As cloud infrastructure and, more recently, AI systems have become primary objectives for attackers, security executives are keenly concentrated on safeguarding these high-profile domains. It is a prudent approach as cyber criminals are turning to novel and advanced technologies to execute and escalate increasingly sophisticated assaults.
Despite the elevated focus on emerging dangers, it is easy to overlook conventional avenues of attack like human-driven social manipulation and vulnerabilities in physical security.
With adversaries exploiting a broader spectrum of potential entry points — both modern and traditional — security leaders must maintain a balance to ensure they can effectively address all risks.
The human aspect remains crucial in cyber crime
Although technology has been hyped extensively, it is not a universal remedy. It cannot supplant human expertise across all domains, and AI alone cannot replicate the inherent human capabilities of intuition and innovative thinking. Adversaries recognize this fact, which is why the more intelligent — and significantly more dangerous — ones employ a fusion of human and technology-driven strategies.
While major technical weaknesses often dominate headlines, the truth is that the weakest link almost always involves the human element. Virtually all attacks incorporate a social engineering component, and despite the buzz surrounding generative AI and deepfakes aiding in the amplification of such attacks, it is in human-to-human interactions where the most severe risks reside.
Synthetic content now permeates our surroundings, and individuals are increasingly adept at distinguishing it from reality. Whether we eventually reach a point where this is no longer feasible is a discussion for another time. However, presently, the most perilous and efficacious social engineering assaults still predominantly hinge on personal conversations, whether conducted via telephone, email, or face-to-face. Indeed, a skilled attacker can establish trust and fabricate deceptive relationships in ways unmatched by AI or deepfake technology.
The persistent threat of cyber espionage
Consider state-sponsored cyber espionage, for instance. Proficient social engineers stand in stark contrast to the typical assortment of independent cyber criminals operating in the shadowy realms of the dark web, who generally prioritize volume over targeting specific organizations and individuals. These adversaries may target data systems, but their most potent weapons are manipulation and deceit.
Technology still has far to progress before it can rival the enduring tactics of spycraft.
When confronting an adversary capable of adeptly masquerading as an internal staff member or any other trusted individual, solely relying on technology to counter the threat offers scant protection. This is not a flaw in technology; it is a flaw in the system, thus underlining why the human element must always constitute a critical component in any cybersecurity strategy.
Naturally, this does not discount the pivotal role that technology plays in fortifying your cyber defenses. It unquestionably does, especially since an increasing number of routine threats are being automated or perpetrated en masse by less skilled or experienced attackers. The significance of technology — particularly AI-driven cybersecurity automation — primarily lies in its capacity to liberate time for security leaders to concentrate on threats that technology alone cannot resolve.
It’s not solely about the cloud
A majority of business information is presently housed in the cloud, and this proportion continues to grow. Many enterprises, particularly smaller firms and startups, rely exclusively on cloud infrastructure for data storage and other IT functions. The surge in AI adoption, given its substantial computational demands, further propels the cloud’s prevalence.
However, cloud computing may not be the optimal solution in all scenarios. On-premises infrastructure remains the favored choice for high-performance workloads necessitating exceedingly minimal latencies. In certain instances, on-premises computing may also be the more cost-effective alternative, a trend unlikely to alter in the foreseeable future.
Despite the migration of numerous companies to the cloud, this does not imply that they do not retain sensitive data on their premises. For example, edge computing, which enhances data processing proximity to the point of use, has emerged as a critical enabler in specific use cases. Instances include smart energy grids, remote monitoring of industrial assets, and autonomous vehicles, where uninterrupted internet connectivity cannot always be guaranteed.
The more astute and well-funded adversaries are not solely fixated on cloud-hosted infrastructure. They are also targeting local servers and cyber-physical systems like industrial control systems and hardware supply chains. The minimal collaboration often observed between logistics, production, and cybersecurity units renders these risks even more severe.
Ransomware remains a prominent threat directed at on-premises systems, notwithstanding the slight decrease in attacks over the past year. While cloud systems are not impervious to ransomware assaults, the overwhelming majority target bare-metal hypervisors and local servers. In a recent event, the Akira ransomware group reverted to its earlier double extortion tactics, experimenting with diverse code frameworks to penetrate systems running ESXi and Linux.
