How To Secure A Metaverse

The Metaverse is an exciting concept with seemingly endless possibilities. Before enjoying and building this virtual realm, it is critical that we learn from our past and begin with solid privacy and cybersecurity strategies. The following piece from Ntirety CEO Emil Sayegh was originally published in Forbes, and it details security steps that Meta can take. 

 

How To Secure A Metaverse 

Many are wondering about the metaverse and speculating whether it is a hard trend or a soft trend. Questions abound — what it will look like, what will its impact on us be, and how will it interact with our daily lives. At the root of the metaverse concept, physical boundaries will cease to be a limitation of how we engage with others, engage with businesses, and how we consume information. We are opening ourselves up to exposure by novel digital means to a world that will expand without limits. 

For many, the biggest concerns about the metaverse are the aspects of privacy and cybersecurity. As we embark upon this new age of digital exploration, it is critical to structure this world of virtual engagement with secure concepts, grounded principles, and privacy based technologies. We have a lot of work ahead of us to map out the principles of how the real world interacts with this virtual future. 

Rebuilding a (Mostly) Secure World 

The web today has evolved greatly from its earliest days of uncharted freedom and dial-up bound technologies. It didn’t take long, however, before malicious actors, trolls, bots, nation-states, and permutations of digital anomalies changed the game. This landscape of threats and vulnerabilities especially matured as commerce, finance, and general businesses came to adopt web-based technologies. 

We are going to have to re-envision many things all over again, including things we don’t really think about frequently anymore. Definitions, rights, laws and regulations, and our collective perspectives will all have to be re-engaged quickly as the metaverse arrives and builds out. For example, in the metaverse, legal jurisdictions and boundaries have no practical definition yet. This is a challenge we collectively worked through on cyber and web activities two decades ago, and now we get to do it all over again. 

The Foundations of Secure Metaverse 

Very few people like overreach and overregulation by governments. To avoid having regulators come down on the web3 community like a ton of bricks, we must build security considerations into the metaverse from day one. While we must preserve the user experience within the metaverse, we need to simultaneously protect individuals and businesses while also growing usage. It’s a complex balance, and the time to get started on this is now. 

Consider the fact that the metaverse will be filled with massive troves of data, exchangeable at light speed, and much of it is highly sensitive. Some of it will involve young adults, and even children, as those will be likely early adopters. We must expect that these data will be a target of opportunistic technological and social hacks. The impact on data privacy cannot be underestimated and significant focus must be placed on the tools we have to protect privacy. 

In non-chronological order we must: 

  • Define rights in the metaverse
  • Create and enforce data accountability and data protection responsibilities
  • Create a rating mechanism for age-appropriate access and use
  • Protect against malware
  • Provide awareness of cyber threats
  • Sustain audit capabilities
  • Reinforce identity and validation standards

There is enough depth of subject there to write a book (if not several) on these topics. However, the subject of identity is the most intriguing, so let us dive in. 

Identity and Blockchain Security 

We must consider how people will be able to identify themselves in the metaverse. We must consider how individuals will come to trust and know that the person or business they are interacting with is really who they say they are. Currently, the strongest anticipated solution will rely on blockchain-based mechanisms to verify identity. 

While there are obvious opportunities associated with blockchain implementation, it is notable that vulnerabilities are a possibility. Various non-fungible token (NFT) scams have already been noted, and the decentralized nature of the blockchain brings considerable concern that criminally-gained assets such as tokens, identities and transactions will not be recoverable in absence of authoritative controls,. 

Efforts to implement biometric identification such as fingerprints or facial recognition will also be required. Whatever the ultimate composition of these solutions, they all need to be secure and reliable. 

A New World of Attacks 

Before long, metaverse attackers and bots can and will come from anywhere and they will do so around the clock. Naturally, metaverse networks will have to be secure, but we must enforce security by building continuous awareness into these networks. Along with strong passwords, multi-factor authentication, advanced firewalls, and advanced threat detection technologies, we will need to implement visibility and analysis throughout the fabric of the metaverse to detect anomalies, uncover activities, and maintain experiences for all. Data will have to be encrypted and password-protected whether it is in transit or at rest. 

We will also need to keep watch for phishing, malicious URLs, and similar types of online attacks. Some of these attacks will probably not have a definition yet because they don’t exist yet. In addition to the gallery of hacking, malware, ransomware, and phishing tricks of the trade, entirely new tactics will emerge to focus on the bleeding edge of NFTs, exchanges, and cryptocurrencies. We will need a way to report and distribute the information of how these attacks came to pass. 

Making a Better Metaverse 

What we all love about the internet is the ability to get information, make exchanges, and free speech. What we need from the internet is the assurance that it is all as secure as possible, age appropriate, and that we maintain privacy. As the metaverse arrives and evolves, it will require a balanced approach to ensure the best experience for all. The metaverse must capture holistic, principle-focused protections, including awareness, technological methods, and behavior-modeling. The metaverse is part of our collective futures, but it needs to incorporate what we have learned in the past twenty years to not make the same mistakes. The foundational cybersecurity challenges ahead of us are clear, and we must act on those right now to allow the metaverse to prosper. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn. 

Is the metaverse safe?

An immersive new virtual realm is an exciting undertaking, but without a properly executed security plan, things could go terribly wrong. Read this piece from Ntirety CEO Emil Sayegh, originally published in Forbes, for insights on security concerns with the all-new Metaverse. 

Is the metaverse safe? 

