
Metaverse Cybersecurity: Why Identity Protection Is Essential

Identity is the new perimeter, so when it comes to metaverse cybersecurity, focus on identity management, including guarding against impersonation.

A decade or so ago, security was much simpler (even if it didn't feel that way at the time). Back then, security largely revolved around the network perimeter — essentially your organization's four walls. The idea was that if you could keep the bad actors out and keep your data in, then you were doing a good job. I'm oversimplifying things, of course, but that was more or less the mindset of the time.

Seemingly overnight, however, the network perimeter completely evaporated. Applications were moved to the cloud, users began working from untrusted personal devices, and work from home became a requirement. In the absence of a traditional network perimeter, the new security mantra became "identity is the new perimeter." It essentially meant that since defending the network perimeter was no longer an option, the best way to maintain security was to focus on identity management — and that is especially the case with metaverse cybersecurity.

Building security models around identity management means a lot more than just making sure that users have secure passwords. It also means guarding against impersonation.

Impersonation takes on many forms, and it has become a major problem in recent years. Think about how many stories you have heard about a user who clicked on a malicious link in an email message that they thought was from a trusted coworker. Never mind all of the social engineering attacks that are targeted toward corporate help desks.

Cybercriminals Embrace New Trends — and That Will Include the Metaverse

One of the things that I have always noticed about cybercriminals is that while they often stick to what works, they are very quick to embrace new trends — both in technology and in culture. Let me give you an example.

Phishing attacks have been around for years, and while the message may change, the basic anatomy of such an attack really doesn't evolve that much from one year to the next. So with that in mind, think back a couple of years to the time when COVID-19 first started to become a major problem. Almost immediately, cybercriminals began creating phishing campaigns revolving around messages pertaining to COVID-19 relief funding, the Paycheck Protection Act, and things like that. Because these and other programs were still new, cybercriminals exploited the fact that most people didn't fully understand them yet. The cybercriminals also knew that such programs would generate a lot of interest and therefore sought to capitalize on that interest.

In other words, cybercriminals like to base their scams around things that are new and popular, and will often resort to impersonating a person, company, or government agency as a way of tricking potential victims. Such behaviors are likely to continue as the metaverse begins to become a mainstream technology. Cybercriminals will inevitably create attacks exploiting the idea that most people are still new to the metaverse and are therefore unlikely to recognize a carefully crafted attack.

Metaverse Cybersecurity: What Kinds of Attacks to Expect

So what might such an attack look like? The true nature of attacks in the metaverse remains to be seen, but I suspect that those attacks will be derived from techniques that cybercriminals are already using. Impersonation seems like an obvious choice.

The very nature of the metaverse makes it a social environment. When you encounter another person, you don't actually see them, but rather a 3D avatar that is meant to represent that person. How hard would it be for a cybercriminal to reproduce an avatar and use it to trick people into thinking that they are someone else?

It seems like a given that impersonation will be a big problem in the public metaverse and that the social networking companies will eventually have to come up with a way of positively identifying a metaverse participant. However, impersonation will be far more dangerous in the private metaverse.

Imagine for a moment that an organization has its own private metaverse, or private rooms in the public metaverse. Over time, the users in that organization become comfortable interacting with one another in this environment to the point where they can look at an avatar and know who that avatar represents. Now suppose that this private environment is infiltrated by a cybercriminal who is able to clone a trusted user's avatar. If the attacker impersonates someone from IT, that person might go around telling everyone to install an "update" onto their computers. If the attacker impersonates the CFO, then they might begin asking staff members to process shady bitcoin payments.


The idea that identity is the new perimeter is more than just a security catchphrase. It points to the idea that impersonation could become a huge problem in the metaverse and that users will need to be trained in how to avoid metaverse-based social engineering attacks.
