The influence of advanced technologies such as AI and deepfakes is transforming the cybersecurity landscape, posing new challenges for organizations to manage cyber risk.
In a recent interview with Infosecurity Magazine during the ISC2 Security Congress, ISC2 CISO, Jon France, shared his insights on these hot topics and offered valuable advice for security leaders.
Infosecurity Magazine: How are we seeing deepfakes being leveraged by malicious actors?
Jon France: It’s relatively easy to craft text, but it’s very much more difficult to do voice. However, the deepfake trainable models are becoming very good and leading to worrying stories around spearphishing and business email compromise (BEC) incidents.
Deepfakes are much better quality and are starting to be used by attackers to target victims through vishing. The other thing that usually goes along with these kinds of use cases is putting the person under stress, so they have to make a quick decision. Attackers are getting good at engineering a position where they can apply a stresser and then use a deepfake to convince the victim to do something reasonable.
These attackers are also much more targeted, they tend to have done their open-source intelligence gathering on the individual themselves and work out how they can manipulate them.
It used to be that those scenarios – the specific vector used and the intelligence – were expensive. It’s now much cheaper with attackers using off-the-shelf tools, and it’s proving effective.
IM: How can we tackle deepfake threats?
JF: The antidote to deepfakes is procedural controls. If you’re doing high-value transactions, you need to get secondary authority – for example, if a transaction has been requested by the CEO, the CFO also has to sign it off.
There are some low-tech ways of making these attacks less likely to succeed. Part of that is cultural, part is awareness and part is in-control design.
“The antidote to deepfakes is procedural controls.”
These are all things that are well known in the security industry. The barrier to them being implemented is friction – if you introduce friction into someone’s role then they tend not to like it. However, some of these controls are now relatively simple and low friction.
For example, getting a second signature used to involve physically going to a second person; now you can use electronic means to do that.
IM: What are the trends you are seeing around ransomware?
I think one of the significant changes with ransomware is that companies generally now are very good at restoring data. Denial of access to your data or operations used to be the main leverage used by ransomware attackers. The recovery stance has made that go away to a great degree.
When we look at the CIA [Confidentiality, Integrity and Availability] triad, availability is what they go after first. Then they go after confidentiality, where they exfiltrate your data and threaten to either sell it or publicly expose it. We’re seeing that as the most prominent lever against organizations.
I think we’ll also see integrity attacks, which is where they change some of your data and then ransom you.
IM: What are the biggest challenges security leaders are facing currently?
JF: The growth of the general threat landscape at a macro level, which is caused by more reliance globally on digital systems. The complexity of systems is going up too, so the breadth and depth of threats is growing which is putting pressure on security leaders.
The sophistication of attackers is also going up, which requires sophistication in defenders – it’s an arms race.
Then its risk management, which is how we quantify and treat those threats – what do I treat first and to what level. For security leaders, the answer is getting closer to what the business does, which requires understanding the language of business and what is important to the stakeholders in your organization.
You can see with the new SEC rules that we are starting to require literacy at the boardroom around these threat vectors. You’re starting to see the baseline of regulation. In the EU alone, there is NIS2, the Digital Operational Resiliency Act (DORA), the Cyber Resilience Act (CRA), the Cybersecurity Act (CSA), the upcoming AI Act – all security related.
The regulatory landscape is requiring more effort in the world of cybersecurity, and this will drive the need for more literacy at all levels.
Talking the language of risk is probably where you’ll see technologists moving into boardroom politics and machinations. Boards talk about risk so if you can talk about risks, you’re talking a common language.
IM: What advice do you have for security professionals to learn this language?
I tell my team a lot that if they really want to progress to senior levels and become a CISO, learn about business.
I was fortunate in my career in two respects. One is I was curious and like learning. Secondly, I was given exposure to business through running non-technical functions and asked for and received good mentoring.
My grounding is in technology and security, but I had that curiosity to learn from others – such as spending time with other teams.