Narrator 00:00
[Music] This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:12
Welcome to CyberSound. I’m your host, Jason Pufahl, joined in our main studio by Michael Grande. And joining in, what do we call it, CyberSound South? Yeah, by Steven Maresca and Matt Fusaro. Thanks, everybody, for joining. We were actually going to spend some time today looking ahead at 2025 and making some security predictions. What we’ve discovered, though, is that it’s not really practical to put four people into our main space. So we actually have both Steve and Matt, who are on this all the time, joining from 25 feet down the hall in our conference room. So thanks, guys, for doing that.
Steven Maresca 00:52
There. You could wave, if the doors are open.
Jason Pufahl 00:55
You could wave; the doors are open. But it looks pretty professional. We’ve got the youth.
Matt Fusaro 00:59
It does make it effort with-
Jason Pufahl 01:02
So Steve, we ordered these intentionally. Steve, you’re up; you get the opportunity to make the first look ahead.
Steven Maresca 01:13
I think we’re starting in doom and gloom, and it’s my job to talk about geopolitics and the fact that we can expect change. We’ve lived in a luxurious world that’s been stable, and now we are dealing with a multipolar world with some instability, which I think is maybe the nicest way to put it. The US government, at least, has issued several advisories in the last few months to expect sabotage attacks and things of that variety. And what I want to basically say is that the luxury that we had was to think solely about our risk relative to cybersecurity: cyber attacks, opportunistic theft, things like that. What we should expect in the future, with our new reality, are hybrid attacks. Europe is experiencing this today more than we are, candidly, but the past election cycle certainly had some of what I’m referring to, and by that I mean disruptive attacks that have nothing to do with technology: bomb threats, negative PR that’s been manufactured, fake customers trying to obtain proprietary information just by engaging organizations through fraud, intrusive surveillance. There have been a lot of reports of drones internationally invading airspace and things like that, just flying in general and causing people to feel a little more paranoid. What does all this mean? Ultimately, the landscape has shifted. We need to be thinking a bit more broadly. What was historically something more defensible from a network perspective or a multi-factor identity protection sense now requires more critical thought, vigilance across a lot of different areas, and trying to anticipate where we might be vulnerable organizationally. That’s it. Hopefully nothing more heated will occur. But it’s a different world going into 2025, and we need to recognize that.
Jason Pufahl 03:17
So maybe just to follow up on it. Do you think this is more specific to, like, the defense industrial base, or supply chain, or, you know, the power grid? Is there a specific sector that you think is most prone to these types of attacks?
Steven Maresca 03:34
I mean, realistically, I do think that the defense industrial base is a focus. But shipping providers, DHL, you know, they’ve had flights that have gone down because of incendiary devices in Europe. So it’s logistics in general, not necessarily purely the defense industrial base. I think your average municipality might be a target if you have, you know, SCADA equipment and things like that open and accessible to the local network or not air-gapped. It’s hard to answer. Bottom line is, we should anticipate threat actors probing at multiple flanks, because their goal is to distract and consume our time.
Matt Fusaro 04:20
Yeah, I think there are going to be a lot of companies that end up being collateral damage because of what they’re targeting, or just used as a first step into those organizations. So these organizations might not be defense contractors themselves, but they might be providing a service they use, or be a vendor of that particular company that is the actual target, but could be a step to get in there, right? So…
Steven Maresca 04:42
Right. You know, we’ve spent a lot of time over the last few years talking about the smash-and-grab attacks, the short time frames associated with ransomware. What we’re talking about here is a shift towards longer dwell times, a quiet, stealthy presence in networks.
Jason Pufahl 05:01
Higher level of effort, absolutely. So maybe segueing a tiny bit, and you said you started with doom and gloom. I’ll try to position mine, then, maybe on the positive side. I suggested that we’re going to see an uptick in phishing and social engineering-style attacks, and in the discussion preparing for this, I think part of our takeaway was, maybe that’s a benefit, because instead of seeing some of these technical drive-bys and exploitation of vulnerabilities, the move a little bit toward social engineering may be an indicator that a lot of the technical controls that people are putting into place are working better, right? But we are seeing things that take a little bit more effort in the social engineering space: actual real-life voice calls and real-life Teams calls, people using technologies to get in front of other people. But in a more, I guess I’ll call it a more traditional way, you know, short of sending an email and hoping to trick someone into clicking the link. We expect to see more of that, because some of those technical controls are working better. And, you know, they’re really trying to develop and underscore that element of trust, using the human element now to exercise these threats.
