Most Cyberattacks Are Phishing Related, Not Sophisticated Technical Attacks

from the so-why-do-we-need-information-sharing? dept

To hear politicians and the media talk about things, "cybersecurity" threats are some sort of existential threat that can only be stopped by giving the government more information and more control over our data. There is, of course, little to actually support that notion. And two new studies show that (as has been the case for decades) the real threats come not from super sophisticated hacking technology and tools, but from the fact that end users are fallible and IT folks don't do a very good job locking doors (hat tip: WarOnPrivacy):
But two deeply researched reports being released this week underscore the less-heralded truth: the vast majority of hacking attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws, or technicians do not configure systems properly.
In fact, the real problem tends to be that people are still easily fooled by phishing emails:
In the best-known annual study of data breaches, a report from Verizon Communications Inc to be released on Wednesday found that more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing, the security industry's term for trick emails.

Because so many people click on tainted links or attachments, sending phishing emails to just 10 employees will get hackers inside corporate gates 90 percent of the time, Verizon found.
And, then, of course, if the IT staff hasn't done much to secure things inside the gates, the hackers get the run of the place.

Stopping phishing is definitely a difficult problem, but it's hard to see how it's one that gets solved by giving the NSA more of our data. Of course, none of this should be new or surprising if you spend any time at all in online security realms. "Social engineering" has always been the most effective way to get into systems. But hyping up the fact that people are gullible and can be tricked into giving up their passwords isn't very sexy and doesn't get big companies and governments to shovel hundreds of millions of dollars at solutions. Freaking people out about sophisticated technology (that isn't nearly as effective) being used to launch hack attacks seems much sexier (and more profitable).

Filed Under: cyberattacks, information sharing, phishing, studies, technical attacks


Reader Comments

  • Baron von Robber, 20 Apr 2015 @ 2:37pm

    The biggest threat to IT Security is not the hacker getting thru the firewall/IDS/etc directly. It's the user with admin rights on the receiving end of an email.

    • Anonymous Coward, 20 Apr 2015 @ 5:49pm

      Re:

      "It's the user with admin rights on the receiving end of an email."

      You mean it's members of the IT department itself?

      • Baron von Robber, 21 Apr 2015 @ 9:10am

        Re: Re:

        Not even in my IT dept does everybody have admin rights. Only where needed and they are trained on IT Sec.

  • Anonymous Coward, 20 Apr 2015 @ 2:48pm

    Also, putting the blame on people instead of technology is not going to get you many sympathy [i.e. political] points.

  • John William Nelson, 20 Apr 2015 @ 3:28pm

    Wetware is usually the weaker link . . .

    Social engineering (i.e. phishing) has always been the most reliable way for serious intrusion artists to enter systems without authorization.

    Heck, they even made three movies involving an Ocean about it with that Clooney guy involved. (Or was it 4?)

    Why hack serious encryption when you can get it more easily by socially engineering the intrusion?

  • Anonymous Coward, 20 Apr 2015 @ 4:00pm

    Because..

    Honesty is the USG's policy? Who I would like to point out are the only ones pulling off tech based attacks.. Simply because they've physically hijacked the lines that carry the data.

    The NSA/FBI will continue to use FUD tactics and deception to gain more powers because it's effective. Most politicians think technology is mystical voodoo arts and the general public doesn't really care how this stuff works so long as they can social their media.

    Today seems appropriate to apply the following quote:

    "Fuck it, fight it, it's all the same." - Bradley

  • Anonymous Coward, 20 Apr 2015 @ 5:49pm

    And the three "cybersecurity" bills in Congress prove it -_-

  • madasahatter, 20 Apr 2015 @ 6:25pm

    Ease of Phishing

    The underlying problem with phishing attacks is that many legitimate emails will arrive with attachments in one's corporate email over the course of a week. Some may be from people who are outside the company.

    While my position is one where almost all my company email is internal and the few outsiders are well, many sales and technical support people deal with outsiders mostly. Many of these outsiders may legitimately need to send an attachment.

    • tqk, 21 Apr 2015 @ 8:24am

      Re: Ease of Phishing

      I'd disagree. The underlying problem is your average computer user is an ignorant sluggard (and I mean that in the nicest way :-) who only barely knows how to use the tools they're given. There are technical people who use a spreadsheet program (ie. Excel) to create what is little more than a list of items, when simple text in an editor would do. I've watched accountants transcribe numbers from a spreadsheet program into desktop calculators to sum a column. There's Sun Certified "engineers" who can't list the contents of a directory.

      I know, people just want to get stuff done. They don't want to learn how computers work. They just want to use them. Well, think of all those carpenters out there building houses. How far can they get without knowing how to use a hammer, or what materials to use in any given situation.

      For all those mere users out there, I'm sorry we haven't yet invented the DWIM (Do What I Mean) key. Please bear with us.

      Or, maybe don't use computer operating systems and software which were implemented so stupidly that things like this become a problem.

      • Anonymous Coward, 21 Apr 2015 @ 8:38am

        Re: Re: Ease of Phishing

        I know a musician that worked with Excel so much in his day job that he once decided to make a flyer for his band using Excel.

    • Anonymous Coward, 21 Apr 2015 @ 8:26am

      Re: Ease of Phishing

      I put the blame squarely on IT for phishing emails that make it in.

      Looking at spam stuck in the list is boring, and no admin wants that kind of grunt work.

      The reality is that having human eyes at that level to spot those emails before they make it to the end user is a very good line of defense against phishing. We are the ones that understand the impact if that email makes it to an end user that clicks that link because they haven't had their coffee, or if they are mad because their wife didn't blow them last night, so they are gonna click it to make someone else have a rotten day, or if the person just truly thinks it's a legit link/attachment.

      We have the ability, knowledge, and expertise to stop those, and we choose not to because we justify it being a task that is beneath us.

      I agree things should be as automated as possible, however, there are certain places that it just makes more sense to take 15 min out of the day to protect what could potentially be millions of dollars in losses to the company.

      • Anonymous Coward, 21 Apr 2015 @ 8:43am

        Re: Re: Ease of Phishing

        The problem there is scale. The processing has to be automated because there is no other way to deal with the vast quantities of mail involved.

        • Anonymous Coward, 21 Apr 2015 @ 2:38pm

          Re: Re: Re: Ease of Phishing

          I'm just going to agree to disagree with you on this.

          Yes, you can automate, however, you can't just blindly automate spam filtering without having decent, human eyes at the right spots...no matter what the volume.

          I come across at least 5-8 zero day exploit emails a day (that we properly forward to several security vendors). I can't count the number of times that I will read about 2 days later some huge company got hammered for millions of dollars in damages because that same thing I visually spotted made it past all the "automated" filtering.

          If you can get your automated systems to filter out even down to a few thousand that someone had to eyeball, it is more than worth the time spent.

          It's just 'too boring' and 'completely beneath' the sysadmins to do...when in reality just a few minutes of time to just make damn sure everything making it to the end user is legit.

          I mean, even rich people have more than just a security camera to protect their home (heck even some have body guards). Why would you do anything less for email (esp since the risk for getting attacked by a rabid fan is way less for most of us than a sales associate getting a phishing email).

  • Padpaw, 20 Apr 2015 @ 6:45pm

    The government sees itself as infallible to the point they harass and jail anyone that exposes them being fallible

  • Anonymous Coward, 21 Apr 2015 @ 8:00am

    Irony

    Government officials spreading FUD about hacking to get the public to give the government access to their private information is in and of itself a massive attempt at socially engineering their way in.
