Back in 2011, the World Health Organization conducted research on safety and security on the Internet, listing such general threats to security as spam, viruses and malware, and phishing scams. Now, at the turn of the decade, it feels right to look over the past ten years and assess whether the same threats are still looming over us and what challenges to online security we will face in the 2020s.
The Internet has indeed grown to be more dangerous over the past ten years, simply as a consequence of its expansion: we feel more at ease spending money online – and on intangible online goods. Besides, the number of websites and connected devices has grown exponentially, forming the Internet of Things.
The main threats, however, remain much the same; as the stakes grow, attacks become ever more sophisticated.
Phishing attacks have been among the top threats in recent years and they are expected to stay in the foreground over the coming decade.
Ten years ago, phishing was rather straightforward: you could receive an email with a link that you were supposed to click, or you could be asked your bank account details by an unknown philanthropist – something that is now virtually unheard of. These days we are reasonably well protected by email services and browsers that filter out most spam and suspicious messages.
In response, scammers rely on social engineering to play on our feelings so that we willingly reveal confidential or personal information, or simply transfer our money to a certain account. For instance, scammers can pretend to be charity organisations and take advantage of current events, such as natural disasters or health scares (e.g., the coronavirus-related panic) to work on us through our fear and compassion.
At the same time, phishing scams are growing in scope and variety: in the future we can expect them to combine traditional schemes with voice phishing via calls (vishing), SMS (smishing), or to be disguised as trusted services. Advanced vishing attacks can use Voice over Internet Protocol (VoIP) and broadcasting services to spoof the caller’s identity.
Scammers take advantage of people’s trust in the security of phone services, especially landline services, and address potential victims simultaneously via email, voice, text message, and web browser functionality to gain more credibility. For instance, a targeted person might receive calls and emails from a hotel employee who would complain that they couldn’t process a credit card payment and ask for additional details, or from a bank asking to provide certain information to unblock a suspended account.
Viruses and malware
Similar to phishing scams, viruses have also become more technically advanced. The fast development of machine learning and artificial intelligence has revolutionised protection systems – 86 per cent of enterprise-grade systems are currently AI-driven. Such giants as Avast, and smaller companies Cylance and Deep Instinct, leverage mathematical algorithms and big data to understand the baseline of security for a given system and learn how to react to anomalies.
Unfortunately, it has also opened new opportunities for malware and viruses. We can expect them to use AI techniques to have self-modifying code and to get around firewalls and detection systems. Besides, a deep understanding of the principles of AI helps malware developers trick AI-enabled antiviruses: in one instance, researchers from the Australian company Skylight Cyber simply took some lines from a non-malicious file and appended them to a malicious one, tricking the well-known Cylance PROTECT system into thinking the malicious file was benign.
In contrast to the early 2010s, we live in a world equipped with connected devices at all levels: from individual smartphones and home thermostats to industrial systems and smart cities.
Yet, most such devices are not adequately protected, and the most vulnerable parts are cameras and microphones – the most common components of consumer devices that are growing in popularity thanks to voice assistants.
Once an attacker has access to a device camera or a microphone, they can obtain all information about the owner. Similarly, a single hacked thermostat can open the way for attacks on the NAS system and further, on devices that can even be isolated from the external Internet, such as phones.
In broad terms, we can speak of two types of breaches of the IoT security:
- a connected device can be hacked to be used for DDoS attacks, such as the Mirai malware that attacked Dyn in 2016; or
- a connected device can be used to steal your data for identity simulation. For example, your laptop camera can capture your face, which can then be used to get access into your smartphone and consequently to all personal data.
To protect connected systems, especially consumer ones, companies are trying to develop AI-driven solutions, such as DÏoT, that would detect anomalies and reveal attacks based on the abnormal behaviour of specific devices. However, such solutions are still limited to smaller-scale connected systems and rather primitive attacks. With the growing threat of identity theft and expansion of the IoT, more sophisticated protection systems that would be able to track activities on each type of connected device are bound to pop up in the next decade.
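A simplified illustration of the device-type-specific anomaly detection described above, added here and not taken from DÏoT or any vendor's product: a profile learns which flow transitions are normal for one device type, then scores a traffic window by the share of transitions it has rarely or never seen. The flow fields, thresholds, addresses and thermostat traffic are constructed assumptions.

```python
from collections import Counter

def symbol(flow):
    # Reduce a flow to a coarse symbol; addresses are dropped on purpose
    return (flow["dir"], flow["proto"], flow["dport"])

class DeviceTypeProfile:
    """Bigram model of flow symbols learned from benign traffic of one device type."""

    def __init__(self):
        self.prev_counts = Counter()
        self.pair_counts = Counter()

    def train(self, flows):
        seq = [symbol(f) for f in flows]
        self.prev_counts.update(seq[:-1])
        self.pair_counts.update(zip(seq, seq[1:]))

    def transition_prob(self, prev, cur):
        seen = self.prev_counts[prev]
        return self.pair_counts[(prev, cur)] / seen if seen else 0.0

    def anomalous_fraction(self, flows, min_prob=0.05):
        """Share of consecutive flow pairs the benign model considers unlikely."""
        seq = [symbol(f) for f in flows]
        pairs = list(zip(seq, seq[1:]))
        if not pairs:
            return 0.0
        rare = sum(1 for p, c in pairs if self.transition_prob(p, c) < min_prob)
        return rare / len(pairs)

def flow(proto, dport, dst="203.0.113.10", direction="out"):
    return {"dir": direction, "proto": proto, "dport": dport, "dst": dst}

# Constructed benign cycle for a hypothetical thermostat: DNS, two HTTPS calls, NTP
CYCLE = [flow("udp", 53), flow("tcp", 443), flow("tcp", 443), flow("udp", 123)]
PROFILE = DeviceTypeProfile()
PROFILE.train(CYCLE * 50)

NORMAL_WINDOW = CYCLE * 3
# Constructed window: the same device suddenly opens telnet connections to many hosts
SCAN_WINDOW = (CYCLE[:2]
               + [flow("tcp", 23, dst=f"198.51.100.{i}") for i in range(1, 9)]
               + [flow("tcp", 443)])

def is_anomalous(window, threshold=0.5):
    return PROFILE.anomalous_fraction(window) >= threshold

if __name__ == "__main__":
    for name, w in (("normal", NORMAL_WINDOW), ("scan", SCAN_WINDOW)):
        print(name, PROFILE.anomalous_fraction(w), is_anomalous(w))
```

Because the profile is keyed to a device type rather than to the network as a whole, traffic that would be unremarkable from a laptop still stands out when it comes from a thermostat.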
In the past, cybercrime was an individual job for those with functional knowledge of businesses, or even for technically-savvy teenagers known colloquially as “script kiddies.” In those days it was easier to become a hacker: there were ready-made applications to intercept traffic, or you could buy a simple WiFi adapter to play a practical joke.
Today, with the introduction of HTTPS, the skills required and the cost of attacks have grown, transforming the hackers’ subculture into commercially-oriented anonymous attackers, often backed by organised crime. The most famous attack, which was proved to have been organised, was the Russian hackers’ intervention into the 2016 US Presidential Elections. In the future, we can expect cybercrime to adopt the Crime-as-a-Service business model: with such “customer” systems, “users” can log into the server, choose from the tools offered for fraud, phishing, and data stealing and download them. Crimeware servers, at the same time, would allow users to control compromised computers and manage the stolen data.
A growing mistrust in the Internet and awareness of cybercrime have made us more security-savvy: the information we get from mass media about phishing scams and social engineering helps us fight off basic attacks.
However, people’s knowledge of cybersecurity remains basic: users do not always understand the idea of a secure connection and encryption, they have no clear picture of how traffic interception works and how – and to what extent – they can be spied on. We express concern about our privacy, but this field is so complicated that even with the GDPR in place we do not understand what we should allow and what needs to remain protected.
Speaking of GDPR, it’s far from being the privacy silver bullet. The companies that collect our data online do not always fully comply with the GDPR: some information might be deleted when requested, while certain data is anonymised but remains in the system. Over time, companies accumulate such personal data that can be traded or stolen by the company’s employees or contractors.
In principle, this makes us all potential victims of cybercrime and the situation will not change in the near future. Every smartphone can easily be hacked using spy apps, and attackers can get access to the devices in your home by hacking the WiFi password.
In reality, however, we are relatively safe because the cost of hacking our phones and laptops is — in most cases — higher than the potential profit. As reports suggest, 83.9 per cent of attacks target just five industries: financial, email, cloud, payment, and SaaS, or the services where the cost-to-profit ratio is the highest.
Of course, we should know some basic protection rules, such as having different passwords for devices and applications, running a VPN connection when on open or untrusted Wi-Fi networks, and changing default passwords on network devices. The evolution of the Internet away from being a controlled medium has produced great potential for communication, commerce and research, but this growth comes at a price – and the more awareness we develop about the implications, the less likely we are to fall victim to a hacking attack.
Vasiliy Ivanov, founder and CEO, KeepSolid