Steven Maresca 06:19
So I think it’s fair to say it’s already begun in terms of that uptick. In the last three months alone, we’ve had tens of customers or non-customers experience those directed social engineering calls, bypassing all the technical controls and going to the people who can let them in through the front door, so to speak. So expect more of it.
Jason Pufahl 06:43
And it’s, you know, hugely effective. I mean, that has been the phishing, let’s face it, right? Social engineering has been the common element for almost every incident we’ve managed in some way, just a different form of that.
Michael Grande 06:57
And we’ve talked a lot about the utilization of different tools and AI and sort of voice replication and things. Is that something still on the horizon?
Matt Fusaro 07:08
Yeah, and I think it’s probably what is driving some of the phishing attacks especially, right? A non-native English speaker now has the ability to create pretty convincing narratives that can be put through as a phishing attempt, right? Like you said, voice replication is definitely being used as well. Yeah, the asymmetry is definitely different than it was even a year ago. So while our technical controls are working, attackers always go to the path of least resistance, right? And that’s the people at this point.
Steven Maresca 07:43
And another echo of that is that the more sophisticated things that we described as less likely a year or a year and a half ago, right, have been commoditized and are now low cost to use by unsophisticated attackers. And that’s why we say more of it.
Jason Pufahl 08:00
Yeah, that’s an important point, though, I think, right: the ability for some of these, utilizing technology like deepfakes to create audio and video, it’s accessible now to non-technical people. So you don’t have to be the sophisticated threat actor to launch these attacks anymore.
Steven Maresca 08:21
On the other hand, though, we do need to emphasize increasing sophistication on the defensive side of the spectrum. A critical takeaway is validating the identity of the people that are claiming to ask for something. Zoom calls, show an ID, have them come by in person. Whatever makes sense contextually is now a critical step. And that’s not just help desks. That’s finance and HR in terms of engaging, you know, those offices. So lots of organizations need to do exactly that same sort of thing.
Michael Grande 08:55
You know, one of the other aspects, as I look forward to 2025, is sort of this, I’m not going to use the proliferation word, but this increase in third-party risk assessments and security assessments of a lot of our different vendors. What do you feel like is driving that? And do you think that’s just going to continue? It almost feels like it’s been pushed downhill, right? Large enterprise has been dealing with these things for a long time. We’re seeing it now in mid-market and small business. Where do you see that going?
Matt Fusaro 09:26
Yeah, it is one of those few times where the trickle-down effect works, where what enterprise is doing has affected SMBs quite a bit in terms of the security questions that they’re going to ask them before they purchase their products, right? I think a lot of that has driven them to be a little bit more prepared so that they can make their sales to the enterprise. You know, insurance is driving that as well. There have been quite a few questionnaires that have grown considerably in size. You’ve seen a lot of that firsthand, right? So, yeah, I think a lot of it is awareness and just being a little bit more cognizant about who you’re doing business with, so they want to ask more questions and have it on paper versus the wink and a handshake that it used to be. Yeah.
Jason Pufahl 10:07
And I think there’s a piece of the regulatory requirements now where, you know, the contractual language is getting flowed down to smaller organizations that might otherwise probably not have had the rigor to do those, and now they’re being pushed a little bit more. And I think that’s a really good thing.
Michael Grande 10:27
Yeah.
Steven Maresca 10:28
Yeah. The flow-down requirements that are common for a lot of our customers are DFARS and ITAR and things in the defense realm, but also GLBA from the banking and finance world. So those are obligatory actions for those organizations to take, and all of their vendors, even if they’re not as regulated, are seeing that echo. The overall maturity has increased across the board. So I think it’s a net positive, even if it does require more work to fulfill.
Jason Pufahl 10:55
Well, and I’m optimistic, as more vendors are requested to fill these out, that we start to see a little bit more standardization, because that still has been a challenge, right, where you’re not able to simply request and get something in a common format. And I think we’ll see an improvement there.
Steven Maresca 11:10
I hope so, because it’s still a mess.
Jason Pufahl 11:12
It’s still a mess for sure.
Michael Grande 11:15
You know, as we sort of wind down ’24 and look into ’25, you know, the independent coin, you know, Bitcoin value, cryptocurrency, right, increased in value. Does that lead potentially to more security incidents, or is that just another mechanism, you know, as far as a translation rate or a currency rate that the bad actors are going to use to ultimately get to the same end?
