Upon gaining a toehold on a targeted device or server, attackers now quickly turn their attention to locating and manipulating available APIs to hook deeply into company systems. APIs provide paths to move laterally, to implant malware and to steal data.

Guest expert: Sudeep Padiyar, founding member, Traceable.ai

The encouraging news is that API security technology has advanced quite a bit over the past five years or so.

I had the chance at Black Hat 2022 to visit with Sudeep Padiyar, founding member and director of product management, at Traceable, a San Francisco-based supplier of advanced API security systems. Traceable launched in 2018, the brainchild of tech entrepreneurs Jyoti Bansal and Sanjay Nagaraj; it provides deep-dive API management capabilities — as software is being developed and while it is being used in the field.

We discussed the Gordian-knot challenge security teams face getting a grip on the avalanche of APIs hooking into their organizations. For a full drill down, please give the accompanying podcast a listen.

The security-proofing of APIs is gaining traction, and that’s a very good thing. I’ll keep watch and keep reporting.


More than half of the world—58.4 percent or 4.62 billion people—use social media.

Related: Deploying human sensors to stop phishing.

And while that’s incredible for staying connected with friends, organizing rallies, and sharing important messages, it’s also the reason we are facing a cyber security crisis.

A record 847,376 complaints of cyber-crime were reported to the FBI by the public, according to the FBI’s Internet Crime Report 2021—a 7 percent increase from 2020. This is now catching the attention of elected leaders like Senator Mark Warner and Senator Marco Rubio.

They recently called on the Federal Trade Commission (FTC) to investigate TikTok and parent company ByteDance over its data handling. But why is social media such a catalyst for nefarious behavior?

As the founder of the leading cyber security firm OccamSec, I’ve seen first-hand how and why social media is such a weak point, even for the most careful people and companies. Here are the three main reasons.

Social Engineering

Social media lends itself to social engineering. What is that exactly? Well, old-school social engineering is when a criminal phones someone up pretending to be a CEO of your company, for example, claiming they’ve lost a document you need to send. You send it, and that person has a lot of private information about the company. Social engineering has gone from face to face or phone to phone to social media and the internet.


Social media provides an effortless mechanism for manipulation. You create a profile on a platform, start friending people, and then you can gain more access to those people’s connections because you begin to look more legitimate. So, when someone reaches out to you, and you have mutual contacts, it’s easier to ask for personal or company information. It magnifies their trust and simultaneously removes the gut instinct.

If you met someone in a bar who said, “Hey, I work in the same company as you, give me access to your computer,” you would say, “No.” Your gut instinct would be this guy’s just creepy.

In social media, that’s taken away. If I connect to you, you link to me; then we have more mutual connections. From an attacker’s perspective, it lends itself massively to harvesting data, making manipulating people easier because it takes away the face-to-face element.

Attack Surface

There’s this concept of attack surface in hacking. So, if you think of your house, you’ve got the doors, windows, and maybe a skylight. If I’m a robber, that’s your attack surface. I increase the attack surface by adding more windows, a garage, and a yard.

What social media does, if you’re a company, is it blows your attack surface wide open. Now every single employee is online posting and is reachable. So, for example, if I want to breach Sony, I’ll go on LinkedIn, search for Sony, and get everyone who works there. Then I can look at TikTok, Instagram, and Facebook, find out their interests and friends, and eventually be able to connect and get information.

Convenience is Key

Convenience trumps security. A CEO needs to get a document sent to him on vacation and doesn’t have his laptop. So, it just gets sent to his phone. There’s an immediate breach of security due to convenience. Plus, it’s been proven you get a dopamine response from social media, leading to the cyber security risk. So many people are on social media that it’s easy for criminals to blast through that surface area.

Ultimately, companies and people need to consider how much they’re exposing. But, sadly, cyber security is difficult to maintain unless you stay off all social media. However, if we adopt some European privacy laws, we might be able to have more protection. Understanding the risks posed by social media, from social engineering to an increased attack surface, is the first step for organizations to take control of their cybersecurity to keep their employees, and business, safe.

About the essayist: Mark Stamford is the founder and CEO of OccamSec. He began dabbling with computers at age 8 and has over 20 years of experience in technology operations, including cybersecurity. He previously worked at UBS and KPMG.

Short-handed cybersecurity teams face a daunting challenge.

Related: ‘ASM’ is cybersecurity’s new centerpiece

In an intensely complex, highly dynamic operating environment, they must proactively mitigate myriad vulnerabilities and at the same time curtail the harm wrought by a relentless adversary: criminal hacking collectives.

In short, attack surface management has become the main tent pole of cybersecurity. A rock-solid, comprehensive battle plan has been painstakingly laid out, in the form of the NIST Cybersecurity Framework. And now advanced weaponry is arriving that leverages data analytics to tighten up systems and smother attacks.

Guest expert: Justin Fier, VP Tactical Risk and Response, Darktrace

One supplier in the thick of this development is Cambridge, UK-based Darktrace, a supplier of security systems designed to help companies “think like an attacker,” says Justin Fier, Darktrace vice-president of tactical risk and response, whom I had the chance to visit with at Black Hat 2022.

We discussed how legacy, on-premises cybersecurity systems generate massive amounts of telemetry – data which is perfectly suited for high-scale, automated data analytics. This is why it makes so much sense for artificial intelligence, generally, to be brought to bear in attack surface management.

Darktrace’s AI solutions, for instance, can help companies rein in API exposures, defuse shadow IT, protect their supply chain and even boost DevSecOps, Fier told me. For a full drill down on our conversation, please give the accompanying podcast a listen.

What’s going to happen as more of these advanced, AI-infused cybersecurity weapons get into the mix on the side of the good guys? I’ll keep watch and keep reporting.


The sunsetting of Virtual Private Networks is underway.

Related: VPNs as a DIY tool for consumers, small businesses

VPNs are on a fast track to becoming obsolete, at least when it comes to defending enterprise networks. VPNs are being replaced by zero trust network access, or ZTNA.

VPNs encrypt data streams and protect endpoints from unauthorized access, essentially by requiring all network communications to flow over a secured pipe. VPNs verify once and that’s it. This was an effective approach when on-premises data centers predominated.

By contrast, ZTNA never trusts and always verifies. A user gets continually vetted, per device and per software application — and behaviors get continually analyzed to sniff out suspicious patterns.
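The contrast drawn above, verify once at the tunnel versus re-verify on every request, is easiest to see as two decision functions side by side. This is an added illustration, a constructed toy policy engine and not Dispersive’s product or any real ZTNA vendor’s API; the users, groups, applications, device attributes and the behavioural baseline are all made-up sample data.

```python
"""Verify-once (VPN-style) gate beside a per-request zero-trust decision.

Added example; constructed policy and sample data, not a real ZTNA product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

NOW = datetime(2022, 8, 12, 15, 0, tzinfo=timezone.utc)  # constructed "current time"
MAX_SESSION_AGE = timedelta(hours=8)
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    days_since_patch: int


@dataclass
class Request:
    user: str
    app: str
    device: Device
    country: str
    authenticated_at: datetime
    mfa: bool


# Which groups may reach which application, and whether the app demands MFA.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "mfa": True},
    "wiki": {"groups": {"finance", "engineering"}, "mfa": False},
}
USER_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}
# Countries each user has logged in from recently (constructed behavioural baseline).
RECENT_COUNTRIES = {"alice": {"US"}, "bob": {"US", "DE"}}


def vpn_gate(req: Request) -> bool:
    """Verify once: a known user with a fresh login gets the whole network.
    Device health, the target app and later behaviour are never examined."""
    return req.user in USER_GROUPS and (NOW - req.authenticated_at) < MAX_SESSION_AGE


def ztna_decide(req: Request) -> Tuple[bool, List[str]]:
    """Never trust, always verify: every request to every app is re-evaluated
    against identity, entitlement, device posture and behaviour.
    Returns (allowed, reasons_for_denial)."""
    reasons: List[str] = []
    if req.user not in USER_GROUPS:
        reasons.append("unknown identity")
    if NOW - req.authenticated_at >= MAX_SESSION_AGE:
        reasons.append("stale authentication")
    policy = APP_POLICY.get(req.app)
    if policy is None:
        reasons.append(f"app {req.app!r} not published")
    else:
        if not (USER_GROUPS.get(req.user, set()) & policy["groups"]):
            reasons.append("user not entitled to app")
        if policy["mfa"] and not req.mfa:
            reasons.append("MFA required for app")
    dev = req.device
    if not dev.managed:
        reasons.append("unmanaged device")
    if not dev.disk_encrypted:
        reasons.append("disk not encrypted")
    if dev.days_since_patch > MAX_PATCH_AGE_DAYS:
        reasons.append("device patch level too old")
    if req.country not in RECENT_COUNTRIES.get(req.user, set()):
        reasons.append("unusual location for this user")
    return (not reasons, reasons)


# Constructed requests: a clean one, one from an unmanaged laptop, one to an app
# the user is not entitled to.
HEALTHY = Device(managed=True, disk_encrypted=True, days_since_patch=3)
FRESH = NOW - timedelta(minutes=5)
REQ_OK = Request("alice", "payroll", HEALTHY, "US", FRESH, mfa=True)
REQ_UNMANAGED = Request("alice", "payroll", Device(False, False, 90), "US", FRESH, mfa=True)
REQ_WRONG_APP = Request("bob", "payroll", HEALTHY, "DE", FRESH, mfa=True)

if __name__ == "__main__":
    for name, req in [("ok", REQ_OK), ("unmanaged", REQ_UNMANAGED), ("wrong-app", REQ_WRONG_APP)]:
        print(f"{name:10s} vpn={vpn_gate(req)!s:5s} ztna={ztna_decide(req)}")
```

The point the two functions make is that `vpn_gate` says yes to all three requests, because a valid login is all it ever looks at, while `ztna_decide` admits only the first and names exactly which check failed for the others; that reason list is also what an operations team would feed into alerting.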

Guest expert: Rajiv Pimplaskar, CEO, Dispersive

This new approach is required — now that software-defined resources scattered across hybrid and public clouds have come to rule the day.

I had the chance at Black Hat 2022 to visit with Rajiv Pimplaskar, CEO at Dispersive, an Alpharetta, GA-based supplier of advanced cloud obfuscation technology. We discussed how ZTNA has emerged as a key component of new network security frameworks, such as secure access service edge (SASE) and security service edge (SSE).

We also spoke about how Dispersive is leveraging spread spectrum technology, which has its roots in World War II submarine warfare, to more effectively secure modern business networks. For a full drill down on our forward-looking discussion, please give the accompanying podcast a listen.

Can the deployment of WWII battlefield technology turn the tide against hordes of threat actors? I’ll keep watch and keep reporting.


Network security is in dire straits. Security teams must defend an expanding attack surface, skilled IT professionals are scarce and threat actors are having a field day.

Related: The role of attack surface management

That said, Managed Security Services Providers – MSSPs – are in a position to gallop to the rescue.

MSSPs arrived on the scene 15 years ago to supply device security as a contracted service: antivirus, firewalls, email security and the like.

They’ve progressed to supplying EDR, SIEM, threat intelligence and other advanced services on an outsourced basis.

Guest expert: Chris Prewitt, CTO, Inversion6

Today, big IT services companies, as well as legacy cybersecurity vendors, are hustling to essentially give shape to the next-gen MSSP, if you will. The leading players are partnering and innovating to come up with the optimum portfolio of services.

I had the chance to visit at Black Hat 2022 with Christopher Prewitt, CTO at Inversion6, a Cleveland-based supplier of managed IT security services. We discussed how far MSSPs have come since the early 2000s, when the focus was on helping companies do check-the-box compliance. For a full drill down on our forward-looking discussion, please give the accompanying podcast a listen.

Going forward, MSSPs seem destined to play a foundational role in enabling digital commerce. They could help enterprises and SMBs overcome the IT skills shortage, truly mitigate cyber risks and comply with audit requirements, to boot.

Can the MSSPs pull off the heroics? I’ll keep watch and keep reporting.


Migrating to and utilizing cloud environments – public, hybrid, or multi – is a source of real investment and positive change for businesses. Cloud is the powerhouse that drives digital organizations.

Related: Cloud security frameworks take hold

Gartner predicts that spending on public cloud alone is set to top $500 billion in 2022 – a 20% growth over last year. But often overlooked in the migration process is the significance of a company’s embedded security measures.

For cloud migration programs to succeed in both the short and long-term, organizations must have an established cloud security policy to guide operations in the cloud, identify and mitigate vulnerabilities, and defend against cyberattacks – before a single byte is migrated.

But where should you begin? Following these steps will help you lay the foundation for a secure and sustainable cloud strategy.

• Design with security first. Although moving to the cloud should follow a standardized approach, the order of operations is often prioritized in favor of rapid results, not security. When security becomes an afterthought, best practices are overlooked, mistakes are made, and vulnerabilities are introduced that can result in significant risk, cost and breaks later.

By considering security first (not a detail to be added on later) and fully grasping cloud technology and risk exposure, your organization can ensure that the cloud architecture is secure before any data is migrated off-premises. It may slow the start but designing with security-first in mind can save you a lot of trouble down the road. For example, companies must plan to secure the perimeter with access protocols and controls – something that is very hard to do once systems are in use.

• Avoid using the same security measures as you do on-premises. Security controls will be a major aspect of your cloud security policy. While it’s essential to consider the security measures you use on-premises – don’t simply replicate them in the cloud. Instead, assess the security controls of your cloud vendor, specifically their identity and access management offerings – both of which increase security and convenience, if done right.

• Adopt a layered approach. A multi-layered defense is an essential component of any winning cloud cybersecurity posture. From the simplest protections like anti-virus, multi-factor authentication, patch management software, and employee security awareness training to the most advanced features like SIEM and conditional access, adding layers provides a vital safety net should something fall through the cracks.

As the business grows and new threats emerge, you can evolve and layer in additional controls as needed. The trick is not to go tool-crazy. Visibility into your cloud security posture is critical, but if it takes an army to sift through dashboards and alerts, things can quickly become unmanageable. Layer, but ensure good integrations of security information across your controls for full-stack observability.

• Know where your data resides – and what’s most critical. Knowing where your cloud data is stored (especially your most sensitive data) can help inform your security policies and meet compliance obligations, such as keeping data within domestic borders. As you craft your cloud security policy, ask your provider where your data is located geographically and if it is likely to be moved around different data centers to increase latency, meet SLAs, or mitigate data loss.


What controls are in place to protect data as it moves? Also, prioritize which kinds of data are most important. By identifying the “crown jewels” in your data, you’ll be able to make better decisions on tools, time and talent regarding your security program. After all, if you don’t know what your most sensitive data is or where it is stored, you can’t protect it.

• Revisit your policy often. At a minimum, plan to review your cloud security policy annually. However, if you plan several digital transformation projects or operate in an agile environment where applications are developed or updated rapidly, such as two-week sprints, consider tying your policy review to your rate of change. This will also likely be a compliance related need as regulations – such as the new proposed SEC rules – take shape.

• Make it sustainable. A cloud security policy can help keep cloud data protected and improve your ability to respond to threats quickly. But these measures must also be sustainable. You can’t reap the benefits of the cloud if you don’t make security a priority from the start. And for that you must cultivate a security-first mindset to migrations and future digital transformation.

About the essayist: Steve Schoener is Chief Technology Officer at ECI. Prior to ECI, he was head of IT for DW Investment Management in New York; he also previously was at UBS Investment Bank as an associate director. Schoener holds a computer science degree from State University of New York at Albany.

The top ransomware gangs have become so relentless that it’s not unusual for two or more of them to attack the same company within a few days – or even a few hours.

Related: How ‘IABs’ foster ransomware

And if an enterprise is under an active ransomware attack, or a series of attacks, that’s a pretty good indication several other gangs of hacking specialists came through earlier and paved the way.

In short, overlapping cyber attacks have become the norm. This grim outlook is shared in a new white paper from Sophos. The report paints a picture of ransomware gangs arriving on the scene typically after crypto miners, botnet builders, malware embedders and initial access brokers may have already profited from earlier intrusions.

I had the chance to discuss these findings last week at Black Hat USA 2022, with John Shier, senior security advisor at Sophos, a next-generation cybersecurity leader with a broad portfolio of managed services, software and hardware offerings. For a drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

Common infection paths

Security teams face a daunting challenge. They must detect and remediate multiple cyber attacks by numerous, determined hacking groups, sometimes coming at them simultaneously and quite often seeking different objectives.

Major vulnerabilities left unpatched, as well as weakly configured system administration tools are sure to get discovered and manipulated, not just once, but many times over. Companies today must stay on alert for a variety of leading-edge malware and be prepared to remediate double or even triple infections.

“The attackers are really competing for a quasi-non-exhaustible resource,” says Shier. “It’s not like if you’re trying to extract oil, and once the oil is out of the ground, it’s gone; a vulnerable system will continue to be vulnerable — until it’s patched.”

Sophos’ report shares findings from four separate ransomware attacks which took place within days or weeks of each other, and, in one case, simultaneously. Most of the initial infections took advantage of an unpatched vulnerability, notably Log4Shell, ProxyLogon, and ProxyShell, or involved the manipulation of a weakly configured Remote Desktop Protocol (RDP) server.

Remediation obstacles

In an increasingly crowded threat environment, with active hacking groups bumping into each other, unpatched vulnerabilities and misconfigured servers get quickly discovered — and exploited to the hilt. In this maddeningly complex operating environment, the attackers are going to great lengths to hide their tracks, making comprehensive remediation a huge challenge.

Often companies fail to identify the vulnerability or misconfiguration exploited by the attackers, leaving the door open for other hackers to discover and exploit, Shier says.

In one of Sophos’ case studies, three prominent ransomware gangs — Hive, LockBit and BlackCat — attacked the same network, one after the other. The first two attacks took place within two hours, and the third attack took place two weeks later. Each of the three ransomware gangs encrypted whatever systems they could get their hands on; and each left its own ransom demand. Thus, some of the victim company’s assets got triple encrypted.

“All three of these actors abused a firewall misconfiguration that was exposing an RDP server,” Shier told me. “LockBit went in first and exfiltrated data and passwords, and then used PsExec to distribute their ransomware payload. So they used a hacking tool with a bit of living-off-the-land technique. The second group, Hive, used that same RDP access to get into the environment and move laterally within the organization and that occurred just two hours after the LockBit attackers had been in that particular network.”

More tightening required

Even for companies with disaster recovery and incident response plans in place, withstanding multiple cyber attacks can be challenging. This is because one hacking group’s obfuscation tactics can hide the tracks of other attackers who’ve been there before them. Thorough remediation can be time consuming and expensive and business continuity can still be materially disrupted.

The financial and reputational damage can be devastating, and the psychological impact overwhelming. “The question isn’t if you’ll get attacked again, it’s how many more times,” Shier observes.

Fresh intelligence like this from the ground floor of the cyber underworld  can and should serve as yet another wake up call. At this point, there’s little mystery about what companies need to do. Remediate breaches more comprehensively. Get much better at quickly patching critical vulnerabilities. Configure system administrative tools more wisely.
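The triple-encryption case above turned on a single firewall rule that left RDP reachable from the internet, and the closing advice is to configure administrative tooling more wisely. A small, repeatable check for exactly that mistake, offered as an added example and not drawn from Sophos or its report: parse a rule set and flag every allow rule that lets a source outside RFC 1918 space reach a remote-administration port. The rule format and the sample rules are constructed for the example; 203.0.113.0/24 stands in for a partner’s public range.

```python
"""Audit a firewall rule set for remote-administration ports exposed beyond
the private address space.

Added example, not Sophos code. The line format (action proto src dst port) is
hypothetical; the check itself is generic.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Ports that administration tools listen on. An internet-facing allow rule for
# any of these is the kind of misconfiguration several ransomware crews reused.
ADMIN_PORTS = {3389: "RDP", 22: "SSH", 5985: "WinRM", 5986: "WinRM/TLS", 445: "SMB"}

# RFC 1918 ranges; a source entirely inside one of these counts as internal.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rule set (hypothetical format: action proto source destination port).
SAMPLE_RULES = """\
# action proto source          destination port
allow  tcp   0.0.0.0/0       10.0.0.5    443
allow  tcp   0.0.0.0/0       10.0.0.7    3389
allow  tcp   203.0.113.0/24  10.0.0.7    3389
allow  tcp   10.0.0.0/8      10.0.0.9    3389
allow  tcp   any             10.0.0.11   22
deny   tcp   0.0.0.0/0       10.0.0.12   3389
"""


@dataclass
class Finding:
    line: int
    source: str
    destination: str
    port: int
    service: str
    severity: str  # "critical" = whole internet, "high" = scoped external range


def _is_internal(src: ipaddress.IPv4Network) -> bool:
    """True only if the whole source range sits inside one RFC 1918 block."""
    return any(src.subnet_of(net) for net in INTERNAL_NETS)


def find_exposed_admin_ports(rules_text: str) -> List[Finding]:
    """Return one Finding per allow rule that exposes an admin port externally."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(rules_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        action, proto, src, dst, port_text = line.split()
        if action != "allow" or proto != "tcp":
            continue
        port = int(port_text)
        if port not in ADMIN_PORTS:
            continue
        src_net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src, strict=False)
        if _is_internal(src_net):
            continue
        severity = "critical" if src_net.prefixlen == 0 else "high"
        findings.append(Finding(line_no, src, dst, port, ADMIN_PORTS[port], severity))
    return findings


def report(rules_text: str) -> List[str]:
    """Human-readable lines, one per finding."""
    return [f"line {f.line}: {f.severity.upper()} {f.service} ({f.port}) on "
            f"{f.destination} reachable from {f.source}"
            for f in find_exposed_admin_ports(rules_text)]


if __name__ == "__main__":
    for entry in report(SAMPLE_RULES):
        print(entry)
```

Two caveats a practitioner should carry over to a real rule base: most firewalls evaluate rules first-match, and this script does not model ordering, so the trailing deny in the sample does nothing about the allow above it (rule shadowing is a separate check); and a finding on a non-RFC 1918 but still internal range (carrier NAT space, a second site’s public block) needs a site-specific allowlist added to INTERNAL_NETS.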

Observes Shier: “There are a lot of things we learned at the birth of the Internet that still apply today; security principles like least privileges and segregation of high value targets are vital. We’re starting to come back to those principles once more, under the guise of codifying things like Zero Trust Network Access, a framework that allows you to deploy and not necessarily trust anything until it has proven itself trustworthy through identity mechanisms baked into the protocol.”

Shier is spot on. Things are moving in a positive direction, albeit incrementally. For instance, he pointed out that after a spike in new RDP activation — in response to the rise in remote work scenarios triggered by Covid-19 — companies soon commenced implementing tighter controls by embracing frameworks like ZTNA.

There remains plenty of room for significantly more tightening, of course. I’ll keep watch and keep reporting.


Technology provides opportunities to positively impact the world and improve lives.

Related: Why facial recognition ought to be regulated

It also delivers new ways to commit crimes and fraud. The U.S. Federal Bureau of Investigation (FBI) issued a public warning in June 2022 about a new kind of fraud involving remote work and deepfakes.

The making of Deepfakes

The world is on track to see around 50% of workers transition to sustained, full-time telecommuting. Conducting job interviews online is here to stay, and deepfakes may be part of that new normal.

The term refers to an image or video in which the subject’s likeness or voice was manipulated to make it look like they said or did something they didn’t.

The deepfake creator uses “synthetic media” applications powered by machine learning algorithms. The creator trains this algorithm on two sets of videos and images. One shows the target’s likeness as they move and speak in various environments. The second shows faces in different situations and lighting conditions. The application encodes these human responses as “low-dimensional representations” to be decoded into images and videos.

The result is a video of one individual convincingly overlaid with the face of another. The voice is more difficult to spoof. However, faked images look increasingly convincing as algorithms learn and get better at mimicking general human mannerisms and the specific characteristics of the target.

Some bad actors also use this technology to create synthetic audio. One high-profile story saw criminals use a deepfake to impersonate a high-level executive over the phone and successfully authorize large fund transfers. The losses totaled $243,000, and the fraud tricked individuals in the company who knew the real person.


Even deepfake examples designed to educate the public — like a doctored video of Nixon’s resignation speech — fool observers without meaning to.

The FBI’s warning

The FBI announced that its Internet Crime Complaint Center (IC3) had observed an uptick in employment-related fraud involving stolen personally identifiable information (PII) and deepfakes. These fraudsters frequently use ill-gotten PII to create synthetic images and videos to apply for work-at-home positions. Some of the roles include:

• Information technology (IT)

• Database design and maintenance

• Computer programming and app design

• Finance- and employment-related technology

Some of these roles involve handling intellectual property as well as employee, patient or client PII. The stakes are not as simple as lying one’s way into a new job. The larger goal is to use the stolen and synthesized likenesses to secure a position with proximity to valuable company data or personal information.

Protecting organizations

Deepfakes are convincing, but there are signs to look for. Machine learning isn’t flawless and sometimes results in an image with telltale artifacts such as:

• The subject blinks too frequently or not enough.

• The eyebrows or hair, or portions of them, don’t match the subject’s face or movements.

• The skin appears overly wrinkled or too flawlessly smooth.

• The voice’s pitch does not match other characteristics of the speaker.

• Reflections in the eyes or glasses don’t match the speaker’s surroundings.

• Other aspects of the speaker’s movement or appearance don’t match the video’s expected physics or lighting.

Overlaying one individual’s likeness over someone else’s is seldom a seamless process. Spoofing a voice is likewise imperfect.

Even so, the losses accruing due to deepfake abuse are already staggering. A single example resulting from “deep voice” fakery resulted in a loss of $35 million in fraudulent bank transfers.

Best defense: awareness

The Nixon example was an attempt to educate the public through exposure. Jordan Peele’s deepfake of President Obama also sought to spread awareness. Elon Musk compared the use of deepfakes to “summoning the demon” to describe how dangerous they can be.

Beyond cultivating awareness, experts recommend companies and individuals take practical actions:

• Come up with a secret question or code word to exchange at the beginning of all online or phone conversations.

• Partner with a biometrics-focused security company and ensure their authentication technologies are up to the challenge.

• Educate employees and partners about deepfakes using the same techniques as general cybersecurity awareness.

Using technology to fight technology can take people only so far. The best defense for any new attack vector is vigilance, awareness and not being afraid to ask for confirmation when someone receives a request that raises suspicions.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.