If it isn’t clear by now, it will be soon: the metaverse is coming. While still only a concept, all this talk about virtual worlds, brain chips, tactile interfaces and artificial intelligence (AI) can only mean these technologies will soon come together. Many folks will get wrapped up in this merger of the virtual world with the physical world once the metaverse fully arrives. Unfortunately, anytime new and exciting technologies emerge, cybersecurity is often an afterthought. Cybersecurity will be the Achilles heel of the metaverse. Without a total base-level security build, the entire metaverse will face significant issues that could take years to unravel. 

Welcome to the unsafe metaverse 

The first known mention of a metaverse came about in science fiction back in the 1990s. More recently, Facebook stepped in and transformed itself (and its name) towards a new concept of a personal, customized, and interactive virtual world that it is building while burning $500 billion of market cap in the process.  

Unmute 

By most definitions, however, the metaverse will be a place where physical meets virtual and boundaries between the two become increasingly faint. It will eventually incorporate our world of work, our friendships, where we shop, how we spend our free time, what we eat, how we learn, and countless other applications. The metaverse will have access to our most private information and habits. As people begin to live in these virtual worlds, the metaverse will be able to learn a lot about us, others, and things we would barely consider today.  

If the metaverse is an inevitability, then it is our moral obligation to build one that is safe, private and secure. With the advent of the metaverse, we are going to have to rebuild, redefine and relearn so many things we take for granted in the “real world.” 

What does it mean when you close and lock your front door? Or how about your call screening? How do the security protocols in your life look when you are at home versus how they come in when you are in a public place? How do you know who you are talking to?  The metaverse has so many unknowns that it just cannot possibly be considered safe, by any standards.  

The wild west of the metaverse  

Cue the image of Clint Eastwood for this — at this moment, the metaverse is the wild, wild West. A lawless land that few dare venture into — but just like the old west, some people are ready for the metaverse. Instead of old-fashioned bandits and outlaws, they’re called hackers, scammers and various other names.  

Nefarious types historically gravitate to new technologies in search of opportunities. Already, there are reports of scams in NFT transactions, fraud in Ethereum addresses, and several other types of abuse. Now please remember, all Facebook did was change their name to Meta.      

Where was their plan and commitment to privacy, security or mental health of the users? Crypto, NFTs and smart contracts will undoubtedly be a fundamental part of the metaverse construct. Cyberbullying, doxing, ransom scams and other familiar schemes will also swiftly make their way over to the metaverse and they will be there early. Criminals are attracted to an environment where rules don’t exist, and victims have limited rights. 

One of the biggest risks in the metaverse will be data security and privacy. Before the metaverse, layers of abstraction existed, thanks to the physical world and our carefully balanced engagement through smartphones, computer systems, and apps. In the metaverse, significant engagement will run through artificial and virtual reality systems, creating a nexus point of data that is ripe for targeting. Data collection alone is cause for significant concern, with biometric, behavior, financial, profile information and troves of additional personal information built in.   

Garbage in, garbage out 

If you have been in information technology long enough, you are familiar with the phrase garbage in, garbage out. It’s a bad way of doing things and before we start packing up and moving to the metaverse we must make sure we will be ready for things such as:  

  •       Social engineering. As we’ve seen in corporate and individual scenarios, social engineering can lead to a massive loss of data, loss of access, and have financial implications. This is among the primary vectors for data breaches.  
  •     Blockchain security. Blockchain itself is strong on the validation of transactions and data. However, the integration of blockchain is an additional concern that bears scrutiny. For example, with just a bit of misdirection, an infiltrator can stage the interception and ownership of data. The network, identification, validation, and supporting DNS structures are examples of technical elements that must be secured. 
  •     Privacy concerns. The issues that plague us on the web and in databases everywhere will plague us in the virtual world. Data collection, retention, and sharing are just some of the examples that require definition, the establishment of individual rights, and regulation. 
  •       Digital boundaries. Users must maintain their rights of privacy and engagement with others. This matter could be complicated by the fact that there are no countries in the metaverse and no corresponding jurisdictions now. 
  •       Security on data transactions. From purchases to smart contracts, a binding construct will drive the exchange of data. The security of these transactions is critical to the success of the metaverse. Time will tell the extent of how general transactions may be regulated, taxed, and reported. 
  •       Identity of users. We are, in the physical world, what we are. Our being is tangible. One of the things that will have to be determined is what happens when an exact copy of your digital self is created or restored from a backup. If there’s a conflict, what version should continue to exist? What if a corrupted or erroneous copy comes into existence? What if that copy is intentionally modified or unintentionally wiped out?  
  •       Identity of others. Metaverse existence begins with avatars, a visual and perhaps audio-based representation of whatever that opposing creator put together. That user’s identity is questionable until you can confirm who they are in some real-world way that you trust. What about the inevitable presence of bots as we saw in the “meme stock” sagas? Are they friendly bots? Will you even know when you are engaging one? 

Concerns unchecked 

Let us not spoil what the metaverse can be by leaving these security and privacy concerns unchecked. Let us minimize, and hopefully avoid, the deafening noise and infiltration of non-human influence found on social media channels and online forums. The best metaverse is a genuine metaverse forum for humans void of bots and hackers.   

The metaverse is a concept that is launching lots of discussions and it is a likely part of our collective futures, but it needs to be a force for good. For now, the concept is vague, but the cybersecurity challenges ahead of us are clear, and we can act on those right now. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn.