Most Cyberattacks Are Phishing Related, Not Sophisticated Technical Attacks
from the so-why-do-we-need-information-sharing? dept
To hear politicians and the media talk about things, “cybersecurity” threats are some sort of existential threat that can only be stopped by giving the government more information and more control over our data. There is, of course, little to actually support that notion. And two new studies show that (as has been the case for decades) the real threats come not from super sophisticated hacking technology and tools, but from end users being fallible and IT folks not doing a very good job of locking doors (hat tip: WarOnPrivacy):
But two deeply researched reports being released this week underscore the less-heralded truth: the vast majority of hacking attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws, or technicians do not configure systems properly.
In fact, the real problem tends to be that people are still easily fooled by phishing emails:
In the best-known annual study of data breaches, a report from Verizon Communications Inc to be released on Wednesday found that more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing, the security industry’s term for trick emails.
Because so many people click on tainted links or attachments, sending phishing emails to just 10 employees will get hackers inside corporate gates 90 percent of the time, Verizon found.
And, then, of course, if the IT staff hasn’t done much to secure things inside the gates, the hackers get the run of the place.
Stopping phishing is definitely a difficult problem, but it’s difficult to see how that’s one that’s solved by giving the NSA more of our data. Of course, none of this should be new or surprising if you spend any time at all in online security realms. “Social engineering” has always been the most effective way to get into systems. But hyping up the fact that people are gullible and can be tricked into giving up their passwords isn’t very sexy and doesn’t get big companies and governments to shovel hundreds of millions of dollars at solutions. Freaking people out about sophisticated technology (that isn’t nearly as effective) being used to launch hack attacks seems much sexier (and profitable).
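A short check on the “10 employees, 90 percent” figure quoted above, added here and not part of the Reuters report or the Verizon study: if each recipient clicks independently with the same probability p (an assumption made only for this derivation; the report gives just the aggregate number), the chance that at least one of n recipients clicks is

$$P(n) = 1 - (1-p)^n.$$

Setting P(10) = 0.9 and solving for p:

$$(1-p)^{10} = 0.1 \quad\Rightarrow\quad p = 1 - 0.1^{1/10} = 1 - 10^{-0.1} \approx 1 - 0.794 = 0.206.$$

So the quoted figure is consistent with roughly one recipient in five clicking. Turned around, the number of recipients an attacker needs to reach a target probability q is

$$n \ge \frac{\ln(1-q)}{\ln(1-p)},$$

which with p = 0.206 gives n ≈ 10 for q = 0.9 and n ≈ 20 for q = 0.99: doubling the mailing list takes the attacker from nine chances in ten to ninety-nine in a hundred, which is why “just don’t click” training alone never closes the gap.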
Filed Under: cyberattacks, information sharing, phishing, studies, technical attacks
Comments on “Most Cyberattacks Are Phishing Related, Not Sophisticated Technical Attacks”
The biggest threat to IT Security is not the hacker getting through the firewall/IDS/etc. directly. It’s the user with admin rights on the receiving end of an email.
Re: Re:
“It’s the user with admin rights on the receiving end of an email.”
You mean it’s members of the IT department itself?
Re: Re: Re:
Not even in my IT dept does everybody have admin rights. Only where needed, and they are trained on IT Sec.
Also, putting the blame on people instead of technology is not going to get you many sympathy [i.e. political] points.
Re: Re:
The truth seldom does, though.
Wetware is usually the weaker link . . .
Social engineering (i.e. phishing) has always been the most reliable way for serious intrusion artists to enter systems without authorization.
Heck, they even made three movies involving an Ocean about it with that Clooney guy involved. (Or was it 4?)
Why hack serious encryption when you can get it more easily by socially engineering the intrusion?
Because..
Honesty is the USG’s policy? Who, I would like to point out, are the only ones pulling off tech-based attacks... Simply because they’ve physically hijacked the lines that carry the data.
The NSA/FBI will continue to use FUD tactics and deception to gain more powers because it’s effective. Most politicians think technology is mystical voodoo arts and the general public doesn’t really care how this stuff works so long as they can social their media.
Today seems appropriate to apply the following quote:
“Fuck it, fight it, it’s all the same.” – Bradley
Re: Because..
bread and circuses to distract the masses
And the three “cybersecurity” bills in Congress prove it -_-
Ease of Phishing
The underlying problem with phishing attacks is that many legitimate emails will arrive with attachments in one’s corporate email over the course of a week. Some may be from people who are outside the company.
While my position is one where almost all my company email is internal and the few outsiders are well, many sales and technical support people deal with outsiders mostly. Many of these outsiders may legitimately need to send an attachment.
Re: Ease of Phishing
I’d disagree. The underlying problem is your average computer user is an ignorant sluggard (and I mean that in the nicest way 🙂 who only barely knows how to use the tools they’re given. There are technical people who use a spreadsheet program (i.e. Excel) to create what is little more than a list of items, when simple text in an editor would do. I’ve watched accountants transcribe numbers from a spreadsheet program into desktop calculators to sum a column. There are Sun Certified “engineers” who can’t list the contents of a directory.
I know, people just want to get stuff done. They don’t want to learn how computers work. They just want to use them. Well, think of all those carpenters out there building houses. How far can they get without knowing how to use a hammer, or what materials to use in any given situation.
For all those mere users out there, I’m sorry we haven’t yet invented the DWIM (Do What I Mean) key. Please bear with us.
Or, maybe don’t use computer operating systems and software which were implemented so stupidly that things like this become a problem.
Re: Re: Ease of Phishing
I know a musician that worked with Excel so much in his day job that he once decided to make a flyer for his band using Excel.
Re: Ease of Phishing
I put the blame squarely on IT for phishing emails that make it in.
Looking at spam stuck in the list is boring, and no admin wants that kind of grunt work.
The reality is that having human eyes at that level to spot those emails before they make it to the end user is a very good line of defense against phishing. We are the ones that understand the impact if that email makes it to an end user that clicks that link because they haven’t had their coffee, or if they are mad because their wife didn’t blow them last night, so they are gonna click it to make someone else have a rotten day, or if the person just truly thinks it’s a legit link/attachment.
We have the ability, knowledge, and expertise to stop those, and we choose not to because we justify it being a task that is beneath us.
I agree things should be as automated as possible; however, there are certain places where it just makes more sense to take 15 min out of the day to protect what could potentially be millions of dollars in losses to the company.
Re: Re: Ease of Phishing
The problem there is scale. The processing has to be automated because there is no other way to deal with the vast quantities of mail involved.
Re: Re: Re: Ease of Phishing
I’m just going to agree to disagree with you on this.
Yes, you can automate, however, you can’t just blindly automate spam filtering without having decent, human eyes at the right spots…no matter what the volume.
I come across at least 5-8 zero-day exploit emails a day (that we properly forward to several security vendors). I can’t count the number of times that I will read about 2 days later that some huge company got hammered for millions of dollars in damages because that same thing I visually spotted made it past all the “automated” filtering.
If you can get your automated systems to filter out even down to a few thousand that someone had to eyeball, it is more than worth the time spent.
It’s just ‘too boring’ and ‘completely beneath’ the sysadmins to do... when in reality it takes just a few minutes to make damn sure everything making it to the end user is legit.
I mean, even rich people have more than just a security camera to protect their home (heck even some have body guards). Why would you do anything less for email (esp since the risk for getting attacked by a rabid fan is way less for most of us than a sales associate getting a phishing email).
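The “filter down to a few thousand that someone eyeballs” approach argued for in the comments above, as an added example that is not code from the article or from any commenter: a small Python triage script that scores quarantined messages on common phishing indicators (a display name that impersonates an internal address, a Reply-To domain that differs from the From domain, lure wording in the subject, risky attachment types, and link text that shows one host while the href points at another) so the human reviewer sees the most suspicious messages first. The internal domain, the extension list, the weights and the three sample messages are constructed assumptions for the example, and the anchor regex is a simplification of what a real tool would do with a proper HTML parser.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain, the attachment
# types treated as risky, and the weights below. Tune all of them to your mail.
INTERNAL_DOMAINS = {"example.com"}
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".hta", ".docm", ".xlsm", ".zip")
LURE_WORDS = ("urgent", "verify", "password", "suspended", "invoice")
# Simplified anchor extraction; a production tool would use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(text):
    """Lower-cased host of an http(s) URL, or '' when the text is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", text.strip(), re.I)
    return m.group(1).lower() if m else ""


def base_domain(host):
    """Last two labels of a host name; crude, but enough to spot a mismatch."""
    return ".".join(host.split(".")[-2:])


def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message; higher is more suspicious."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()

    # Display name shows an internal address while the real sender is external.
    if any(d in display.lower() for d in INTERNAL_DOMAINS) and from_dom not in INTERNAL_DOMAINS:
        score += 3
        reasons.append("display name impersonates an internal address")
    # Replies would be routed somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        score += 2
        reasons.append("Reply-To domain differs from From domain")
    if any(w in msg.get("Subject", "").lower() for w in LURE_WORDS):
        score += 1
        reasons.append("lure wording in subject")

    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            score += 2
            reasons.append(f"risky attachment {name}")
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
            for href, anchor in ANCHOR_RE.findall(html):
                shown, real = host_of(re.sub(r"<[^>]+>", "", anchor)), host_of(href)
                # Anchor text displays one site while the link leads to another.
                if shown and real and base_domain(shown) != base_domain(real):
                    score += 3
                    reasons.append(f"link shows {shown} but goes to {real}")
    return score, reasons


def triage(messages):
    """Order a batch of quarantined messages most-suspicious first."""
    rows = [(*score_message(m), message_from_string(m).get("Subject", "")) for m in messages]
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed sample messages; the addresses and hosts are made up for this example.
PHISH = """\
From: "it-support@example.com" <helpdesk@mail-secure-login.net>
Reply-To: recover@webmail-recovery.org
Subject: URGENT: verify your password today
Content-Type: text/html; charset="utf-8"

<p>Your mailbox is suspended. <a href="http://mail-secure-login.net/x">https://webmail.example.com</a></p>
"""
MACRO = """\
From: Accounts <accounts@supplier-corp.com>
Reply-To: accounts@supplier-corp.co
Subject: Invoice 4471 attached
Content-Type: application/octet-stream; name="invoice_4471.docm"
Content-Disposition: attachment; filename="invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBBQA
"""
LEGIT = """\
From: Bob Vendor <bob@supplier-corp.com>
Subject: Q2 price list

Hi Alice, the price list we discussed is on the shared drive.
"""

if __name__ == "__main__":
    for score, reasons, subject in triage([LEGIT, MACRO, PHISH]):
        print(f"{score:2d}  {subject}  ({', '.join(reasons) or 'no indicators'})")
```

Run as a script it prints the ranked batch. In practice the messages would be read from the quarantine rather than from inline strings, and a threshold on the score would decide what a reviewer must open versus what can be released or dropped automatically; the point of the scoring is to spend the reviewer's fifteen minutes on the handful of messages that combine several indicators, not on the whole queue.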
The government sees itself as infallible, to the point that they harass and jail anyone who exposes them as fallible.
Irony
Government officials spreading FUD about hacking to get the public to give the government access to their private information is in and of itself a massive attempt at socially engineering their way in.