How to separate true cybersecurity risks from hype
Cybersecurity and IT experts Bri Frost and Tim Warner debunk AI hype and other misconceptions to share real cybersecurity risks and vulnerabilities.
Nov 8, 2024 • 4 Minute Read
When new cybersecurity threats and data breaches hit the headlines every day, it can be hard to distinguish between real security threats and exaggerated buzzwords. And when you’re already juggling security and compliance from all angles, you need to know where to focus your limited cybersecurity resources.
Pluralsight’s Director of Security Curriculum and Research Bri Frost and Principal Author for IT Ops Tim Warner cut through the noise to help you prioritize actual cybersecurity risks.
Debunking AI security hype and supply chain myths
Bri and Tim explain the truth behind two common cybersecurity myths.
AI does not create new cyber attacks
The myth: Threat actors can now breach networks or launch “AI-powered” cyber attacks with the push of a button.
The reality: “AI does not create new attacks,” said Bri. “It does not write zero-days or exploits or vulnerable code in applications. You cannot push a button and immediately get initial access to a network. Humans do these things.”
In other words, AI alone can’t scan networks, uncover the applications and operating systems used, and write code or phishing messages that exploit vulnerable versions or end users.
“All of these things cannot be done without human interaction,” explained Bri.
Supply chain attacks are not rare
The myth: Supply chain attacks only impact Operational Technology (OT) networks or large organizations.
The reality: Supply chain attacks can affect any organization—and they aren’t as rare as you might think.
Think about your network and the software you use in your day to day:
- How many applications do you use?
- How many non-proprietary applications do you use that come from a different vendor?
- How many open source or commercial libraries do you think were used to write each of those applications?
- How many authors and engineers write code within that application?
All of these are potential initial access vectors for attackers. And the list grows when you consider the vendors you work with and all the software they work with, too.
“It's kind of an exponential risk. And the fact is, 98% of organizations are working with a breached third party vendor right now or have in the past,” said Bri. “When you talk about software supply chain attacks, it's not if, it's when.”
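The fan-out behind the questions above can be made concrete by walking a dependency graph. The following is an added illustration written for this page, not tooling from Bri, Tim or Pluralsight: the lockfile-style inventory, package names and publishers are all constructed for the demonstration. It counts how many packages and how many distinct publishers one application ends up trusting, including publishers nobody chose directly.

```python
"""Added example: how far a handful of direct dependencies fans out.

Illustrative code written for this page, not tooling from the authors or
from Pluralsight. The lockfile below is constructed by hand: package
names, publishers and edges are made up for the demonstration.
"""
from collections import deque

# Constructed lockfile-like inventory: name -> (publisher, [direct dependencies]).
# Every name here is hypothetical.
LOCKFILE = {
    "shop-frontend": ("acme-internal",   ["ui-kit", "http-client", "auth-sdk", "telemetry"]),
    "ui-kit":        ("widgetworks",     ["dom-utils", "color-math"]),
    "http-client":   ("netlabs",         ["url-parse", "tls-shim"]),
    "auth-sdk":      ("vendor-idp",      ["jwt-lite", "http-client"]),
    "telemetry":     ("metricsco",       ["http-client", "uuid-gen"]),
    "dom-utils":     ("widgetworks",     []),
    "color-math":    ("solo-maintainer", []),
    "url-parse":     ("netlabs",         []),
    "tls-shim":      ("crypto-bits",     ["asn1-min"]),
    "asn1-min":      ("crypto-bits",     []),
    "jwt-lite":      ("solo-maintainer", ["base64-fast"]),
    "base64-fast":   ("solo-maintainer", []),
    "uuid-gen":      ("metricsco",       []),
}


def transitive_closure(root, lockfile):
    """Return every package reachable from `root` (root excluded) mapped to its publisher.

    Breadth-first so each package is visited once even when several parents
    depend on it (http-client is pulled in by three different packages).
    """
    seen = {}
    queue = deque(lockfile[root][1])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        publisher, deps = lockfile[name]
        seen[name] = publisher
        queue.extend(deps)
    return seen


def exposure_report(root, lockfile):
    """Summarise the supply-chain surface behind one application."""
    closure = transitive_closure(root, lockfile)
    direct = lockfile[root][1]
    direct_publishers = {lockfile[d][0] for d in direct}
    publishers = set(closure.values())
    return {
        "direct": len(direct),
        "transitive": len(closure),
        "publishers": len(publishers),
        # Publishers you never chose but now trust anyway.
        "indirect_publishers": sorted(publishers - direct_publishers),
    }


if __name__ == "__main__":
    print(exposure_report("shop-frontend", LOCKFILE))
```

For the constructed graph, four direct dependencies turn into twelve packages from six publishers, two of which (a single-maintainer project and a cryptography shim) were never chosen by anyone at the organization. A real run would take the same walk over a real lockfile or SBOM.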
How to protect against real cybersecurity threats
So what should organizations be focused on when it comes to cybersecurity? Phishing, deepfakes, and supply chain attacks.
Implement phishing awareness training and security measures
While AI doesn’t create new attacks, it does increase scale and efficiency for threat actors.
“AI caused a rise in phishing, and gone are the days of the misspelled phishing messages that look silly,” said Bri. “These are good. They are accurate. ... Spear phishing is very easy because AI can scrape information off the internet about a particular target and create a very clear, curated direct message that increases the percentage of someone likely to click on a button or put in their credentials.”
Combat this risk with increased phishing awareness training. “Don't click on links. Don't open attachments. If someone's requesting financial account information, make sure you validate that,” advised Bri.
Increase understanding about deepfakes to prevent security breaches
Deepfakes pose another real cybersecurity threat because they can use AI technology to spread misinformation, exploit access controls, and trick users into sharing information they normally wouldn’t.
“Think about yourselves or your loved ones or your family or anyone you know that publishes videos or their voice on the internet that's available to the public,” said Bri. “All of that can now be weaponized for a scam or for an attack.
“The voice recognition is spot on. Any of your major accounts, finance accounts, or protected information that use voice recognition as a security control or as an access control now is seriously at risk.”
Digital watermarks, metadata, and various legislation and policies are in development to combat the misuse of AI-created content. But the biggest control right now is validation.
“Create awareness for users that they have to double check and validate everything they’re seeing,” said Bri.
Continuously validate vendors to mitigate supply chain attacks
“Your security posture is only as high as the lowest security posture vendor that you're working with,” said Bri.
So what can you do to mitigate risk? Start by assessing and rating the vendors in your supply chain. The key here is consistent monitoring.
“I see this too often where organizations have an annual audit. But as we know, your security controls and applications can be secure one day and vulnerable the next,” explained Bri.
Organizations need real-time event monitoring and automated remediation to keep risks to a minimum. It also helps to layer defense-in-depth strategies like DevSecOps with Zero Trust principles.
“Trust nobody. No matter who you are or who you think you are, you're coming into our app or service, and we're going to validate you. Not only validate, but revalidate. That would be my guidance to you. Build and continuously validate your trusted sources, vendors especially,” said Tim.
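One concrete form of "validate, then revalidate" is to pin what a vendor shipped when it was reviewed and check it again on every use, while treating a review that is too old as no review at all. The block below is an added example for this page, not code from Bri, Tim or Pluralsight; the artifact names, byte strings, digests, dates and the 30-day re-validation interval are all constructed for the demonstration.

```python
"""Added example: check a vendor artifact on every use and flag stale reviews.

Illustrative code for this page, not the speakers' or Pluralsight's tooling.
Artifact bytes, digests, dates and the re-validation window are constructed.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Assumed policy: a review older than this is treated as no review at all.
MAX_AGE = timedelta(days=30)

# Constructed trust manifest: what was pinned when each artifact was last reviewed.
# Digests are SHA-256 of the constructed byte strings used in the demo below.
MANIFEST = {
    "vendor-agent-2.4.1.tar.gz": {
        "sha256": hashlib.sha256(b"vendor agent release 2.4.1").hexdigest(),
        "last_verified": date(2024, 10, 20),
    },
    "billing-connector-1.0.0.whl": {
        "sha256": hashlib.sha256(b"billing connector 1.0.0").hexdigest(),
        "last_verified": date(2024, 1, 15),
    },
}


def check_artifact(name, data, manifest=MANIFEST, today=date(2024, 11, 8), max_age=MAX_AGE):
    """Return 'ok', or the reason the artifact must not be trusted.

    `today` defaults to a fixed constructed date so the demo is deterministic;
    a real deployment would pass date.today(). Order matters: an unknown or
    modified artifact is rejected before the age of the review is considered.
    """
    entry = manifest.get(name)
    if entry is None:
        return "unknown-artifact"
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison so a mismatch does not leak how much matched.
    if not hmac.compare_digest(actual, entry["sha256"]):
        return "digest-mismatch"
    if today - entry["last_verified"] > max_age:
        return "stale-verification"
    return "ok"


def gate(name, data, **kwargs):
    """Fail closed: only an 'ok' result lets the artifact through."""
    status = check_artifact(name, data, **kwargs)
    return status == "ok", status


if __name__ == "__main__":
    # Constructed cases: a genuine release, a tampered copy of the same release,
    # a genuine release whose review is months old, and something never pinned.
    cases = {
        "genuine":  ("vendor-agent-2.4.1.tar.gz", b"vendor agent release 2.4.1"),
        "tampered": ("vendor-agent-2.4.1.tar.gz", b"vendor agent release 2.4.1 + implant"),
        "stale":    ("billing-connector-1.0.0.whl", b"billing connector 1.0.0"),
        "unpinned": ("mystery-plugin.zip", b"whatever"),
    }
    for label, (name, data) in cases.items():
        print(f"{label:9} {gate(name, data)}")
```

The tampered copy and the unpinned file are rejected outright; the billing connector is rejected even though its bytes are exactly what was reviewed, because the review is ten months old. That last case is the annual-audit problem Bri describes: the artifact was secure on the day it was checked, and nothing has looked at it since.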
Boost security skills with role-based cybersecurity training
So what type of cybersecurity training do your teams need to stay up to date with these real threats? Role-based training is a great place to start since it aligns skill development with each team member’s responsibilities and goals.
“If you just want to learn about these threats, there's literacy and foundations where you can start learning about security,” said Bri.
These foundations are ideal for non-technical teams. But your security professionals will need more in-depth training.
“Whether it's threat hunting, incident response, or traditional cyber defense, you really want to focus on emulation and adversaries and red teaming and breaking things,” she said.
Explore Pluralsight’s cybersecurity courses and watch Bri and Tim’s webinar on demand.