Most Cyberattacks Are Phishing Related, Not Sophisticated Technical Attacks
from the so-why-do-we-need-information-sharing? dept
To hear politicians and the media talk about things, "cybersecurity" threats are some sort of existential threat that can only be stopped by giving the government more information and more control over our data. There is, of course, little to actually support that notion. And, two new studies show that (as has been the case for decades), the real threats are not because of super sophisticated technology and tools for hacking, but rather because end users are fallible and IT folks don't do a very good job locking doors (hat tip: WarOnPrivacy):But two deeply researched reports being released this week underscore the less-heralded truth: the vast majority of hacking attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws, or technicians do not configure systems properly.In fact, the real problem tends to be that people are still easily fooled by phishing emails:
In the best-known annual study of data breaches, a report from Verizon Communications Inc to be released on Wednesday found that more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing, the security industry's term for trick emails.And, then, of course, if the IT staff hasn't done much to secure things inside the gates, the hackers get the run of the place.
Because so many people click on tainted links or attachments, sending phishing emails to just 10 employees will get hackers inside corporate gates 90 percent of the time, Verizon found.
Stopping phishing is definitely a difficult problem, but it's difficult to see how that's one that's solved by giving the NSA more of our data. Of course, none of this should be new or surprising if you spend any time at all in online security realms. "Social engineering" has always been the most effective way to get into systems. But hyping up the fact that people are gullible and can be tricked into giving up their passwords isn't very sexy and doesn't get big companies and governments to shovel hundreds of millions of dollars at solutions. Freaking people out about sophisticated technology (that isn't nearly as effective) being used to launch hack attacks seems much sexier (and profitable).
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cyberattacks, information sharing, phishing, studies, technical attacks
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
[ link to this | view in thread ]
Wetware is usually the weaker link . . .
Heck, they even made three movies involving an Ocean about it with that Clooney guy involved. (Or was it 4?)
Why hack serious encryption when you can get it more easily by socially engineering the intrusion?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Because..
The NSA/FBI will continue to use FUD tactics and deception to gain more powers because it's effective. Most politicians think technology is mystical voodoo arts and the general public doesn't really care how this stuff works so long as they can social their media.
Today seems appropriate to apply the following quote:
"Fuck it, fight it, it's all the same." - Bradley
[ link to this | view in thread ]
Re:
You mean it's members of the IT department itself?
[ link to this | view in thread ]
[ link to this | view in thread ]
Ease of Phishing
While my position is one were almost all my company email is internal and the few outsiders are well, many sales and technical support people deal with outsiders mostly. Many of these outsiders may legitimately need to send an attachment.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Because..
[ link to this | view in thread ]
Irony
[ link to this | view in thread ]
Re: Ease of Phishing
I know, people just want to get stuff done. They don't want to learn how computers work. They just want to use them. Well, think of all those carpenters out there building houses. How far can they get without knowing how to use a hammer, or what materials to use in any given situation.
For all those mere users out there, I'm sorry we haven't yet invented the DWIM (Do What I Mean) key. Please bear with us.
Or, maybe don't use computer operating systems and software which were implemented so stupidly that things like this become a problem.
[ link to this | view in thread ]
Re: Ease of Phishing
Looking at spam stuck in the list is boring, and no admin wants that kind of grunt work.
The reality is that having human eyes at that level to spot those emails before they make it to the end user is a very good line of defense against phishing. We are the ones that understand the impact if that email makes it to an end user that clicks that link because they haven't had their coffee, or if they are mad because their wife didn't blow them last night, so they are gonna click it to make someone else have a rotten day, or if the person just truly thinks it's a legit link/attachment.
We have the ability, knowledge, and expertise to stop those, and we choose not to because we justify it being a task that is beneath us.
I agree things should be as automated as possible, however, there are certain places that it just makes more sense to take 15 min out of the day to protect what could potentially be millions of dollars in loses to the company.
[ link to this | view in thread ]
Re: Re: Ease of Phishing
[ link to this | view in thread ]
Re: Re: Ease of Phishing
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Ease of Phishing
Yes, you can automate, however, you can't just blindly automate spam filtering without having decent, human eyes at the right spots...no matter what the volume.
I come across at least 5-8 zero day exploit emails a day (that we properly forward to several security vendors). I can't count the number of times that I will read about 2 days later some huge company got hammered for millions of dollars in damages because that same thing I visually spotted made it past all the "automated" filtering.
If you can get your automated systems to filter out even down to a few thousand that someone had to eyeball, it is more than worth the time spent.
It's just 'too boring' and 'completely beneath' the sysadmins to do...when in reality just a few minutes of time to just make damn sure everything making it to the end user is legit.
I mean, even rich people have more than just a security camera to protect their home (heck even some have body guards). Why would you do anything less for email (esp since the risk for getting attacked by a rabid fan is way less for most of us than a sales associate getting a phishing email).
[ link to this | view in thread ]