Connect with us

Expert Speak

How Deepfakes Attack Business and How to Combat Them

Published

on

Recently, the FBI announced that more companies have been reporting people applying to jobs using deepfakes. Imposters use video, images, recordings, and stolen identities pretending to be someone else to get a remote IT position. This may sound like a joke, but hiring a deepfake can lead to serious problems when a fake employee gets access to sensitive corporate information and customer data. This may pose a threat to a company’s data security, and in an event of a breach, the company likely won’t have a chance to bring the fraudster to justice.

The case mentioned above is not the only way scammers use deepfakes to take advantage of a business. As technology evolves, adversaries can use this new method to cheat biometric tests used by banks and cryptocurrency exchanges to verify users’ identities for money laundering. According to the Sensity report, nine of the top 10 Know Your Customer (KYC) vendors were highly vulnerable to deepfake attacks.

Deepfakes are also used for spear or targeted phishing. Adversaries can mimic a company’s executives to gain a person’s trust and trick them into turning over sensitive data, money, or access to the organization’s infrastructure. In one case, criminals managed to get $35 million forging the voice of a company’s director.

“Understanding the danger is half the battle. Educate your employees and let them know about the new fraudulent methods. A high-quality deepfake requires a lot of expertise and effort, while fakes used for scams or synchronous interaction during an interview would probably be low-quality” – says Vladislav Tushkanov, lead data scientist at Kaspersky. “Among signs of a deepfake, there are unnatural lip movements, poorly rendered hair, mismatched face shapes, little to no blinking, skin color mismatches, errors in the rendering of clothes, or a hand passing over the face. However, an adversary may intentionally lower the video quality to hide these artifacts. To minimize the chance of hiring a fake employee, break job interviews into several stages involving not only HR managers but also people who will be working with a new employee. This will increase the chances of spotting anything unusual.”

Technologies are also good helpers in combating deepfakes. A reliable cybersecurity solution will ensure support if a high-quality deepfake convinces an employee to download malicious files or programs or to visit any suspicious links or phishing websites. The anti-fraud solution that provides user behavioral analysis and financial transaction monitoring may be a good option for companies using KYC, providing an additional layer of protection.

Cloud

Preparing a Secure Cloud Environment in the Digital New Norm

Published

on

Written by Daniel Jiang, General Manager of the Middle East and Africa, Alibaba Cloud Intelligence

As hybrid or remote working is being adopted by many companies globally and becoming the ‘new norm’ for millions of workers, cyberattacks meanwhile continue unabated. Building a secure and reliable IT environment has therefore become an increasingly important priority for many businesses who are exploring opportunities in the global digital economy. While moving to the cloud and using cloud-based security features is a good way to challenge cyber risks, it’s important to delve deeper into how best to construct a secure and reliable cloud environment that can fend off even the most determined attacker.

In today’s digital environment, discussions about cyber security’s best practices have never been more important. The UAE in particular established the Cybersecurity Council to develop a cybersecurity strategy and build a secure cyber infrastructure by creating related regulations. Following this move, the nation ranked 5th place on the International Telecommunications Union’s Global Cybersecurity Index 2020, jumping 33 places and it continues to prioritize cyber security and awareness. Creating a secure cloud environment – from building the architecture to adopting cutting-edge security technologies and putting in place important security management practices – will inspire more thorough conversations on this subject.

A resilient and robust security architecture is essential for creating a cloud environment capable of assuring an organisation about the availability, confidentiality and integrity of its systems and data. From the bottom up, the architecture should include security modules of different layers, so that companies can build trustworthy data security solutions on the cloud layer by layer – from the infrastructure security, data security, and application security to business security layers.

In addition to the security modules of all of the layers, there are a variety of automated data protection tools that enable companies to perform data encryption, visualisation, leakage prevention, operation log management and access control in a secure computing environment. Enterprises can also leverage cloud-based IT governance solutions for custom designs of cloud security systems to meet compliance requirements from network security and data security to operation auditing and configuration auditing. This ensures full-lifecycle data security on the cloud, with controllable and compliant data security solutions in place.

Another consideration is to build a multi-tenant environment, abiding by the principle of least privilege and adopting consistent management and control standards to protect user data from unauthorised access. In addition, establishing strict rules for data ownership and operations on data, such as data access, retention and deletion, is also pivotal in creating a safe environment.

Moreover, enterprises can embrace the zero-trust security architecture and build a zero-trust practice by design to protect the most sensitive systems. The architecture requires everything (including users, devices and nodes) requesting access to internal systems to be authenticated and authorised using identity access protocols. As such, the zero-trust security architecture cuts down on automatic trust, or trust without continuous verification, addressing modern challenges in securing remote working environments, hybrid cloud settings and increasingly aggressive cyber threats.

Cutting-edge security technologies such as comprehensive data encryption, confidential computing and many more emerging tech solutions, can be leveraged to ensure we stay on top of the trends in cybersecurity. Comprehensive data encryption provides advanced data encryption capabilities on transmission links (such as data-in-motion), compute nodes (such as data-in-use), and storage nodes (such as data-at-rest). Key Management Service and Data Encryption Service help users securely manage their keys and use a variety of encryption algorithms to perform encryption operations.

Another emerging technology to safeguard the cloud environment is confidential computing. Confidential computing is dedicated to securing data in use while it is being processed, protecting users’ most sensitive workloads. Confidential computing based on trusted execution environments (TEEs), ensures data security, integrity and confidentiality while simplifying the development and delivery of trusted or confidential applications at lower costs.