Botnets present another escalating concern as the number of IoT devices continues to surge. Utilized to launch distributed denial of service (DDoS) strikes involving thousands of devices, these botnets primarily zero in on unsecured IoT devices, specifically those overseeing and controlling industrial machinery and critical infrastructure. A recent report unearthed that DDoS attacks against critical infrastructure have surged by 55% over the past four years. While these attacks do not involve the direct extraction of sensitive data, their potential to cause widespread disruption prompts adversaries to leverage them to divert focus away from graver threats.
The enduring significance of physical security
Even as security leaders fortify their cloud-hosted resources, it is paramount that they remain vigilant about the dangers facing their physical premises. Sometimes, the simplest route to the cloud is from within.
Thin endpoints and simple terminals — commonly utilized in secure settings such as healthcare and finance — may provide attackers with an entry point into broader systems, including cloud infrastructure and remote data centers. Edward Snowden demonstrated this while employed at the National Security Agency by extracting 20,000 government files stored on NSA’s servers located 5,000 miles away from its headquarters, all done without sophisticated technology. While this incident dates back to 2013 and the NSA has since upgraded its physical security measures, the threat remains as relevant today as it was back then.
Although most thin clients now feature multiple security layers, including encryption and multifactor authentication, these defenses alone may not completely fend off physical breaches. If an intruder gains entry to a terminal — potentially through social manipulation — they could compromise it by using unauthorized accessories or altering the device’s firmware directly. This breach could permit access to the wider network, facilitating the introduction of custom malware that escapes routine security scans.
The proliferation of IoT devices is another primary factor in the expansion of the attack surface. These devices often lack sufficient security measures, thereby offering attackers a potential gateway into the broader connected infrastructure. The widespread deployment of these interconnected technologies in sectors like smart cities, critical infrastructure, and transport networks significantly amplifies these vulnerabilities.
In essence, if a trespasser manages to bypass your physical defenses, these connected systems provide much simpler avenues to an organization’s critical assets rather than attempting to breach heavily fortified cloud barriers.
Cloud data may not be the ultimate target
In some scenarios, the goal of attackers might not be the data stored in the cloud. Many enterprises, particularly those subject to strict data residency rules or necessitating high-speed performance for real-time applications, still retain their data on in-house servers.
Some of these systems are air-gapped, indicating complete isolation from any networks, including the internet itself. While theoretically more secure than cloud-hosted servers, their security cannot be assumed. For instance, individuals with physical access to the servers could compromise them, either intentionally or unintentionally.
Physical security elements like CCTV and biometric security checks are crucial in such cases. However, safeguarding against deliberate physical tampering is only part of the challenge. Skilled social engineers might orchestrate indirect attacks, deceiving unsuspecting employees into taking specific actions — like lending out a biometric security access card.
These adversaries typically do not rely on email or AI-driven mass attacks; instead, they are more likely to deceive individuals in person, a tactic as old as human history. In reality, the assailant could be anyone, whether a disgruntled ex-employee, a hacker working on behalf of a rival firm, or even a rogue state.
Connecting digital and human security realms
Relying solely on technology or human intervention is insufficient to safeguard an organization against the multitude of threats lurking out there. Balancing both components, starting with human factors and leveraging technology to enhance their capacities, is essential. A multi-layered security approach typically commences with securing physical access to any data-carrying or interconnected systems.
The subsequent defense layer involves human aspects, predominantly centered on security awareness training. Yet, many of these programs fall short, lacking practical relevance, relying excessively on generic content, or focusing too heavily on technical aspects beyond the target audience’s comprehension.
Phishing simulations often exhibit similar limitations, concentrating on common baits such as current events, urgency, or direct threats. However, sophisticated attackers tend to deploy subtler tactics to solicit responses. This could be as straightforward as disseminating messages about routine updates like changes to company dress codes or remote work policies. Though seemingly trivial, these topics can spark interest, particularly when they impact daily routines and work-life equilibrium. This interest could be exploited by attackers to trick unsuspecting individuals into sharing sensitive details via a fictitious survey.
Similar to other security measures, physical systems and awareness training are only effective if regularly tested. This is where physical red teaming plays a crucial role. Unlike IT-focused red teaming, which delves into technical assessments like penetration testing, physical red teaming involves teams attempting to breach restricted areas and systems. Through a blend of simulated social engineering attacks and technological exploitation of physical security systems, red teams aim to bypass physical security measures or impersonate staff, thereby uncovering potential vulnerabilities that might otherwise remain undetected. This aspect underscores the valuable contribution of red teams in a comprehensive information security blueprint.