Rachel Tobac is a hacker and the CEO of SocialProof Security, where she educates companies on phishing and hacking prevention. Here’s her advice for next year.
In an ever-changing cybersecurity landscape, cyberattacks and prevention against them move in lockstep. Our world is increasingly digital, especially in the workplace, and more and more businesses and agencies (including our government) are prioritizing security measures.
No industry is immune to increasingly sneaky cyber threats, and we need innovative ways to prevent them. As we head into 2022, we’re learning from major hacks of the past year, including many state-sponsored attacks. Recently, we consulted a panel of experts in a webinar focused on cybersecurity predictions in 2022, including SocialProof CEO Rachel Tobac, who specializes in training companies to prevent hacks.
We had even more burning questions for Rachel about ways to look at cybersecurity in 2022. Read on for her advice as we head into next year.
What security priorities can companies keep top of mind as we head into 2022?
Rachel Tobac: It sounds familiar because it’s so essential—prioritize the basics that don’t always feel basic to implement:
- Get your organization a password manager and avoid reusing passwords—that’s one of the easiest ways for me to hack your organization. Then work to upgrade MFA and make it mandatory.
For those with admin access, move them toward a hardware-based MFA (like a YubiKey), then work to transition the rest of the organization toward hardware-based MFA over the next year if it makes sense for their position. If your company could benefit from a how-to on migrating to FIDO security keys, I recommend this fantastic blog by Nick Fohs and Nupur Gholap on the Twitter Security team.
- Get anomalous behavior detection, audit and limit admin access, and implement 2-person sign off for sensitive actions on the admin panel.
- One tool I recommend for organizations that are concerned about their employees potentially getting compromised on mobile devices is iVerify; it’s a mobile security app by Trail of Bits. It has device scan and threat detection capabilities to help mobile phone users stay secure on their device, because if I successfully hack your mobile device, that may impact both your personal life and your work environment!
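A minimal version of the two-person sign-off and audit trail recommended above, as an added example that is not part of the interview; the admin names, action ids and `AdminGate` class are constructed for illustration:

```python
# Added example (not from the interview): a two-person sign-off gate for
# sensitive admin-panel actions, with an audit record for every decision.
# Names and actions are constructed sample data.
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class AdminGate:
    admins: frozenset                          # users allowed to request or approve
    audit_log: list = field(default_factory=list)

    def authorize(self, action, requester, approvers):
        """Return (allowed, reason); every decision is appended to audit_log."""
        reason = self._check(requester, approvers)
        allowed = reason == "ok"
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "requester": requester,
            "approvers": sorted(set(approvers)),
            "allowed": allowed,
            "reason": reason,
        })
        return allowed, reason

    def _check(self, requester, approvers):
        if requester not in self.admins:
            return "requester lacks admin access"
        distinct = set(approvers) - {requester}   # self-approval never counts
        if len(distinct) < 2:
            return "need two approvers other than the requester"
        outsiders = distinct - self.admins        # approvers must themselves be admins
        if outsiders:
            return "non-admin approver: " + ", ".join(sorted(outsiders))
        return "ok"

def demo():
    gate = AdminGate(admins=frozenset({"alice", "bob", "carol"}))
    results = [
        gate.authorize("reset-user-mfa", "alice", ["bob", "carol"]),        # valid
        gate.authorize("reset-user-mfa", "alice", ["alice", "bob"]),        # self-approval
        gate.authorize("export-all-users", "alice", ["bob", "mallory"]),    # non-admin approver
        gate.authorize("export-all-users", "dave", ["bob", "carol"]),       # non-admin requester
    ]
    return results, gate.audit_log
```

The audit log keeps denied attempts as well as granted ones, which is the input an anomaly-detection rule would consume.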
Are there any upcoming developments in cybersecurity that you’re looking forward to?
RT: I’m particularly interested in the technology currently being developed and tested to combat mis/disinformation on social media platforms. There are a number of tools that are being tested to detect deepfake audio, video, and photos. Some of these kinds of software analyze media (like photos and videos) to give a confidence score about whether or not it’s manipulated media. I think this technology should be heavily prioritized in 2022 by social media companies and tested at the upload stage so that these social media companies that we rely on can work hard to detect and reduce manipulated media on their platforms. The teams that work on this software will need to be extremely intersectional, with a focus on including historically marginalized individuals, to ensure that this protection software is built and tested responsibly.
What are some new risks that could come with the actualization of a “3D” internet model like the metaverse?
RT: There are so many risks, particularly around abuse, account takeover, and harassment. A good framework of questions companies need to ask themselves before launching or investing in a new environment like the metaverse is:
- How can this be abused, how can vulnerable people be harassed, and how can we prevent abuse?
- How will we prevent account takeover for user accounts via support channels? (As these avatars will represent real people with real consequences, this will be essential!)
- How will we verify identity for urgent support requests?
If those questions don’t have good answers yet, I recommend we wait to launch!
How can companies protect against new technical attacks that are starting to make the headlines?
RT: I believe that in 2022 we are going to see more mainstream AI-based social engineering attacks—where attackers leverage machine learning and artificial intelligence to build the right believable pretexts (who they are pretending to be) for the moment, and use AI for believable audio-based attacks.
We’re seeing this on an extremely small scale right now, for instance with the voice deepfake scam used to thwart bank voice authentication protocols resulting in a $35 million attack, but I do think this type of technology leveraged for cybercrime is going to increase in 2022 and beyond. Employees, leaders, and individuals will need to be politely paranoid and update protocols to include two methods of communication to confirm identity before giving access, sensitive information, or sending money.
As companies continue to operate with a hybrid WFH model, what sort of risky security behaviors would you tell them to avoid?
RT: There are so many risky behaviors that I see often! First and foremost, I hope that organizations continue to use multiple methods of communication to confirm requests and identity before taking actions. Since we can’t walk right up to each other’s desks anymore to confirm a request is legit, we have to build in those protocols while we work in hybrid WFH/office models.
I also see that many employees are now learning the dangers of working on their personal devices or doing personal activities on their work devices. The issue with mixing and matching the devices you use for personal or work is that I can now widen my possible pretexts (who I can pretend to be) when I’m hacking. If you’re reading personal emails in a separate tab on your work machine, I can target you with a variety of easy-to-build personal email attacks. My work-related pretexts are often narrower in scope, and you may have your guard up more for those emails.
If I can target you on your personal machine while you do work there, I can attack your machine with all technical defenses down. Your organization’s technical tools are only loaded onto your work device, so if I can bypass those tools on your personal machine then I can gain access to private sensitive personal and work data—great for the attacker!
Of course, the classic risky behaviors of reusing passwords and not using the right MFA for your threat model are still prevalent. Companies should use a password manager; if you have admin access at work, move toward FIDO security keys, stat!