One of the flashiest and most sophisticated features of Apple’s $1,000 iPhone X is Face ID. In addition to being fun and futuristic, Apple touted this as a way to significantly upgrade security over the more commonly used passwords or Touch ID. But within days of hitting the market, the phone’s facial recognition technology had been hacked.
A Vietnamese security firm reportedly tricked an iPhone X into unlocking using nothing more than a 3D-printed plastic mask with some makeup and paper cutouts applied. This workaround is fairly easy to execute and costs just $150, which seriously discredits Apple’s claim that Face ID is fundamentally more secure and sets a dangerous precedent moving forward — for both users and organizations.
Still, and for a number of reasons, it’s unrealistic to think that 3D-printed masks are the next big threat in cybersecurity. What is far more important to focus on is the fact that biometric security — fingerprint authentication, facial recognition, etc. — is significantly more secure and convenient than passwords, yet it also has flaws that make it vulnerable to hackers. So if one of the world’s greatest tech companies can fall short with this type of security, where does that leave the rest of cybersecurity?
What 2017 Portends for 2018
The release of the iPhone X sparked a race among hackers hoping to be the first to bust the defenses. It was a pursuit partly born out of pride and competition, but a much bigger part was due to cybercriminals being more motivated and tenacious than ever these days.
Cybercrime was top of mind during 2017, often for the wrong reason. While data breaches dominated the news cycle, they aren’t necessarily getting larger. Rather, hackers are getting much better and more refined at what they do. Some have even formed criminal groups that operate much like businesses, investing in technology and talent and carrying out strategic plans. These groups have a lot of resources at their disposal, including technology tools that are proving to be more advanced and accessible every day. The stereotype of the lone hacker in the basement no longer holds, then. Instead, we’re witnessing the evolution of a kind of cyber-mafia.
Moreover, cybercriminals — recently focused on profit — are now motivated by politics and cultural disruption. They are either state-sponsored, as in the recent revelation that North Korea was behind the WannaCry attacks or the Russian backing of the attacks on the Democratic National Committee, or they are carrying out ideological agendas independent of any “official” entity, as was the case with the whistleblower Edward Snowden. For these reasons, today’s hackers are both highly determined and ruthless.
Regardless of whether a hacker is out for financial gain or cultural disruption, though, their strategies are largely the same. As opposed to casting a broad net to steal large pools of data, they’re consistently targeting very specific data assets and applications by going after specific individuals or striking unique system vulnerabilities. This is what makes the desire to disable the iPhone X’s Face ID so poignant: It reveals the increasingly targeted nature of cyberattack strategies.
Why Anyone Could Be a Target in the New Year
The HBO attack of last year is a great example of the current scope of these threats. Even if HBO had a sound cybersecurity strategy in place, few expected a cable TV company to be the main target of hackers, and even fewer anticipated that those hackers’ targets would be not money but intellectual property, like the script to a future “Game of Thrones” episode. By stealing intellectual property, hackers were able to put millions of dollars of ransom on the table, as well as disable HBO’s operations and disrupt its entertainment agenda.
Lesser-known but even more illustrative is the attack on an offshore law firm located on the Isle of Man. Confidential financial information about the world’s richest people was stolen and later publicly released to presumably expose the shady dealings of the super-wealthy in a move reminiscent of Robin Hood.
Both incidents prove that any company with valuable intellectual property or data that can be personally, professionally, or politically embarrassing is at risk. Now that cybercriminals have so many means and so many motives, the threat landscape will accelerate even faster. Organizations should expect to see a higher number of targeted attacks in the coming year.
How Companies Can Still Maintain an Advantage
If there’s any silver lining to these developments, it’s that targeted attacks are easier to dissect and study because they rely on specific strategies. That leads to a better understanding of the present and future threat landscapes and the kinds of protections now necessary.
When cybercriminals can’t find an invitation into a network, they look for easy vulnerabilities to exploit instead. Those are most often found in outdated legacy systems or on-site IT that is not subject to the beneficial updates of the cloud. The unfortunate fact (though one that also illustrates the importance of good cybersecurity practices) is that the data most likely to be targeted is often underprotected.
Many of today’s targeted attacks, such as business email compromise, rely on social manipulation, which is why cybersecurity training is essential for an organization’s workforce. Practicing good governance, providing education and support through IT teams, and acting according to a comprehensive cybersecurity plan are all steps an organization can take to foster a company culture that centralizes and standardizes cybersecurity.
Moreover, protecting unstructured data should be one of an organization’s primary goals. Unlike structured data — such as financial information or Social Security numbers — that organizations know to protect, unstructured data is the data on an enterprise’s network that’s valuable but not clearly slotted into a secured system. HBO’s script to “Game of Thrones,” for example, was unstructured data. But a lot of unstructured data is found in the email inbox, which is full of sensitive information that often exists outside the majority of security protocols. Knowing the value of unstructured data, hackers often seize any opportunity they can to control it and then ransom it back to the affected company.
Ultimately, today’s and tomorrow’s cyber landscapes are fraught with threats. But organizations that prioritize comprehensive cybersecurity strategies with user education, good governance, and cybersecurity tools and that recognize the value of their unstructured data can keep themselves safe — even when it seems like the world is constantly on the brink of falling prey to hackers.
David Wagner has more than 25 years of experience in the IT security industry, and serves as the president and chief executive officer of Zix.