In January of 2024, we forecast the areas of attack and items that would be targeted by nefarious criminal hackers, along with the major topics for cyber in general:
- Passwords – Password Management and associated security, usage of PassKeys would be imperative and more widely used. Stats have proved this to be true.
- AI Phishing – We witnessed generative AI improving and eliminating the “misspelled” words so commonly used to spot phishing emails.
- Deep Fakes – Throughout 2024, Deep Fakes were successfully used to “create credibility” and impersonate CEOs and executives, resulting in millions of dollars in losses.
- AI leveraged in cyber security – Hacking incident response is being leveraged globally to aid with consistency and info sharing among cyber security teams. Unfortunately, AI is also being used to quickly survey victim environments, websites, etc. As predicted, governing Artificial Intelligence will prove to be a tall task, given that every tech CEO who hosts an agent reports, “our AI is doing things we don’t understand.” It’s imperative that we proceed with caution in using AI until we firmly grasp the security and blocking/governance associated with each instance.
2025 Cyber Predictions By ControlAltProtect™
For 2025, we predict the following areas will be primary cyber focuses globally:
- Artificial Intelligence – We will find many benefits to this powerful technology, but the risks will outweigh the gains this year. Shadow AI will likely be a significant source of global data leaks.
- Deep Fake technology will broadly impact governments and large-cap as well as small to mid-cap businesses. Expect interesting legal implications to flood the headlines this year.
- Exploits with Generative AI – AI is already building malware or exploitable code and will be utilized to discover vulnerabilities and generate “Zero Day” attacks. The past six months’ data are very concerning, and we will likely see companies that lack detection experience major incidents. Utilizing AI in networks significantly broadens the “attack surface,” and when these tools are attacked, the operational impacts are unpredictable. Sadly, IT teams’ remediation efforts will be anticipated and preemptively blocked by these stealth criminals.
- Prompt Injection Attacks – Generative AI is, in many instances, being used by hackers to write code and infect victims’ digital and web-based assets. This includes major technical resources used by IT companies globally. In other words, hackers quickly find holes in trusted tech tools and command them to perform nefarious actions never planned or coded by the original software developers.
- Biometric exploits – Data sets that have already been gathered by various breaches and social media outlets will be leveraged to steal identities and wreak havoc on high-profile government individuals, institutions, corporations, and their supporting executives.
- Quantum Computing – At some point in the near future, this technology will break the encryption that we so commonly depend on to protect sensitive data. Those who do not properly prepare will suffer.
- Email Phishing – This will remain the method of choice for criminal hackers. Those who do not invest in laser-focused phishing detection are highly likely to fall victim.
- Malware expansions – Fake encrypted messages, encompassing “secure links” via Dropbox, Microsoft, Amazon, USPS, FedEx, DocuSign, Google, Zix, etc., will be cited as the vectors of malware injections. Hackers are successfully taking advantage of organizations that do not properly train associates and configure their environments. Software libraries and files commonly downloaded from GitHub, among other “trusted” sites, are getting hit. Strict governance over who can download files, along with control of user permissions, will become commonplace by December of this year.
- Multifactor Authentication – Sadly, so many Americans still do not have MFA enforced in their personal lives. From Facebook/Meta and other social media platforms to personal emails, hackers will continue jumping from organizational associates to the business networks. The unsettling statistics from Q4 2024 will continue throughout this year. It’s imperative that all associates of your organizations take personal cyber security hygiene seriously. Very seriously! To pour salt in the wound, the “workaround” techniques that bypass login credentials and MFA are growing.
- Inadequate IT Companies – Our country is plagued with IT companies that are simply neither trained nor prepared to protect those who trust them. We have already served as expert witnesses in countless negligence cases between cyber security victims and their respective IT providers. We founded our sister company and IT division, Client Secure IT Partners, in 2022, due to our disappointment in IT companies overall. This area will continue to be leveraged by hackers, given that many IT providers do not invest in cyber security.
Conclusion
Our predictions take into account the lack of focused and customized risk analysis and threat modeling so commonly discovered with American associations. Our cyber consultancy experience, hacking incident response cases, and Dark Web bragging from hacking groups tell a sobering story. Corporations have invested billions in cyber security detection over the past decade. Yet, the attacks and victims keep stacking. Why? Today’s actors, from novice to sophisticated, have one major common denominator: “Humans.” Human error and the lack of quality training account for so many incidents. In our world of hustle and bustle, all hackers need is time. Time is their ace in the hole. Historically, criminal hackers have been inside the victim’s digital assets/infrastructure/network for 200 days or more. Patience has been the key to success among the world’s notorious hacking groups. Artificial Intelligence will speed up the enumeration (surveying) actions of hackers going forward, and in many cases provide them with solid footholds or persistence. Ungoverned AI will make today’s hacking incidents look minuscule and challenge forensic tracing capabilities after the asteroid impact.
So how should Americans respond? First, we must adopt a totally different mentality if we are to have a chance at winning the global cyber war. We cannot continue putting cyber budgets at the middle or bottom portion of our annual capital allocations. WHAT IS MORE IMPORTANT THAN YOUR DATA, and how many days can you afford to be out of business? Find a victim and ask them if they now invest heavily in cyber security. Ask them if they trust their IT teams to do it. They shouldn’t IF they want to avoid hitting the windshield again.
Furthermore, we cannot task our talented IT professionals with performing heart surgery. Your “IT guy or girl” is likely very knowledgeable and capable of keeping your systems up and running. But the fact is, in case after case, we witness corporations overtrusting IT engineers against scientific scam artists and digital hacking masterminds. The results are catastrophic, reputationally damaging, and often put thousands if not millions of Americans at risk. How many national-level breaches and ransomware attacks must occur before we change the “American way” relative to cyber security prevention? Without “cyber nerds,” layered detection, and laser-focused monitoring, the future is grim.
Article by: Brent Panell, CEO & Co-Founder of ControlAltProtect & Hans Lemons, CTO & Co-Founder, ControlAltProtect.