3 minute read
EXECUTIVE BIO
As the Director of Cyber Threat Research at ImmersiveLabs, I spend my time researching new and emerging threats and vulnerabilities. Then we create practical hands-on environments to test Red and Blue team skills against these threats.
Executive Bio
Advertisement
Steve Grobman
TITLE: CTO
COMPANY: MCAFEE
LOCATION: UNITED STATES a few categories that are popular, easy to use, and appear harmless. Although some malicious apps offer legitimate functionality, just because a free app works does not mean it lacks ulterior motives.
Senior vice president and chief technology officer at McAfee. Sets the technical strategy and direction to create technologies that protect smart, connected computing devices and infrastructure worldwide. Leads McAfee’s development of next generation cyber-defense and data science technologies, and threat and vulnerability research.
“Our mobile devices are an essential part of our daily lives now more than ever. They allow us to access a wealth of information and entertainment and provide the freedom to be productive from almost anywhere,” says Steve Grobman, Chief Technology Officer, McAfee. “Unfortunately, they also provide cybercriminals with greater access to potential victims.”
Cybercriminals frequently employ encryption to conceal their malicious code from reviewers, or they insert a delay to prevent the app's malicious intent from appearing until after it has been published in the app store.
With OpenAI's AI image generator, DALL-E 2, a wave of AI-based mobile applications that create artistic images based on photos emerged. While some of these apps are genuine, others may be malicious apps seeking to exploit recent AI trends.
6.2% of threats that McAfee identified on Google during 2022 were in the
‘Communication’ category, mainly malware masquerading as SMS apps. But even legitimate communication apps can create an opportunity for scammers. They will use fraudulent messages to trick consumers into clicking on a malicious link, trying to get them to share login credentials, account numbers, or personal information.
Though these messages sometimes contain spelling or grammar errors, or use odd phrasing, the emergence of AI tools like ChatGPT can help scammers clean up their spelling and grammar mistakes, making it tougher to spot scam messages by mistakes in the content. The severity of these communication threats is also evident in the volume of adults (66%) who have been messaged by a stranger on social media, with 55% asked to transfer money.
A total of 23% of threats that McAfee identified were in the "Tools" app category. Work-related apps for mobile devices are great productivity boosters – categories like PDF editors, VPNs, messaging managers, document scanners, battery boosters, and memory cleaners.
These types of apps are targeted for malware because people expect the app to require permissions on their phones. Asking for permissions to storage, messaging, calendars, contacts, location, and even system settings is not unusual and enables scammers to retrieve all sorts of work-related information.
9% of threats that McAfee identified were games from app categories such as casual, arcade, and action. Malicious apps often target things that children and teens like, such as gaming, making videos, and managing social media. The most common types of threats detected within the gaming category in 2022 was aggressive adware – apps that display excessive advertisements while using the app and even when you're not using it.
Application Security 101 - What you need to know in 8 minutes
“It’s important to make sure that kids’ phones are either restricted from downloading new apps, or that they’re informed and capable of questioning suspicious apps and identifying fraudulent ones,” says McAfee.
The need for upskilling
To safeguard companies, application development teams need to upskill their people, prepare for rapidly evolving vulnerabilities, and prove their readiness to confront them.
“Despite the marketing hype, AppSec software and classroom-based training exercises alone fail to meet the mark,” comments Breen. “While AppSec software can provide a first line of defence, it can’t measure preparedness. Likewise, making teams take online cyber-security quizzes or get a one-time certificate is woefully inadequate for developing the skills necessary to thwart emerging threats.
“Today, a new people-centric approach to team learning and preparedness called Cyber Workforce Resilience is paving the way for better security. The future of AppSec will include sophisticated tools that simulate real-world threat situations, allow teams to practise effective security protocols without fear of breaking their code, and help enterprises benchmark capabilities across the entire SDLC.”
As Breen concludes, cyber resilience for organisations will increasingly be expanded to the entire workforce. “Savvy enterprises are already implementing such tools to protect their end-users, reputations, and revenues,” he says, “while proving their preparedness to senior leadership teams and their boards.”