It is equally important to adopt proper security management practices and mechanisms to maximise the security protection of one’s critical system and important data. One essential mechanism to protect the cloud environment is to develop a comprehensive disaster recovery system, which enables businesses to configure emergency plans for data centres based on factors such as power, temperature and disasters, and establish redundant systems for basic services such as cloud computing, network and storage. It helps companies to deploy their business across regions and zones and build disaster recovery systems that support multiple recovery models.

Setting the effective reviewing and response mechanism for your cloud security issues is imperative. First, having vulnerability scanning and testing in place is important to assess the security status of systems; second, it is vital to use cloud-native monitoring tools to detect any anomalous behaviour or insider threats; furthermore, establishing proper procedures and responsibility models to quickly and accurately assess where vulnerabilities exist and their severity, will help ensure that quick remedy actions can be taken when security problems emerge.

In the future, developing the security architecture, technologies, management and response mechanism will no longer be perceived as a cost-centre burden for companies, but rather, as critical capabilities to safeguard the performance and security of daily business operations. Crafting a comprehensive cloud security plan, adopting the best industrial practices, and choosing a professional cloud service provider with strong security credentials to work with, should be an imperative subjects in a CXO’s agenda.

Continue Reading

Expert Speak

Why You Should Use a VPN While Traveling

Published

on

According to a survey conducted by NordVPN, 50% of travellers use public Wi-Fi while on the road. However, only 20% of them use a VPN (a virtual private network) to protect themselves while being connected to a public network. “Travelers connect to public Wi-Fi in airports, cafes, parks, and trains. Some even use public computers to print their visa information or flight tickets. A VPN in those cases is crucial if you want to make sure that your vacation will not be ruined by cyber criminals. Nobody wants to lose access to their device or their bank account during a trip to a foreign country,” says Daniel Markuson, a cybersecurity expert at NordVPN.

As International VPN day (August 19th) is just around the corner, Markuson lists all the benefits offered by the service.

Enhanced online security
The main purpose of a VPN is to keep its user’s online connection secure even when they are away from home. Hackers can set up fake hotspots or access unsecured public routers and this way monitor users’ online activity. Once a user is connected, criminals can intercept their internet traffic, infect the device with malware, and steal their victim’s personal information.

When authenticating themselves on public Wi-Fi, users often need to type in their email address or phone number. However, if a user has accidentally connected to a hacker’s hotspot, they could be exposing themselves to real danger.

A VPN hides users’ IP addresses and encrypts their online activity. That means that, even if a user is using a malicious hotspot, the hacker behind it won’t be able to monitor their activity. Therefore, getting a VPN for travelling abroad is essential if you want to stay secure and private online.

Grab the best deals
Depending on the country in which you’re located, the prices for airline tickets, car reservations, and hotels might vary. That’s because businesses know that people in different countries can and will pay higher amounts for certain products and services. If you use a VPN for travel, you can hop between servers in different countries and find the best deals available.

Make the best of additional VPN features
As the industry is evolving, many VPN providers add new features to make their users’ experience even more wholesome. NordVPN, for example, recently added the Meshnet feature that lets travellers connect to other devices directly no matter where in the world they are. This enables users to form a remote connection with their home or office PC from anywhere in the world to share files or for other uses.

However, having said that, please check local laws and regulations about using VPN services on your devices, before you do.

Continue Reading

Expert Speak

API Security Moves Mainstream

Published

on

Written by Cameron Camp, Security Researcher at ESET

As swarms of IoT gear, seek richer data retrieval from their cloud mother ships, the more robust – and more potentially dangerously hackable – API interfaces get a fresh push toward center stage. With Google’s API security initiative Apigee, API security is growing up. And it’s not just IoT. Machine-to-machine data behind super-slick UX designs need seamless interfaces that help move masses of data with less friction, offering more responsive mashups of tech polled from locations far and wide.

But to make this all “just work”, those more robust interfaces bake in more robust attack possibilities to potentially slurp data wholesale to parts unknown and at record speed. Recently, we wrote about the spate of new startups at this year’s RSA Conference that tried to get attendees to wrap their heads around how to make sure an API doesn’t suddenly start misbehaving or does stuff no one knows about until it’s too late. It’s not just us: our friends at DarkReading purport to tally the mounting business losses associated with API hacks.

And now the heavyweights are moving into this space too, cementing API security as “A Thing”. Google’s Apigee Advanced API Security for Google Cloud aims to let organizations identify API misconfigurations and thwart malicious bots, the former being one of the main culprits of API security incidents. Luckily, there are tools from folks like the OWASP API Security Project where you can do a health check on your own APIs, or on those you interface with, which can serve as a baseline. They also have a drill-down about the most common misconfigurations and how to avoid them, so it’s a great place to start.

As we mentioned in our previous post, there was a bevvy of API security startups darkening the halls at RSA, so you may also have some commercial options, with more coming in the future. Expect to continue to see API hacks ramp up as companies wrestle with the prospect of securing yet another interface, this time an industrial one that sits at the heart of the cloud and big data, and – configured wrong – can allow vast troves of data to be siphoned off around the world to parts unknown. Just make sure it’s not your data.

Continue Reading
Advertisement


Follow Us

Trending

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.