How to Tackle Cyberthreats in the Metaverse

With development of the metaverse still in its early stages, security efforts need to place consumer protections front and center if adoption is to thrive.

Nathan Eddy, Freelance Writer

October 18, 2022


The metaverse is a new reality and a platform that brings both opportunities and challenges. Today's cybersecurity threats are likely to persist in this new era, presenting a multivalent and challenging threat landscape, which will in turn require robust and innovative security solutions.

To develop security solutions tailored to threats arising from metaverse ecosystems, organizations must work with their IT leaders, CISOs, and CIOs to continuously develop new security strategies and identify the current threat landscape.

Padraic O'Reilly, co-founder of risk management firm CyberSaint, says the metaverse could be exploited in ways similar to how security leaders already see the internet being exploited, but in three dimensions, essentially.

This ranges from spoofing, phishing, and identity fraud to malware, ransomware, social media abuse, and watering hole attacks.

“Consider how many virtual storefronts or experiences could be spun up, how many new form-field entries, how many bad URLs there are,” he says. “Conceivably, if the metaverse is avatar-driven, there might even be a kind of kidnapping in play, or a kind of doppelgänger spawning; stealing identity takes on a whole new meaning, really.”

New Level of Anonymity

Cory Cline, senior cybersecurity consultant at nVisium, an application security provider, points out that the metaverse offers a new level of anonymity to individuals interacting with each other.

“This is not a new issue to the metaverse, as people have dealt with conversational integrity since the dawn of social interaction on the internet,” he says.

However, with more and more social and workplace interaction taking place in spaces described as a metaverse, a new level of awareness is required to ensure you are actually speaking with the individual you think you are speaking with.

John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, agrees, noting that almost all cybersecurity threats start with or are furthered by deception of an individual.

“Ultimately, I think most crime on the metaverse will surround deception towards individuals,” he says. “Romance scams entail huge financial losses but are almost completely disregarded when companies consider cybersecurity risks.”

He explains that for most social media companies, ensuring that individuals truly exist (i.e., are not bots) and are authentic (i.e., not scammers running 20 accounts) will remain a problem.

“Social media companies aren’t very far in dealing with this problem as the news around bot usage of Twitter attests,” Bambenek says. “This problem will only expand unabated into the metaverse.”

Zero-Trust Architecture Needed

O'Reilly says zero-trust architecture and more legal protections are required to ensure the security of experiences and transactions in the metaverse.

From his viewpoint, blockchain technology is too authority-averse, and without a central authority backing the purported ironclad data integrity of the blockchain, it will remain vulnerable.

“Security ratings companies, like we have for third-party risk now, will be important for individuals in the metaverse,” he adds. “Security policy, if there is no central authority, will vary from party to party. This is analogous to what I see in risk management, a serious range of maturities with respect to policies and procedures.”

He thinks there won't be one monolithic “security policy”; rather, the large content providers will likely establish and advertise their approach, which means overall security is likely to be patchy.

Bambenek notes that to the extent large tech companies even consider risks of emerging technologies, the risks they consider are risks to themselves, often not their users.

“The pattern of large enterprises simply outsourcing their risks to their userbase will continue for the foreseeable future,” he says.

Cline adds that with metaverse concepts being powered by NFTs and blockchain technology, there is likely to be an increase in associated “pump and dump” schemes intended to funnel money from unsuspecting users.

“Additionally, there is the risk of various phishing campaigns being executed in a more open environment,” he says. “After all, most people expect to see a cartoon character speaking to them in a metaverse; possibly in a modified voice.”

This means threat actors may not need to implement complex deep-fake phishing exercises when all they need is a close-ish username, avatar, and voice to match a target.

Furthermore, employers must be savvy when interviewing in the metaverse due to the possibility of prospective employees sending a “stand-in” for interviews.

“In general, fraud may become more rampant in the new environment,” Cline warns.

Security Focus Should Be on Individuals

Bambenek says that, ultimately, no cybersecurity problem will ever really be solved until we can protect the individual outside the umbrella of a corporate security program.

“There needs to be entities that are working to make individuals safe as they use social media companies or there needs to be effective laws and regulations on technology companies requiring them to make safe environments,” he says.

O'Reilly says if the metaverse is to live up to even a portion of its hype, security will have to be baked in from the start.

“That is, it should be part of the conception, as we see with best practice software development lifecycles,” he explains. “There should be a kind of cyber charter from the largest participants that stresses transparency, and laws for individuals. Cyber is everyone's responsibility in the future.”


About the Author(s)

Nathan Eddy

Freelance Writer

Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.
