The rapid evolution of the digital space has prompted cybersecurity to become a social necessity in recent years. As businesses journey into 2022, this rapid evolution demands a level of preparedness for cybersecurity challenges that aims to protect both their brands and clients. As such, this article discusses three critical challenges facing the digital space, identifies potential vulnerabilities, and provides recommendations for businesses to help address these threats effectively.
Internet of Things
The concept of the Internet of Things (“IoT”) perfectly describes how our lives are constantly interconnected with technology in an ever-increasing way. In 2018, industry experts estimated that each consumer in the U.S. had approximately eight networked devices, with predictions of more than 13 devices per person by 2022. This increase of interconnected devices has inevitably led to an increased risk of cyberattacks, compromising data privacy. In the first six months of 2021 alone, more than 1.5 billion attacks occurred against IoT devices, at an average of 5,200 attacks per month. Consequently, as the Internet of Things continues to expand its role in our day-to-day lives, so will the challenges.
The threat from IoT is not so much that an individual device will be compromised, but that IoT will allow an avenue for attack of a network. For instance, in March of 2021, Verkada, a security company specializing in physical access control and video surveillance suffered a network wide hack. The hackers gained access to 1500,000 live feeds and exposed footage from cameras inside hospitals, companies, police departments, prisons, and schools, throughout the country. Companies heavily affected by the hack included carmaker Tesla Inc., luxury gym chain Equinox, and software provider Cloudflare Inc. Hackers accomplished the attack by exploiting a misconfigured customer support server exposed to the internet. Once the hackers accessed that server, they found customer support administrator credentials and used those to log into a customer support web interface, where they accessed customer devices using internal support functionality that emulated user sessions. Due to the company’s centralized video streaming services, the hackers were able to access thousands of video feeds at once.
The fact that most new IoT devices are still in their infancy means there is a much larger attack surface for cybercriminals to target the vulnerabilities associated with them. In the Verkada attack for instance, the functionality of the cameras relied on a feature that was in the beta stage of design but was made available to its customers. Thus, by having root access to all of the connected cameras meant that hackers could potentially execute malicious code and move laterally into customer networks.
Privacy and cybersecurity concerns related to the Internet of Things, often stem from (1) limited user interfaces in the products, (2) lack of industry experience with privacy and cybersecurity, (3) lack of incentives in the industries to deploy updates after products are purchased, and (4) limitations of the devices themselves, such as lack of effective hardware security measures. Accordingly, to prevent infiltration and limit impact, businesses should work on addressing these core concerns within their organizations in the coming year.
The threat of ransomware has increased in the last two years and continues to disrupt every sector from financial services to higher education. With ransomware attacks being able to threaten data destruction if a ransom is not paid, these attacks are becoming the primary method for cybercriminals and are expected to increase throughout 2022.
Generally defined, ransomware is a type of malware with which the malicious actor either (1) locks a user’s operating system, restricting the user’s access to their data and device, or (2) encrypts the data so that the user is prevented from accessing their files. A ransomware variant is typically introduced to the device via a malicious link clicked by the victim. Once a device or system is infected, ransomware identifies and encrypts its victim’s files. As the name implies, the victim is then told to pay a ransom to regain access.
Proving itself to be a lucrative opportunity for threat actors, the global financial damage caused by ransomware in 2021 was estimated to be more than $6 trillion—which was 57x more than it was in 2015. The average ransom payments made by victims (governments, businesses, and individuals) also increased by 63% in 2021 to $1.79 million compared to $1.10 million in 2020. To demonstrate further, in May 2021, computer manufacturer Acer suffered a ransomware attack and the hackers demanded a $50 million ransom—the largest known to date.
It is likely that ransomware attacks have been successful because of weaker defenses due to inadequate IT budgets or, in some industries, outdated equipment that is difficult to update or patch, providing easy entry points for attackers. Though each ransomware incident should be evaluated on a case-by-case basis to ensure increased protection against ransomware in the coming year, organizations should consider implementing the following two precautions:
- Deploy layered security protection. Layered security is the process of protecting digital assets on several layers, each providing additional defenses. Using layered protection will help prevent attackers from reaching as many points within your network as possible.
- Combine human experts and anti-ransomware technology. Although advanced and automated technologies are essential elements of an effective anti-ransomware system defense, human monitoring and intervention are necessary to combat hands-on attacks. Scale and automation can come from technology, but human experts can detect the telltale tactics, techniques, and procedures that indicate a skilled attacker is trying to infiltrate an environment.
Cryptocurrency theft (“crypto theft”), is a novel cybercrime that looks prevalent in 2022. Already making headlines, one of the most popular cross-blockchain bridges, Wormhole, suffered a loss of $326 million in cryptocurrency after hackers exploited a vulnerability in Wormhole’s platform. As the popularity of cryptocurrency increases, this digital asset will present new challenges.
In 2021, crypto theft reached a new all-time high, with illicit addresses receiving $14 billion, up from $7.8 billion in 2020. A large portion of this theft resulted from decentralized finance (“DeFi”), an emerging financial technology based on secure distributed ledgers similar to those used by cryptocurrencies. The DeFi system aims to remove the control banks and other financial institutions have on money, financial products, and financial services by creating a decentralized financial system that is not controlled by a single entity. By working on a decentralized platform, DeFi systems have made it possible for developers at all stages—from amateurs to experts to launch projects on DeFi platforms. Thus, a small coding error on the developer’s end, for example, can turn into a security vulnerability that hackers can exploit. A stark example is the Wormhole hack mentioned earlier. In that case, Wormhole used its decentralized finance protocol known as MonoX which allows users to trade cryptocurrency without some of the requirements of traditional exchanges. As a result of an error within the company’s software, an attacker was able to inflate the price of the MONO token and use it to withdraw all the other deposited tokens, resulting in a million-dollar loss.
Due to cyberspace’s anonymity, discovering and investigating a criminal’s identity is a challenging endeavor. Despite these challenges, the economic impact of cybercrimes has prompted law enforcement to work aggressively in tracking and seizing cryptocurrency often used by criminal hackers. Most recently, a couple in New York was arrested by the Justice Department for conspiring to launder stolen Bitcoins from the 2016 hack of a cryptocurrency exchange in which $4.5 billion disappeared. This arrest offered victims of cybercrimes a glimmer of hope that once seemed impossible to achieve.
Reprinted with permission from the February 14, 2022 issue of The Legal Intelligencer. ©2022 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.