Matt Fusaro 11:45
Yeah, it is. So like I said, there are a couple of things there, in my opinion. Threat actors are usually trying to move this stuff really quickly. So they’re not going to hold on to a Bitcoin for three months, four months, while something happens to it, right? It’s going to a wallet, and then it’s going to change to a fiat currency, right? So I think a lot of it has to do with market conditions there, which may or may not be favorable. I actually have not seen the data. I’m sure there’s something out there that compares the rate of cyber incidents to what the actual crypto prices are. But, you know, kind of what we talked about prior to this episode: Bitcoin might be at $99,000 or $100,000 right now, but it doesn’t necessarily mean it’s particularly valuable in whatever currency the attacker is using, right? So they still need a company to actually pay for something.
Michael Grande 12:39
To still pay. Yeah.
Jason Pufahl 12:40
Right.
Matt Fusaro 12:40
Most companies don’t have a Bitcoin to give somebody.
Jason Pufahl 12:44
And they’re only willing or able to pay so much. So whether it’s one Bitcoin or half a Bitcoin or two Bitcoin, it still gets to the same dollar.
Steven Maresca 12:55
Though it is more lucrative today than it was six months or a year ago to make these currency exchanges. So just from that perspective, sure, there’s potentially a higher benefit to transact. So if there is a reason to do it, perform an attack, then sure, that might be justification. But it is more complex than just the dollar figure associated with the…
Jason Pufahl 13:19
Yeah. I mean, I think an important takeaway, and it didn’t really make our sheet exactly, is that ransomware still continues to be an effective way to extort money. We see a lot of it, and your business has to prepare around the fact that that’s a potential impact coming this year, just like it was last year.
Michael Grande 13:36
Yeah.
Steven Maresca 13:38
Though it’s worthwhile stating that even if it’s not a ransomware encryption event, a mere business disruption still has the same extortion characteristic to it, and the payouts would be the same regardless of whether or not crypto is involved.
Jason Pufahl 13:54
So Matt, we were going to chat a little bit about cloud assets, I think.
Matt Fusaro 13:59
Yeah, so 2025, I think, is probably going to continue the trend of misconfigurations being an issue. And when I say misconfigurations: so many companies, especially now in the SMB space, are moving either services or their infrastructure into the cloud. I think cloud adoption has kind of hit critical mass with our industries now. So what we’re seeing a lot of is misconfiguration of things like MFA in order to protect a lot of those applications. We’re seeing a lot of data repositories, whether they be things like ERPs or just plain old storage buckets out in the cloud, just not configured properly. So I think companies are going to have to start investing in ways to detect poor configurations or configuration drift, to actually detect the issues that cause that type of data leakage. And I think it’s going to become much more common for cloud assets to be compromised versus on-prem infrastructure.
Steven Maresca 15:06
And configuration drift is a maintenance and sustainment exercise. But I want to emphasize, you know, commissioning of new services is equally problematic in this regard. A deployment of a new ERP or a CRM for a company might involve test infrastructure that is accessible to the entire world, that contains real-world organizational data, and that’s not being locked down like production is. And the same aspect of configuration applies here. Protect your data, whether it’s being deployed as a lead-in to something that’s in a stable state or not; afterwards is as important as the beginning.
Matt Fusaro 15:45
Right.
Jason Pufahl 15:45
And I think it’s important. I mentioned this when we were planning for it. It’s an age-old problem to deploy, you know, test and development infrastructure, maybe not with the same security controls, and yet still you’ll use some of your production data. That’s a really common thing. So the basic tenets of protecting your data, regardless of whether it’s in production or test, sort of remain the same. I think, Steve, your argument is that by using some of these cloud applications, it’s more, you know, whole-world accessible, maybe, than traditionally, right?
Steven Maresca 16:17
Yeah, a loosely deployed test machine used to be behind a network perimeter. It’s more defensible, even if it’s not really deployed with thought behind it. Now it’s, you know, reachable through any internet browser without a perimeter in place. So that’s fundamentally the problem.
Michael Grande 16:38
So, you know, as we look ahead, we mentioned AI a couple of times as it relates to sort of the SOC and what threat actors are using it for. Matt, what thoughts do you have on that, looking into 2025?
Jason Pufahl 16:53
And we should say, SOC, security officer, right? So the abbreviation: folks that monitor, you know, events coming out of security systems.
Steven Maresca 17:03
Although I would be supportive of a puppet show for cybers…
Jason Pufahl 17:07
We could do that- We could do that another time.
