Anyone looking at the state of digital security, especially with regard to large corporations, could easily paint a war scenario. But there are also optimistic forecasts, at least in some aspects and, mainly, regarding the adoption of more complex and advanced systems. After the home office rush and the wave of attacks that accompanied it, businesses have become more concerned, yet the incident rate remains soaring. This is what a panel of trends and threats for 2022 by ESET, specialized in digital security, showed.
- More than a third of companies pay after being victims of ransomware
- Spy campaign by "digital mercenaries" has even claimed victims in Brazil
- Check Point opens platform for professional training in cybersecurity
According to a survey by its experts, 70.5% of companies are leaving the pandemic with a greater concern for their own protection. The zero trust protocol seems to be one of the main paths, especially given the convergence of devices, with 30% of Latin American companies claiming to have adopted systems of this type in the last two years, while, among those that still intend to implement such solutions, 72% they said this will be done in the short term. The data directly meets a fear that, although not widespread, is quite significant: 30% of executives interviewed by ESET believe that their corporations are not well prepared to deal with digital threats.
As has been said since the beginning of isolation due to covid-19, the accelerated digitization of critical processes, the rapid adoption of the hybrid cloud and the use of personal equipment for work outside the office are the main factors for this distrust. “Today, in general, companies are better prepared than in 2020, but there is still a lot to be done. The use of home devices [at work] is the worst possible scenario, leaving [the environment] highly exposed”, adds Daniel Cunha Barbosa, security researcher at ESET.
Feedly: Subscribe to our RSS feed and don't miss any Canaltech content in your favorite news aggregator.
In this sense, specialists point out that, as much as there is progress in the adoption of advanced defense tools, the human factor remains the main vulnerable aspect. And here, it's not just about employees falling for phishing scams or elaborate social engineering attempts, but also a reticent view, especially from more rigid organizations, of embracing digital processes. 57% of workers who adopted hybrid or home office regimes, for example, did not receive corporate tools and devices to use while at work, while common tools like two-step authentication or corporate VPNs, for example, are only used in a third of companies.
hard stop trio
We have in our hands an account that doesn't close, with three pillars that should talk to each other but end up becoming the Achilles' heel of digital security. First, and again, is the rapid adoption of cloud computing services, incredibly fast and often misconfigured, to support large-scale home office adoption. It's what Barbosa calls “pandemic mode”, a use of touch-and-cash systems that put everyone at risk.
Then comes the well-known and mentioned use of personal devices, which are not limited to cell phones and personal computers, but also home routers that may be misconfigured. Outside corporate networks and the reach of IT professionals, who cannot even interfere in such routines, the doors open to cybercrime and also to a mix between private and professional use that can lead to threats.
Finally, in the return to the hybrid regime, shared spaces and the idea that employees can work from anywhere comes up as an issue. In Barbosa's view, there is little concern about data security in the real world and the expert exemplifies this with the anecdote of when, in a cafe, he heard two professionals from a company exchanging credentials at the table beside him. They carried the corporate logo on their shirt, and for an attacker it would be like handing over access data from a tray.
“There is an adoption curve to telecommuting, which has made the human factor continue to be a cybersecurity issue. IT professionals cannot be blamed solely for such difficulties", adds Barbosa. Again, the educational issue comes to the fore, with 52% of corporations interviewed by ESET having trained their employees on security issues; a number that sounds small given the considerable increase in attack surface generated by the hybrid work.
The specialist also mentions other inherently human aspects of this issue, such as the greater relaxation generated by the home office routine and the greatest distractions at home, with family and pets, for example. This more casual aspect — after all, we all know that you've been working in your pajamas, from the sofa, for a few days — can be a risk factor, as it reduces focus and can lead to inattention-related safety slips.
Criminals are well aware of this and have placed phishing emails and messages at the top of intrusion vectors on corporate networks. According to ESET, the total number of fraudulent communications had already doubled in 2020, compared to 2019, and it increased again by equal power in 2021; in Brazil, instant messengers such as WhatsApp are as important an issue as e-mail and, again, bypass corporate security systems while mingling with personal photos and texts.
Faced with a public health calamity and a global vaccination effort, fake news has also become a distribution factor. According to the security company, the use of alarmist texts and slogans makes messages of this type 70% more likely to be shared, while the overall volume increased 50% in 2021. With false news, malware and pages also arrive malicious ones that can steal credentials and, again, can be accessed intentionally or unintentionally by collaborators.
On the other hand, there was also a significant increase in movement and, more than that, the transformation of cybercrime into an industry worth tens of millions of dollars, which should also reach 2022 with force, supported by the pillars of vulnerabilities cited by ESET experts . One of the main protagonists, says Carlos Marino, the company's sales engineer, should continue to be ransomware.
Attacks in this category register a 60% increase in Brazil and, more than that, their tools are sold to third parties by criminals as a way to maximize profits. The lack of updates and the use of outdated solutions also put our country in the crosshairs: according to data from the security company, 56% of the cases of digital kidnapping registered in the country were due to a breach in Excel 2003, as well as software from the 2008 Office suite The vulnerability, discovered in 2012, has had an update available for nearly a decade, but remains a danger to corporations here.
Less is more
The broadly financial focus is likely to follow as a trend from 2022 onwards. Barbosa points to a drop in the number of ransomware detections this year, but an increase in the use of pest variants, indicative of more targeted and more effective attacks. Forecasts for Brazil in this regard are not good, the expert points out, with an increase in the interest of international groups for corporations here and a greater focus that may even result in a lower total of coups, but also in a high destruction potential.
Among the tools being used by attackers to maximize the effectiveness of their operations are machine learning systems, which help identify open ports and gaps that allow entry, without the bad guys necessarily relying on phishing. Fraudulent emails should remain the main vectors, due to the ease of implementation, but in large and sophisticated attacks, ESET highlights the use of advanced tools that also involve deep fakes as a way to circumvent authentication.
In parallel, ESET experts also cite an increase in the deployment of pests that mine cryptocurrencies, mainly in attacks against end users and corporate servers. According to specialists, Brazil is already the third in Latin America in the number of detections in this category, with 10% of cases registered here and only behind Ecuador (14%) and Peru (40%). The expectation is that second place will change hands, to the detriment of our countrymen, very soon.
Also in this sense, analysts point to NFTs as a trend of threats, even though scams in this sense are not so common. However, it goes without saying that, given an industry with a sales volume of US$ 2.02 billion and growth of 2,000% between the end of 2020 and the first quarter of this year, criminals will want a sizable slice of that pie. .
In this sense, ESET presents the danger, but also shows blockchains as a possible way to increase the reliability, mainly, of transactions in the financial system or of device validation in networks. Processes in the healthcare and operations segments that deal with documentation can also take advantage of the use of technology, which is still in its infancy outside the crypto world, but seen as a trend.
Again indicating that the same tools used by cybercrime can also serve for protection and mitigation, experts also indicate that machine learning solutions can be strong allies in locating and mitigating failures, especially in the aforementioned zero day vulnerabilities. Such technologies, together with the aforementioned zero-trust systems and education initiatives, could serve to raise the level of digital security at a time that, if already critical, seems on the verge of becoming even more so.
Read the article on Canaltech .
Trending at Canaltech:
- Tried to migrate from Android to iPhone; here's what i learned
- World's most expensive fuel | The price of gasoline in other countries
- 7 scary animals that don't even look like the works of nature
- Crystal predicted 50 years ago is found in its place of origin for the 1st time
- Asian plague is seen for the first time in Brazil