Connect an IoT device like a security camera to the Internet, and someone will start attacking it within seconds. It’s a terrifying prospect, yet law enforcement officials are much more concerned about your trusty old inbox when it comes to security.
Speaking at the Financial Crimes and Cybersecurity Symposium in New York recently, Secretary of Homeland Security Jeh Johnson revealed that the threat his department fears above all others is the seemingly humble phishing email. “The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing,” Johnson said during his speech.
Cybercriminals have been sending phishing emails for nearly 30 years, and there’s no sign of them stopping any time soon. There’s a good reason for that: people keep falling for phishing scams, and many of the biggest hacks you’ve read about had their roots in a phishing email. Clinton campaign chair John Podesta. Colin Powell. The massive hack of Sony Pictures’ network in 2014. JP Morgan. eBay. Target. The OPM hack that netted attackers private information on 21 million employees and contractors. Hundreds of banks around the globe.
The list of victims goes on, and it’s getting longer all the time. In the past, hackers have sought credentials. Now, however, they’re increasingly turning to phishing campaigns as a way to distribute ransomware. Aaron Higbee, CTO of the security firm PhishMe, told me in an email exchange that “more than 97 percent of phishing emails analyzed now contain ransomware.”
Why the dramatic shift? There are many reasons, but the biggest motivator is likely the allure of a massive payday that requires very little effort. A single email sent to a single user with the right access to a company’s servers could lead to terabytes of data being encrypted and held for ransom. Faced with downtime and the potential loss of critical business information, many choose the path of least resistance and pay up.
For the tide to turn, Higbee says that companies need to re-examine where they’re focusing their security efforts. “Relying on next-generation technologies to fix phishing has been an abysmal disaster and failed strategy for over 10 years,” Higbee said. The solution, he and his colleagues at PhishMe believe, is training staff to “accurately identify and report suspicious email.”
Humans can still be fooled, of course, but the right training can go a long way toward protecting a company’s systems. That’s why Homeland Security regularly sends out phishing emails to its own employees. Those who “bite” are directed to a quick online refresher so they don’t fall for the real thing. Secretary Johnson would rather be talking about the threat of phishing than briefing the press on a successful attack that led to a massive system breach.
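As an added example, not part of the original article and not code from the DHS programme it describes, here is the bookkeeping behind an internal phishing simulation of the kind Johnson’s department runs: each employee gets a link carrying a per-recipient token, clicks are recorded, reporters are credited, and the clickers become the refresher-training roster. The employee addresses, the training URL, the HMAC secret and the event log are all constructed for the demo, and the scanner heuristic is an assumption. It goes one step beyond the article: mail security gateways and sandboxes fetch every URL in an inbound message, so a naive tracker would count those pre-fetches as employee clicks and inflate the click rate; the example discards hits that arrive within seconds of sending or from a non-browser user agent.

```python
"""Minimal phishing-simulation tracker (constructed example, not a real product)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed roster for the demo; every address here is made up.
ROSTER = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]

# User-agent fragments typical of automated link scanners. Assumed heuristic,
# not an exhaustive list; tune it against your own gateway's behaviour.
SCANNER_UA_HINTS = ("python-requests", "curl/", "wget/", "bot", "scanner")
SCANNER_GRACE = timedelta(seconds=10)   # clicks faster than this are not a human


@dataclass
class Campaign:
    """One simulated send: who got a link, who clicked, who reported it."""
    secret: bytes                                   # HMAC key, kept server-side
    landing: str = "https://training.example.com/refresher"   # assumed URL
    tokens: dict = field(default_factory=dict)      # token -> recipient
    sent_at: dict = field(default_factory=dict)     # recipient -> send time
    clicked_at: dict = field(default_factory=dict)  # recipient -> first human click
    reported: set = field(default_factory=set)
    scanner_hits: list = field(default_factory=list)

    def token_for(self, recipient: str) -> str:
        # HMAC over the address: unique per recipient, deterministic for this
        # campaign, and not enumerable by anyone who lacks the secret.
        return hmac.new(self.secret, recipient.encode(), hashlib.sha256).hexdigest()[:24]

    def send(self, recipient: str, when: datetime) -> str:
        tok = self.token_for(recipient)
        self.tokens[tok] = recipient
        self.sent_at[recipient] = when
        return f"{self.landing}?t={tok}"

    def handle_click(self, token: str, when: datetime, user_agent: str) -> Optional[str]:
        recipient = self.tokens.get(token)
        if recipient is None:
            return None                             # unknown or forged token: ignore
        ua = user_agent.lower()
        too_fast = when - self.sent_at[recipient] < SCANNER_GRACE
        if too_fast or any(h in ua for h in SCANNER_UA_HINTS):
            self.scanner_hits.append((recipient, when))   # gateway pre-fetch, not a person
            return None
        self.clicked_at.setdefault(recipient, when)       # count the first click only
        return recipient

    def handle_report(self, recipient: str) -> None:
        if recipient in self.sent_at:                     # only people we actually targeted
            self.reported.add(recipient)

    def summary(self) -> dict:
        n = len(self.sent_at)
        return {
            "sent": n,
            "click_rate": len(self.clicked_at) / n if n else 0.0,
            "report_rate": len(self.reported) / n if n else 0.0,
            "enroll_in_refresher": sorted(self.clicked_at),
            "scanner_hits": len(self.scanner_hits),
        }


def run_demo() -> dict:
    """Constructed event log: one gateway scan, one real click, one report, one no-op."""
    t0 = datetime(2016, 11, 29, 9, 0, 0)
    c = Campaign(secret=b"demo-only-secret")   # fixed for the demo; use os.urandom(32) for real
    links = {r: c.send(r, t0) for r in ROSTER}
    tok = lambda r: links[r].split("t=")[1]
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    c.handle_click(tok("bob@example.com"), t0 + timedelta(seconds=2), "python-requests/2.31")
    c.handle_click(tok("alice@example.com"), t0 + timedelta(minutes=7), browser)
    c.handle_click(tok("alice@example.com"), t0 + timedelta(minutes=9), browser)   # repeat click
    c.handle_click("deadbeef", t0 + timedelta(minutes=3), browser)               # forged token
    c.handle_report("carol@example.com")
    return c.summary()


if __name__ == "__main__":
    print(run_demo())
```

The numbers that come out of `summary()` are the ones a programme owner actually wants to watch over time: the click rate should fall and the report rate should rise as the refresher takes hold. Dropping scanner hits matters because a single gateway can otherwise make every recipient look like a clicker on the day of the send.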
Source: SANS ISC SecNewsFeed @ November 29, 2016 at 06:57AM