Matt Fusaro 17:09
I don’t know if I’ve got the skills for that, but we’ll see. Yeah, so for security operations centers, a lot of them have a lot of pressure to automate how they handle incidents, how they look at data, how they respond to things. AI is becoming a big part of that. The goal of a lot of operations centers at this point is to take tier one out of the process a little bit and have your tier two and tier three respond to real incidents that aren’t noise. So what I see happening there is attempts by attackers to either confuse the AI or poison the AI systems that might be running your SOC, or just avoid them completely and drive their tickets to be closed automatically. So it’s kind of an obscurity thing that they can use to bypass controls, or just stay hidden a little bit, where analysts may not have human eyes on some of the things that are happening because they’re being automatically closed. So it might be a risk that we look at this year.
Steven Maresca 18:16
A really simple example of that is the fact that events might be escalated if they originate from a country not associated with the business, right? You can bypass that and stay below the threshold of escalation and alerting if the threat actor just comes through something domestic, you know, through Indiana, Kansas, something that doesn’t make impossible travel, a facet that might lead to an alert. Very easy to think about as a mechanism that deceives the algorithms that we’re talking about.
Jason Pufahl 18:48
Right? And obviously there’s a lot of value in automating a lot of that alert review, but it does come with some associated work. So I think it’s really important that there are human eyes looking at a lot of these events, and not relying too heavily on the automation part or the AI part.
19:05
Yeah, you have to automate what’s in the SOC, but you’ve got to do it carefully.
Jason Pufahl 19:10
So we said SOC again. We’re a Connecticut-based company, and, you know, the University of Connecticut has, I think, the best puppeteer program in the country. That’s true, right? So maybe we should. Now you’ve got to be thinking about it. I feel like I should reach out to them, looking forward to 2025.
Michael Grande 19:28
I’m going to learn more about that. That’s a factoid.
Jason Pufahl 19:33
There’s a Puppetry Museum downtown in Storrs. It is a well-regarded puppetry program, basketball-side puppets. I mean, there were some unbelievable puppets in that museum. So, I think we have one last one, Steve, that you would put. Right, security is a serious topic. But it is doom and gloom to target puppets.
Steven Maresca 20:02
I guess, but I’ll close out the 2025 look ahead by talking about auditing and audits. The main message is that organizations are already seeing, and should expect, increased scrutiny. Some of that has to do with regulatory frameworks going into effect that weren’t in the last several cycles. Some of that has to do with the SEC literally charging fraudulent activity and behavior of some of the big-named auditors. They settled it out of court for multiple tens of millions of dollars. That’s how serious some of these allegations were. But as an industry, auditors, whether in finance or otherwise, are kind of acting as others have noticed, and what might have been a 10-question sheet sent over to a company last year is now 750. The tone of interaction is different, and the level of effort required to meet auditor demands is higher. That’s all. I think it’s a doubling down of the scrutiny to course-correct and over-correct for the SEC’s oversight. That doesn’t mean it’s time to panic. It just means make sure that you’ve produced evidence that supports your compliance objective. That’s it. Keep doing what you’re doing, just make sure it’s documented.
Jason Pufahl 21:28
Yeah, yeah. And on that end, I think we’re starting to see more companies, and smaller companies, have to do compliance activities that they probably didn’t have to do before, and it takes a certain amount of rigor, but I think it honestly does improve things. Especially now, we’re starting to see some real improvements in security posture among smaller companies.
Steven Maresca 21:51
It’s just another echo of the vendor and third-party risk and the overall maturity improvements that make social engineering more attractive. Across the board, everybody’s getting better; therefore, we have to hit some of the higher notes to ensure we’re keeping the ship upright.
Jason Pufahl 22:09
Yeah, and I feel like, you know, one of the main themes that we’ve got here in these predictions is a little bit more of a focus on the person rather than technology. I mean, there’s definitely an element where the technology is generally widely deployed for a variety of reasons, right? Insurance, compliance, etc. And people remain pretty easy to trick, in spite of, I think, an uptick in social awareness, yeah, just general awareness.
Steven Maresca 22:40
This, to me, feels like an inflection point, though. We’ve talked about that changing dynamic for multiple years now, especially as driven by working from home and, you know, pandemic concerns and things like that, where multi-factor was not widely deployed, but now we’ve reached saturation. Yeah, we’re at the point where what we were predicting is starting to shift, and I think it will make for a very interesting landscape going into ’26.
Jason Pufahl 23:06
Right? Fair. Well, you’ve got our set of maybe eight or ten predictions. Maybe we’ll review next year and see how we did. But I think this is a pretty safe list. If anybody has any questions, wants to talk more about any of these, or is concerned about anything, reach out. We’re always happy to talk. But as always, we hope you got something valuable from today’s episode, and thanks for listening.
Narrator 23:30
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant. Stay resilient. This has been CyberSound.