Rethinking App Security Training, WAFs and Voice Verification with Manicode Founder Jim Manico

Published on: August 16, 2024
Roberto Popolizio

Whatever you know about protecting your online privacy, cybercriminals probably know that too and are already finding new ways to breach your defenses and steal your sensitive data.

It’s hard for everyday people like you and me to always stay on top of threats, vulnerabilities, emerging trends, and overly complex cybersecurity concepts without going nuts. Not to mention the hidden truths no one talks about…

In this new interview series by Safety Detectives, I am talking to cybersecurity experts and business leaders who share untold truths and actionable insights from their experience that will help you be more aware and more effective in protecting your sensitive data while keeping your sanity.

Jim Manico is a sought-after speaker and educator in the cybersecurity community. He founded Manicode Security to educate developers about secure coding techniques, and has been actively involved in advisory roles for multiple companies, including KSOC, Nucleus Security, and 10Security. His extensive experience includes executive positions at WhiteHat Security and co-founding Brakeman Security, Inc. He also authored “Iron-Clad Java: Building Secure Web Applications,” and has been recognized as a Java Champion and a Java “rockstar” speaker.

What inspired you to pursue a career in cybersecurity? Can you share the story with us?

I have been a professional software developer since the late ’90s. I was living on Kauai almost 20 years ago when I met Stephen Northcutt. Stephen convinced me to work for him at SANS, took me away from the world of software development and welcomed me into the world of cybersecurity. Soon after that I began volunteering for OWASP, which was one of the biggest communities of application security professionals in the world.

There were many security communities 15 years ago, but very few groups of software and application security experts. OWASP has been my “application security home” and still is. I am very grateful for Stephen and the OWASP community for helping me migrate into the world of application security.

What are the most overlooked cyber threats that you see affecting end users in your industry? What makes these threats particularly concerning?

AI is making voice verification in helpdesk systems obsolete. I think the era of voice verification is over. It’s way too easy for even low-resourced threat agents to use AI to bypass voice verification systems.

Traditional voice authentication systems rely on unique vocal characteristics to verify identity, but AI is now able to replicate these characteristics. Just to give an example of how easily AI can trick voice authentication, Joseph Cox managed to access his bank account at Lloyds Bank using an AI-generated replica of his own voice. He just had to play a few audio clips with his duplicated voice to dodge the bank’s voice ID system.

📈  Data Speaks
Synthetic voice fraud is becoming increasingly problematic for financial institutions, driven by advancements in AI and deepfake technologies:

  • A report from Pindrop indicates that 67% of respondents in the banking and finance sector are concerned by the ease with which fraudsters can impersonate clients, particularly in high-stakes environments like wealth management.
  • According to a BioCatch survey, 72% of financial institutions are facing synthetic identity frauds during client onboarding, and 91% of US banks are reconsidering the effectiveness of voice verification systems.

Sources:
https://www.vice.com/en/article/dy7axa/how-i-broke-into-a-bank-account-with-an-ai-generated-voice
https://www.emergingtechbrew.com/stories/2024/06/04/pindrop-report-deepfakes-financial-institutions
https://www.biocatch.com/ai-fraud-financial-crime-survey

What are the best ways to prevent and react to these threats?

Organizations should STOP using voice verification. Stop giving helpdesk professionals universal access to customer records. Force incoming helpdesk customers to go through some form of multi-factor authentication that the helpdesk agent needs to use to get access to that customer’s records. This requires a fairly large re-thinking and re-engineering of helpdesk software.
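One way to implement the helpdesk model described above, as an added example that is not Manicode’s or the interviewee’s code: agents hold no standing access to customer records; a record becomes readable only after the customer completes a one-time-code challenge, and the resulting grant is bound to that agent and customer pair and expires. The `HelpdeskGateway` class, the record data and the `clock` parameter are constructed for illustration.

```python
import hmac
import secrets
import time


class HelpdeskGateway:
    """Hypothetical gateway: an agent can read a customer record only while a
    customer-approved, time-boxed grant for that (customer, agent) pair exists."""

    def __init__(self, records, challenge_ttl=300, grant_ttl=600, clock=time.time):
        self._records = records            # constructed sample data, not real customers
        self._pending = {}                 # challenge_id -> (customer, agent, code, started)
        self._grants = {}                  # (customer, agent) -> issued_at
        self._challenge_ttl = challenge_ttl
        self._grant_ttl = grant_ttl
        self._clock = clock                # injectable so expiry can be tested offline

    def start_challenge(self, customer_id, agent_id):
        """The system, not the agent, verifies the caller: a one-time code is sent to
        the customer out-of-band (authenticator app, push); the agent never sees it."""
        challenge_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[challenge_id] = (customer_id, agent_id, code, self._clock())
        return challenge_id, code          # code returned only so the demo can simulate delivery

    def complete_challenge(self, challenge_id, submitted_code):
        """Single-use: a wrong, unknown or stale code discards the challenge entirely."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        customer_id, agent_id, code, started = entry
        if self._clock() - started > self._challenge_ttl:
            return False
        if not hmac.compare_digest(code, submitted_code):   # constant-time compare
            return False
        self._grants[(customer_id, agent_id)] = self._clock()
        return True

    def read_record(self, customer_id, agent_id):
        """No universal access: deny unless a fresh grant exists for this exact pair."""
        issued = self._grants.get((customer_id, agent_id))
        if issued is None or self._clock() - issued > self._grant_ttl:
            raise PermissionError("no valid customer-approved grant for this record")
        return self._records[customer_id]


if __name__ == "__main__":
    gw = HelpdeskGateway({"cust-42": {"name": "Sample Customer", "balance": 100}})
    challenge_id, code = gw.start_challenge("cust-42", "agent-7")   # code goes to the customer
    print(gw.complete_challenge(challenge_id, code), gw.read_record("cust-42", "agent-7"))
```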

What you as a user can do right now to prevent voice fraud:

  1. Demand that banks and financial institutions use multi-factor authentication (MFA) beyond just voice.
  2. Choose a passphrase or a security question that only you and your trusted contacts will know. Use it to verify the identity of anyone requesting your sensitive information or money transfers.
  3. If you receive a suspicious call, hang up and call back using a number you know is legitimate.
  4. Ask questions that only the real person would be able to answer correctly.
  5. Whenever possible, avoid posting audio recordings on socials. Scammers can use these to clone your voice.
  6. Report any suspicious activity to the authorities or to cybersecurity professionals.

What are some things that people should STOP doing today because it’s damaging the safety of their data, and they don’t realize it?

Allowing back-end web services to have minimal security needs to stop. Most web services, even ones that are not user-facing, should have HTTPS, session management and access control. Many applications use APIs on the backend with minimal security, relying on antiquated network security practices. Consider mutual TLS, strong session management and detailed access control for every web service!

92% of organizations surveyed last year for a report on API security data had experienced an API-related security incident, and 57% of those suffered multiple incidents.

What are some things that people should START doing today that they’re currently not doing to protect their information?

I suggest that all companies with software developers train them early on secure coding practices. I would consider doing this on a yearly basis and rotate your training vendors to get different perspectives. It’s brutally hard to author secure software. Developer education is a crucial first step.

Manicode’s courses combine lectures with live security testing demonstrations and code reviews. This allows developers to actively engage with the material rather than just passively consuming it. The curriculum includes all the essentials of application security like SQL injection, cross-site scripting (XSS), secure SDLC, and mobile security, but it can be tailored to specific subjects such as authentication, session management, and API security based on anyone’s needs.

What common cybersecurity beliefs and practices do you passionately disagree with? Why?

Web Application Firewalls (WAFs) are common in modern cybersecurity defenses, designed to filter and monitor HTTP traffic between a web application and the Internet. They are built to protect web applications from common attacks such as SQL injection, cross-site scripting (XSS), and the other OWASP Top 10 threats. However, there is a trend where organizations overly rely on WAFs as their only line of defense when it comes to protecting software.

Over-reliance on WAFs can lead to a false sense of security and significant vulnerabilities. Here’s why:

1. WAFs Are Not a Substitute for Secure Coding
A WAF can detect and block malicious inputs, but it cannot fix the underlying vulnerabilities in your code.

2. WAFs Can Be Bypassed
Advanced attackers continually evolve their techniques to bypass WAF protections. The SSRF attack against Capital One famously bypassed Amazon’s WAF.

3. Performance and Scalability Issues
WAFs can introduce latency and affect the performance of web applications, particularly in high-traffic environments.

4. False Sense of Security
One of the most dangerous outcomes of over-relying on WAFs is the false sense of security they create. Believing that a WAF alone can protect against all web application attacks can lead to complacency in other areas of application security.

What other gaps do you see in the current state of cybersecurity awareness available? What can be done to improve that?

Many software developers wait to learn about detailed application security until late in the software development process. The push to “shift left” in AppSec is all about addressing security very early in the software lifecycle. Having your developers trained in AppSec early, doing threat modeling early and setting up an automated software security testing framework early are all helpful ways to ensure that your team has a chance of deploying secure software.

From my experience all software developers are now security engineers whether they know it, admit to it or do it. Your code is now the security of the org you work for.

What emerging technologies, trends and new threats do you believe will have a great impact in the next 5-10 years? How do you plan to adapt to these changes?

AI is going to give attackers incredibly sophisticated offensive capabilities. This is such a significant emerging threat that the US Government called it out in the September 2023 presidential order on AI as a major risk to critical infrastructure. As developers, we need to use AI for defensive purposes to counter this emerging threat. AI can be used for all things AppSec: reviewing code, building secure code, creating next-generation software firewalls, and much more.

How can our readers follow your work?

Website: https://manicode.com

LinkedIn: https://www.linkedin.com/in/jmanico/

X: https://x.com/manicode

About the Author

Roberto Popolizio

Over a decade spent helping affiliate blogs and cybersecurity companies increase revenue through conversion-focused content marketing and Digital PR linkbuilding.