2025 Public Sector Perspectives
One broken identity link in the chain enables a device to be ported through a telecommunication company’s help desk, which is exactly what the threat actor wants in this new attack. By creating an additional identity-factor breach, the device identity is compromised, which starts a domino effect across the vulnerability landscape. This can have profound consequences for an individual who has synced account authentication steps to that compromised device. With SIM swapping, the usually reliable device identity, and its role in the multifactor identity world, will have to be carefully monitored if not modified. Adversaries are targeting cloud secret code managers, changing administrator policies, and then adding an access key to block and take over a target’s personal accounts. Financial institutions must prioritize broad-based identity protection like never before.

Sign seven: Supply chain and network vulnerabilities

This has been the year of supply chain vendor attacks, with a sharp increase in the exploitation of trusted software and software vendors keeping pace with the rapid expansion and increased interconnectedness of global supply chains. Oftentimes, third-party vendors are vulnerable because they tend to use off-the-shelf components, third-party application programming interfaces (APIs), open-source code, and multiparty proprietary code. As the supply chain expands, the threat expands exponentially.

Another vulnerability in the supply chain is network peripheral devices. Cybercriminals are targeting backup storage, virtual private networks, firewalls, and mobile phones, which are easier to breach than a managed laptop or workstation. For example, in 2023 there was a 50% increase in zero-day exploits in the wild [1] and 1,500 more common vulnerabilities and exposures disclosed compared to 2022. [2] There was a 180% increase in the exploitation of vulnerabilities as the critical path action to initiate a data breach, almost tripling the numbers observed in 2022. [3]

Cybercriminals also set up URLs that are easy to confuse with legitimate ones to create covert watering holes for high-tech eavesdropping on poorly protected Wi-Fi hotspot hubs in airports and hotels, making these sites extraordinarily attractive to cybercriminals. It is critical for us to prioritize finding secure solutions to unmanned networks and internet-exposed services.

Sign eight: The new “cyber everything-as-a-service” model

Trendy new business models are being developed and deployed without strenuous security and vulnerability testing, which is propagating the ransomware-as-a-service model: developers sell ransomware code or malware to other hackers, or “affiliates,” who then use the code to initiate their own attacks. These “name and shame” models are popular with cybercriminals, allowing them to capitalize on the stigma of being breached. Regulatory disclosure measures have been taken, with public companies being required to disclose material cyberattacks to the Securities and Exchange Commission (SEC) within four business days of the incident.

Sign nine: Damned if you do, and regulatory disclosure consequences if you don’t

Given the breadth of ransomware acceleration, and the pace and scale of the use of name-and-shame tactics, U.S. and other regulators are intensifying their disclosure requirements, such as reducing the window of time firms have to disclose a breach. Although regulatory entities might perceive reporting details of an attack within four days as beneficial to the market, it can place another target on the back of a victim who has not fully recovered from the initial vulnerability. In a world where AI expedites advanced malware generation, efficiency of research, and adversarial operations, exploited institutions have less time to respond, patch vulnerabilities and prepare for disclosure.
[1] https://blog.google/technology/safety-security/a-review-of-zero-day-in-the-wild-exploits-in-2023
[2] https://www.infosecurity-magazine.com/news/2023-26000-vulnerabilities-97/
[3] https://sentrybay.com/180-surge-in-vulnerability-exploitation-threatens-cybersecurity

Citi Perspectives for the Public Sector 33