DeepFake: The Deeply Disturbing Implications Behind This New Technology

Reading Time: 3 minutes

DeepFake is a term you may have heard lately. The term is a combination of “deep learning” and “fake news”. Deep learning is a class of machine learning algorithms that impact image processing, and fake news is just that – deliberate misinformation spread through news outlets or social media. Essentially, DeepFake is a process by which anyone can create audio and/or video of real people saying and doing things they never said or did. One can imagine immediately why this is a cause for concern from a security perspective.

DeepFake technology is still in its infancy and can be easily detected by the untrained eye. Things like glitches in the software, current technical limitations, and the need for a large collection of shots of other’s likeness from multiple angles in order to create fake facial models can make this a difficult space for hackers to master. While not a security threat now, given how easy it is to spot manipulations, the possibility of flawless DeepFakes is on the horizon and, as such, yields insidious implications far worse than any hack or breach.

The power to contort content in such a way yields a huge trust problem across multiple channels with varying types of individuals, communities, and organizations: politicians, media outlets, brands and consumers just to name a few. While the cyber industry focuses on the severity of unauthorized data access as the “problem,” hackers are shifting their attacks to now modify data while leaving it in place rather than holding it hostage or “stealing” it. One study from Sonatype, a provider of DevOps-native tools, predicts that, by 2020, 50% of organizations will have suffered damage caused by fraudulent data and software, while another  report by DeepTrace B.V, a company based in Amsterdam building technologies for fake video detection and analysis, states, “Expert opinion generally agrees that Deepfakes are likely to have a high profile, potentially catastrophic impact on key events or individuals in the period 2019-2020.”

What do hackers have to gain from manipulated data?

  • Political motivation – From propaganda by foreign governments to reports coming from an event and being altered before they reach their destination, there are many ways this technology can impact public perception and politics across the globe. In fact, a quote from Katja Bego, Senior Researcher at Nesta says, “2019 will be the year that a malicious ‘deepfake’ video sparks a geopolitical incident. We predict that within the next 12 months, the world will see the release of a highly authentic looking malicious fake video which could cause substantial damage to diplomatic relations between countries.” Bego was right about Deepfake being introduced to the market this year, so we will see how it develops in the near future.

 

  • Individual impacts –It’s frightening to think that someone who understands this technology enough could make a person do or say almost anything if convinced enough. These kinds of videos if persuasive enough, have far reaching impacts on individuals, such as relationships, jobs, or even personal finances. If anyone can essentially “be you” through audio or video, the possibilities of what a hacker could do are nearly limitless.

 

  • Business tampering – While fraud and data breaches are by no means a new threat in the business and financial sectors, Deepfakes will provide an unprecedented means of impersonating individuals. This will contribute to fraud in traditionally “secure” contexts, such as video conferencing and phone calls. From a synthesized voice of a CEO requesting fund transfers, to a fake client video requesting sensitive details on a project, these kinds of video and audio clips open a whole new realm of fraud that businesses need to watch out for.

While the ramifications of these kinds of audio and video clips seem disturbing, DeepFake technology can be used for good. New forms of communication are cropping up, like smart speakers that can talk like our favorite artists, or having our own virtual selves representing us when we’re out of office. Most recently, the Dalí Museum in Florida leveraged this technology to create a lifelike version of the Spanish artist himself where visitors could interact with him. These instances show us that DeepFake is a crucial building block in creating humanlike AI characters, advancing, robotics, and widening communication channels around the world.

In order to see the benefits and stay safe from the threats, it is no longer going to be enough to ensure your security software is up to date or to create strong passwords. Companies must be able to continuously validate the authenticity of their data, and software developers must look more deeply into the systems and processes that store and exchange data. Humans continue to be the beginning and ending lines of defense in the cyber-scape, and while hackers create DeepFakes, the human element of cyber security reminds us that just as easily as we can use this technology for wrongdoing, we have the power to use it to create wonderful things as well.

Photo by vipul uthaiah on Unsplash

How Cyber Security Can Be Improved

Reading Time: 5 minutes

Every day we get more interconnected and that naturally widens the threat surface for cybercriminals. In order to protect vulnerabilities and keep pace with hacker methods, security – and non-security professionals must understand how to protect themselves (and their companies). And that involves looking for new ways to improve cyber security. To start, we believe cyber security can be improved by focusing on three areas: enterprise-wide cyber awareness programs, within cyber teams via persistent training, and in communication between the C-suite and the CISO. Check out our recommendations below and if you have a strategy that worked to improve cyber security in your company or organization, we’d love to hear about it.

