The Cyber Threat landscape in 2023
The digital world is complex and cyber threats appear to be around every corner. What we need to do however is look at how we can enable people and keep them safe from common (realistic) threats that they will almost certainly face (rather than saying everything is a risk!). The intent of this post is to tackle key common threats, risks and vulnerabilities (and countermeasures). It is high level, it is generic and general, it is not a bespoke tailored guide for each person. It does not cover every single risk scenario someone may face; it simply looks at what I think people may want to focus on (given what I see). (I’m having to caveat this loads to try and stop the tin foil hat loonies making a scene about edge cases I haven’t covered.)
Common Cyber Threats
This list is not every possible attack that could or may occur, but it’s a view on common threats that most people may face:
- Scammers/Fraudsters – they are trying to get your money!
- Internet based authentication attacks (stolen credential use)
- Phishing – of all forms (via email, SMS, WhatsApp message etc.)
- Malvertising (Malware delivered via adverts)
- Backdoored Apps
- Device loss/Device Theft
- Device Theft + Bank Drains (targeted, typically to high net worth)
- Car theft/Car belonging theft, via contactless key amplification and redirection attacks.
What are the criminals trying to get?
This is a typical view; clearly the world is varied, but largely what I see in the cyber crime space is people trying to get financial benefit!
- Credentials/Account Access
- Malware on your devices
- They are also trying to use your accounts to spread (be that via emails or social media etc)
What are they generally not trying to do?
High-cost digital crimes that require close physical proximity, where the access requirements are expensive, the level of surveillance (active or passive) needed is high, and where they have a low probability of success.
Most digital crimes I see are conducted via the internet, not via proximity attacks. That isn’t saying proximity attacks don’t occur, they do. They are typically device theft (mobiles) and they sometimes involve attempts to drain bank accounts.
Common Vulnerabilities
- Weak passwords/Re-used passwords
- Lack of Multi factor authentication
- Unpatched software:
  - Devices (mobile: Android/iOS; desktop: PC/Mac)
  - Web browsers
- Out of date antivirus software
- Malicious applications (I believe this to be largely more prevalent on the play store vs apple store)
- Weak mobile device security e.g., no PIN or simple PIN
- Lack of backups or backups that can be easily compromised (e.g., online backups)
- Car keys left by the front door.
I want to talk about phishing. You will see here I haven’t said “do not click on dodgy links”; I haven’t said this because I don’t believe me saying this works. It’s not just me that says this, the UK NCSC do as well:
What I will say is I think people should be mindful of the activities they are conducting in cyber space. They should of course deploy controls, and of course they should use common sense (which is never common). There’s some guidance on phishing from NCSC here:
I don’t want to give people a list of 1000 things they need to do. I want to talk about the most important ones (when we are talking in a broad sense to a wide audience without context). Clearly each person’s scenario is unique to them, and they should consider all the details, however if I had to abstract and generalise, I would say:
- Set strong and unique (pass phrases) passwords.
- Use a password manager if you can; this makes the process far simpler.
- Enable multi factor authentication.
- Ensure your device and apps are set to automatically update.
- Ensure you have antivirus/antimalware services enabled and up to date.
- Ensure you have strong controls to protect mobile devices.
- Ensure your important and sensitive information is backed up.
- Enable key device safety features such as find my device, remote lock/wipe etc.
- Put your car keys (if they are contactless entry/start) in a safe place away from the front door, ideally inside a container that shields them from amplification and reflection attacks.
- Speak to your bank about how to protect your financial assets. You may want to deploy a multi-account scenario or spread money between different banks.
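As an added example (not part of the original post), here is a small Python script illustrating the first two bullets above and the "weak/re-used passwords" item from the vulnerabilities list: it audits a constructed set of account passwords for the weaknesses called out (common, short, re-used across accounts) and generates a random passphrase in the style a password manager would. The word list, the set of "common" passwords and the sample accounts are all constructed for illustration; a real password manager or audit tool uses far larger lists (the EFF long word list, for instance, has 7,776 entries).

```python
import math
import secrets
from collections import defaultdict

# Constructed, deliberately small word list for illustration only.
# A real passphrase list (e.g. the EFF long word list) has 7,776 entries,
# which is what makes each word worth ~12.9 bits of entropy.
WORDLIST = [
    "anchor", "basket", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
    "quartz", "river", "saddle", "tundra", "umbrella", "velvet", "walnut", "zephyr",
]

# Constructed sample of passwords that appear in every leaked-credential list;
# a real audit checks against a far larger breach corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def generate_passphrase(n_words=5, wordlist=WORDLIST, sep="-"):
    """Build a passphrase from randomly chosen words using the CSPRNG in `secrets`."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of an n-word passphrase drawn uniformly from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def audit_passwords(accounts, min_length=12):
    """Flag weak, common and re-used passwords.

    accounts: mapping of account name -> password (as exported from a password manager).
    Returns mapping of account name -> list of findings (empty list means nothing found).
    """
    # Group accounts by password so re-use can be reported across the whole set.
    sites_by_password = defaultdict(list)
    for site, pw in accounts.items():
        sites_by_password[pw].append(site)

    findings = {}
    for site, pw in accounts.items():
        issues = []
        if pw.lower() in COMMON_PASSWORDS:
            issues.append("common")
        if len(pw) < min_length:
            issues.append("short")
        others = sorted(s for s in sites_by_password[pw] if s != site)
        if others:
            issues.append("reused:" + ",".join(others))
        findings[site] = issues
    return findings


# Constructed sample vault: one common password, one re-used across two sites, one strong.
SAMPLE_ACCOUNTS = {
    "email": "password1",
    "bank": "Tr0ub4dor&3",
    "forum": "Tr0ub4dor&3",
    "shop": "correct-horse-battery-staple",
}

if __name__ == "__main__":
    for site, issues in audit_passwords(SAMPLE_ACCOUNTS).items():
        print(f"{site:6} {'OK' if not issues else ', '.join(issues)}")
    print("suggested replacement:", generate_passphrase())
    print(f"5 words from a 7,776-word list ~ {passphrase_entropy_bits(5, 7776):.1f} bits")
```

The re-use check is the part worth copying: a password that is long and uncommon is still a problem if it guards both the email account and the bank, because a leak from one site is then a working login for the other.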
There’s a phrase I think people might find some use from:
“Criminals don’t hack in, they log in!” – lots of people who work in cyber security
Digital risk is a vast and deep subject, and I can by no means threat model and design a cyber defence plan for the world that meets everyone’s unique requirements. I can however use science, data, and experience to consider the likely threats and countermeasures. There’s loads more tips like ensuring you have a secure configuration, having incident plans, using web content filtering etc. but honestly, I look at how bad passwords are (from when I do password audits) and I want to focus on some of the key areas I see!

If you are a high net worth individual, you may face significantly different threats than if you are not. The same applies if you have a sensitive job. Your geographic location and circumstances may also change your landscape.
The key thing here is, you need to think about your devices, your services, and what scenarios you need to defend against. If this blog does nothing except stop you having weak and re-used passwords then it will have improved the world a little; if it makes you enable MFA that’s even better! Security improvement is a journey, every step we take is better than accepting the status quo! Digital security isn’t about perfection, it’s about keeping you reasonably safe against a massive array of scenarios and threats.
And if you want somewhere else to go, please head to the UK NCSC guidance for individuals: