Artificial intelligence (AI) will simultaneously exist as an offensive threat and a defensive asset in the realm of cyber security in 2019, according to Symantec.
The global cyber security giant has released its cyber security predictions for 2019 and beyond, detailing what it believes will be critical shifts in the new year.
Speaking in Sydney, Symantec’s Asia-Pacific CTO Nick Savvides detailed some of the cyber security trends which Symantec forecasts hitting individuals and businesses in 2019.
1. Attackers will exploit AI systems and use AI to aid assaults
“We started to see this in 2018; in 2019 this will become a very big thing,” said Savvides.
Spear phishing attacks – scams targeted at a specific individual – can now be completed by AI, meaning the volume of such attacks will explode.
“AI will be used to perform social engineering at scale.”
Additionally, AI technology can create and circulate fake videos to be used against a company.
Savvides spoke of the “fragility of AI” in the context of cyber security in terms of its ability to evade other systems.
“The whole purpose of an AI is to be able to make decisions,” he said.
“If I use an AI to attack another AI, in terms of corrupting its input, and using an AI to avoid another person’s AI, the strength of the AI that we’re using becomes fragile.
“You’re using a machine to try and learn how to avoid being detected by another machine, and the effectiveness of that machine’s ability to learn to avoid the other machine indicates fragility in the detection system.
“That’s going to be a phrase we hear a lot – AI fragility and the ability to corrupt it or evade it.”
He also predicted that AI will be used to detect vulnerabilities within networks.
2. Defenders will depend increasingly on AI to counter attack and identify vulnerabilities
On the flipside, AI will assist in counter attacks as defenders stand better prepared.
Penetration testing – a costly and time-consuming process for businesses – can now essentially be automated.
“From a defender’s perspective, what we’re going to see is a lot more AI being used inside the organisation in a malicious way, impersonating an attack in order to discover vulnerabilities inside an enterprise’s system,” Savvides said.
Additionally, machine learning techniques can now be used to identify new threats.
AI systems will also be able to advise consumers on their behaviour online and give guidance on appropriate cyber security measures, according to Savvides.
3. Attackers will increasingly capture data in transit
The way in which malicious attacks occur is also expected to change in 2019.
“You have a router at home – the idea here is that data is captured in transit and sent to the attacker – rather than compromising your computer and taking the files,” Savvides explained.
“They’re looking to exploit the data while it’s moving.”
He gave the example of the recent British Airways attack, where personally identifiable information was stolen “in transit” through a software supply chain attack.
Card Verification Value (CVV) numbers are what have led to this style of attack, because the CVV is not stored.
“Attackers have to go for data in transit, so they can get to the data before it goes dark inside these databases.”
4. IoT-based events will move beyond massive DDoS assaults to new, more dangerous forms of attack
The growing number of devices being brought online will continue to provide attackers with an increasingly large avenue to exploit individuals and organisations, Savvides explained.
He predicted that such attacks will be “weaponised” in 2019 in order to manipulate entire markets.
“Let’s say you want to manipulate the energy market, you can control half the smart-thermostats in the city and turn them off in the middle of winter. This can have a major impact on a physical environment,” he said.
“We’re going to see more interesting forms of attacks.”
5. Growing security and privacy concerns will drive increased legislative and regulatory activity
“I consider this year (2018) a transition year for GDPR, much like the Privacy Act here in Australia,” Savvides said.
With similar regulation now appearing right around the world, it won’t be long before companies are found to have breached privacy requirements.
“GDPR is coming for everyone,” he forecast.
“I think that early next year we’re going to see organisations penalised.”
However, there are still concerns over the potential harm of such laws.
“We’ve had a year of transition and there is far more activity in relation to this, and this is being held up as the gold standard,” he said.
“The problem with privacy regulations is that if they’re poorly framed, they may one, stifle innovation, and two, stifle collaboration.”