Company-Wide Security Awareness Programs

Regardless of company size or budget, every person employed at a business should understand fundamental cyber concepts so they can protect themselves from malicious hackers. Failure to do so places the employee and the company at risk of being attacked and could result in significant monetary and reputation damages.

Simple knowledge of what a phishing email looks like, what an unsecured website looks like, and implications of sharing personal information on social media are all topics that can be addressed in a company-wide security program. Further, staff should understand how hackers work and what kinds of tactics they use to get information on a victim to exploit. Reports vary but a most recent article from ThreatPost notes that phishing attempts have doubled in 2018 with new scams on the rise every day.

But where and how should companies start building a security awareness program—not to mention a program that staff will actually take seriously and participate in?

We believe in the power of gamified learning to engage employees in cyber security best practices.

Our mobile app inCyt helps novice and non-technical professionals learn the ins and outs of cyber security from hacking methods to understanding cyber definitions. The game allows employees to play against one another in a healthy, yet competitive, manner. Players have digital “hackables” they have to protect in the game while trying to steal other player’s assets for vulnerabilities to exploit. The back and forth game play teaches learners how and why attacks occur in the first place and where vulnerabilities exist on a variety of digital networks.

By making the learning fun, it shifts the preconceived attitude of “have to do” to “want to do.” When an employee learns the fundamentals of cyber security not only are they empowering themselves to protect their own data, which translates into improved personal data cyber hygiene, but it also adds value for them as professionals. Companies are more confident when employees work with vigilance and security at the forefront.

Benefits of company-wide security awareness training

  • Lowers risk – Prevents an internal employee cyber mishap with proper education and training to inform daily activities.
  • Strengthens workforce – Existing security protocols are hardened to keep the entire staff aware of daily vulnerabilities and prevention.
  • Improved practices – Cultivate good cyber hygiene by growing cyber aptitude in a safe, virtual environment, instead of trial and error on workplace networks.

For more information about company-wide cyber learning, read about our award-winning mobile app inCyt.

Persistent (Not Periodic) Cyber Training

For cyber security professionals like network analysts, IT directors, CISOs, and incident responders, knowledge of the latest hacker methods and ways to protect and defend, govern, and mitigate threats is key. Today’s periodic training conducted at off-site training courses has and continues to be the option of choice—but the financial costs and time away from the frontlines makes it a less-than-fruitful ROI for leaders looking to harden their posture productively and efficiently.

Further, periodic cyber security training classes are often dull, static, PowerPoint-driven or prescriptive, step-by-step instructor-driven—meaning the material is often too outdates to be relevant to today’s threats—and the learning is passive. There’s minimal opportunity for hands-on learning to apply learned concepts in a virtualized, safe setting. These roadblocks make periodic learning ineffective and unfortunately companies are spending thousands of dollars every quarter or month to upskill professionals without knowing if it’s money well spent. That’s frustrating!

What if companies could track cyber team performance to identify gaps in security skills—and do so on emulated networks to enrich the learning experience?

We believe persistent training on a cyber range is the modern response for companies to better align with today’s evolving threats. Cyber ranges allow cyber teams to engage in skill building in a “safe” environment. Sophisticated ranges should be able to scale as companies grow in security posture too. Our Project Ares cyber learning platform helps professionals develop frontier learning capabilities on mirrored networks for a more authentic training experience. Running on Microsoft Azure, enterprise, government and academic IT teams can persistently training on their own networks safely using their own tools to “train as they would fight.”

Browser-based, Project Ares also allows professionals to train on their terms – wherever they are. Artificial intelligence via natural language processing and machine learning support players on the platform by acting as both automated adversaries to challenge trainees in skill, and as an in-game advisor to support trainee progression through a cyber exercise.

The gamified element of cyber training keeps professionals engaged while building skill. Digital badges, leaderboards, levels, and team-based mission scenarios build communicative skills, technical skills, and increase information retention in this active-learning model of training.

Benefits of persistent cyber training

Gamifying cyber training is the next evolution of learning for professionals who are either already in the field or curious to start a career in cyber security. The benefits are noteworthy:

  • Increased engagement, sense of control and self-efficacy
  • Adoption of new initiatives
  • Increased satisfaction with internal communication
  • Development of personal and organizational capabilities and resources
  • Increased personal satisfaction and employee retention
  • Enhanced productivity, monitoring and decision making

For more information about gamified cyber training, read about our award-winning platform Project Ares.

CISO Involvement in C-Suite Decision-Making

Communication processes between the C-suite and CISO need to be more transparent and frequent to achieve better alignment between cyber risk and business risk.

Many CISOs are currently challenged in reporting to the C-suite because of the very technical nature and reputation of cyber security. It’s often perceived as “too technical” for laymen, non-cyber professionals. However, it doesn’t have to be that way.

C-suite execs can understand their business’ cyber risks in the context of business risk to see how the two are inter-related and impact each other.

A CISO is typically concerned about the security of the business as a whole and if a breach occurs at the sake of a new product launch, service addition, or employee productivity, it’s his or her reputation on the line.

The CISO perspective is, if ever a company is deploying a new product or service, security should be involved from the get-go. Having CISOs brought into discussions about business initiatives early on is key to ensuring there are not security “add ons” brought in too late in the game. Also, actualizing the cost of a breach on the company in terms of dollar amounts can also capture the attention of the C-suite.

Furthermore, CISOs are measuring risk severity and breaking it down for the C-suite to help them understand the business value of cyber.  To achieve this alignment, CISOs are finding unique ways to do remediation or cyber security monitoring to reduce their workloads enough so they can prioritize communications with execs and keep all facets of the company safe from the employees it employs to the technologies it adopts to function.

Improving Cyber Security for the Future

Better communications between execs and security leaders, continual cyber training for teams, and company-wide cyber learning are a few suggestions we’ve talked about today to help companies reduce their cyber risk and harden their posture. We’ve said it before and we will say it again: cyber security is everyone’s responsibility. And evolving threats in the age of digital transformation mean that we are always susceptible to attacks regardless of how many firewalls we put up or encryption codes we embed.

If we have a computer, a phone, an electronic device that can exchange information in some way to other parties, we are vulnerable to cyber attacks. Every bit and byte of information exchanged on a company network is up for grabs for hackers and the more technical, business, and non-technical professionals come together to educate and empower themselves to improve cyber hygiene practices, the more prepared they and their company assets will be when a hacker comes knocking on their digital door.

Photo of computer by rawpixel.com from Pexels

Top 10 Cyber Myths

Reading Time: 1 minute

The top cyber security myths CISOs and security professionals fall victim to. Empower yourself with persistent training and skill building instead.

Oil and Gas Cyber Security: Understanding Risks, Consequences, and Proactive Measures

Reading Time: 4 minutes

The oil and gas sector is susceptible to security vulnerabilities as it adopts digital communication methods that help power energy production and distribution. To understand the cyber threats to the oil and gas industry, there exist approximately 1,793 natural gas-powered electricity plants in the U.S. and they generated 34% of the nation’s electricity in 2018. Much of how we live and work is dependent upon the energy produced from oil and gas production, including everyday cooking, heating/cooling, communication, and use of electronic devices and appliances. Therefore, even the smallest cyber attack on one of the thousands of interconnected and digital systems can pose a serious cyber risk to oil and gas production.

A company that goes through an attack can experience a plant shutdown, equipment damage, utility interruptions, production shutdown, inappropriate product quality, undetected spills, and safety measure violations—to name a few. Recently, 87% of surveyed oil and gas senior executives have reported being affected by cyber incidents in the past 12 months. Further, 46% of attacks in Operational Technology go undetected.

Cyber Attacks on Oil and Gas, Energy, Utilities Companies in History

Security threats to the oil and gas industry have already manifested across facilities worldwide with no signs of slowing down.

  • In 2010, Stuxnet, a malicious computer worm, was used to hijack industrial control systems around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. It reportedly destroyed a fifth of Iran’s nuclear centrifuges. The worm was delivered through a worker’s thumb drive.
  • In August 2012, a person with privileged access to one of the world’s leading National Oil Companies’ (NOCs’) computers unleashed a computer virus called Shamoon (disk-wiping malware). This virus erased three quarters (30,000) of the company’s corporate personal computers and resulted in an immediate shutdown of the company’s internal network.
  • National Security Authority Norway said 50 companies in the oil sector were hacked and 250 more were warned to check their systems, in one of the biggest hacks in Norway’s history.
  • Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States, gained cyber keys necessary to access systems that regulate flow of natural gas. In January 2015, a device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel. Several Guardian AST gas-tank-monitoring systems have suffered electronic attacks possibly instigated by hacktivist groups.
  • In December 2018, Saipem fell victim to a cyber attack that hit servers based in the Middle East, India, Aberdeen and Italy.

These examples show other oil and gas companies the consequences that arise from insecure cyber environments, vulnerable systems, and cyber teams that lack the latest skills to stay ahead of attackers.

How Circadence Can Help

To manage security risks in the oil and gas sector while lessening the attack surface, cyber security teams need to be prepared to address all possible scenarios that can occur in order to effectively protect and defend infrastructures.

Project Ares® cyber security learning platform can prepare cyber teams with the right skills in immersive environments that emulate their own oil and gas networks to be most effective. It is designed for continuous learning, meaning it is constantly evolving with new missions rapidly added to address the latest threats in the oil and gas industry. Further, targeted training can be achieved from the library of mission scenarios to work on specific skill sets.

Training in cyber ranges is a great way to foster collaboration, accountability, and communication skills among your cyber team as well as cross-departmentally. Persistent and hands-on learning will help take your cyber team to the next level. Benefits of this kind of learning include:

  • Increased engagement – by keeping learners engaged they are able to stay focused on the subject matter at hand
  • Opportunities to close skills gaps immediately – instant feedback, instruction, and critique make it easy for learners to benefit from interaction with the instructor and peers and immediately implement this feedback to improve
  • Risk mitigation and improved problem-solving – hands-on training allows learners to master skills prior to working in real-world environments. People can work through tough scenarios in a safe training environment – developing problem-solving skills without risk.

By placing the power of security in human hands, cybersecurity teams can proactively improve a company’s ability to detect cyber-related security breaches or anomalous behavior, resulting in earlier detection and less impact of such incidence on energy delivery, thereby lowering overall business risk. Users are the last line of defense against threat actors so prioritizing gamified training for teams will foster the level of collaboration, transparency, and expertise needed to connect the dots for cybersecurity in oil and gas sectors.

This solution coupled with proper collaboration between IT and OT divisions to share real-time threat intelligence information will do wonders for companies looking to stay out of the negative news headlines and stay safe against an attack.

Download our Infographic “oil and gas cybersecurity” for more details on cyber readiness and training.

oil_gas_infographic

DOWNLOAD INFOGRAPHIC

Keeping Critical Infrastructure Strong and Secure

Reading Time: 2 minutes

November is Critical Infrastructure Security and Resilience Month, a nationwide effort to raise awareness and reaffirm the commitment to protect our Nation’s critical infrastructure.  Circadence’s mission is to build awareness about how next-generation cybersecurity education and training can improve cyber preparedness. This month is an excellent time to talk about that in relation to critical infrastructure.

“We are seeing government agencies and companies work to make systematic, holistic, and cultural changes through improved cybersecurity standards, best practices, processes, technology, and workforce,” said Josh Davis, Director of Channels. “The massive, distributed, and legacy infrastructure we have today demands a layered security approach that focuses on building a true understanding of what’s at risk within critical infrastructure systems —and that requires a targeted focus on the people who operate these systems both digitally and physically.”

We know critical infrastructure as the power we use in our homes and businesses, the water we drink, the transportation systems that get us from place to place, the first responders and hospitals in our communities, the farms that grow and raise our food, the stores we shop in, and the communication systems we rely on for business as well as staying connected to friends and family. The security and resilience of this critical infrastructure is vital not only to public confidence, but also to the Nation’s safety, prosperity, and well-being.

During November (and year-round), Circadence focuses on engaging and educating public and private sector partners to raise awareness about the security posture of the systems and resources that support our daily lives, underpin our society, and sustain our way of life. Safeguarding both the physical and cyber aspects of critical infrastructure is a national priority that requires public-private partnerships at all levels of government and industry.

Managing risks to critical infrastructure involves preparing for all hazards and reinforces the resilience of our assets and networks.

This November, help promote Critical Infrastructure Security and Resilience Month by:

Our virtualized cyber ranges-as-a-service (CyRaaSTM) provide public/private entities the opportunity to train in realistic cyber environments that mirror their actual interconnected, internet-of-things networks. These virtualized ranges can model the digital footprints of companies, agencies, entire city networks and even Nation State operation exercises, into living physical and fifth domain environments. Teams can collaborate and train together to test and improve their cyber skills in protected environments that can scale and flex as their organizations’ inter-connected structure does, but without impacting live systems and networks.

By combining Circadence’s Project Ares®, Orion Mission Builder™, and StrikeSet™, your organization can learn and grow without impacting your operations. This next-generation combination transforms traditional lecture-based learning, taking it out of the classroom and into interactive real-world environments, at any scale, anytime, anywhere.

We all need to play a role in keeping infrastructure strong, secure, and resilient. We can do our part at home, at work, and in our community by being vigilant, incorporating basic safety practices and cybersecurity behaviors into our daily routines, and making sure that if we see something, we say something by reporting suspicious activities to local law enforcement.

To learn more, visit www.dhs.gov/cisr-month.