Most Cyberattacks Are Phishing Related, Not Sophisticated Technical Attacks
from the so-why-do-we-need-information-sharing? dept
To hear politicians and the media talk about things, “cybersecurity” threats are some sort of existential threat that can only be stopped by giving the government more information and more control over our data. There is, of course, little to actually support that notion. And two new studies show that (as has been the case for decades) the real threats come not from super-sophisticated hacking technology and tools, but from the fact that end users are fallible and IT folks don’t do a very good job of locking the doors (hat tip: WarOnPrivacy):
But two deeply researched reports being released this week underscore the less-heralded truth: the vast majority of hacking attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws, or technicians do not configure systems properly.
In fact, the real problem tends to be that people are still easily fooled by phishing emails:
In the best-known annual study of data breaches, a report from Verizon Communications Inc to be released on Wednesday found that more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing, the security industry’s term for trick emails.
Because so many people click on tainted links or attachments, sending phishing emails to just 10 employees will get hackers inside corporate gates 90 percent of the time, Verizon found.
And, then, of course, if the IT staff hasn’t done much to secure things inside the gates, the hackers get the run of the place.
Stopping phishing is definitely a difficult problem, but it’s hard to see how it’s one that gets solved by giving the NSA more of our data. Of course, none of this should be new or surprising if you spend any time at all in online security circles. “Social engineering” has always been the most effective way to get into systems. But hyping up the fact that people are gullible and can be tricked into giving up their passwords isn’t very sexy and doesn’t get big companies and governments to shovel hundreds of millions of dollars at solutions. Freaking people out about sophisticated technology (that isn’t nearly as effective) being used to launch hack attacks seems much sexier (and more profitable).