Verizon recently released its 2016 Data Breach Report, which has helped the security community manage risk and avoid security incidents since 2008. The report contains data on almost every aspect of the current cyber security risk landscape. That said, I was most intrigued by the findings on phishing attacks, a form of social engineering that exploits an organization’s greatest risk – humans.
The motivation behind phishing attacks is no different from that of any other information security incident. Generally, attackers try to trick the targeted user into entering credentials on a pharming website, a site that looks and feels like the genuine website of a bank, enterprise application, or similar service. Another common tactic is persuading the targeted user to open an attached file containing malware, which gives the attacker access to the machine and, by extension, to whatever network it connects to. These attacks are troubling because they let an attacker simply bypass many of the technical controls an organization may have in place.
The Data Breach Report has included metrics on phishing cases for years; this year it states that 30% of users open phishing emails. While opening an email may not be harmful in itself, 13% of users go on to click the malicious attachment or navigate to the phony website where credentials are collected. These numbers are somewhat higher than last year's, which reported a 23% open rate and an 11% click-through rate on attachments. Also worth noting is how quickly this happens: the report states that it often takes less than five minutes for a targeted user to click the attachment or link.
Social engineering attacks, phishing specifically, are on the rise because they are much easier to execute than technical attacks against an organization’s vulnerable assets. Phishing lets an attacker compromise a network with far less effort, and often in far less time, than would normally be required.
The good news is that phishing attacks can be defeated in multiple ways. First, two-factor authentication would nearly eliminate the risk associated with credential theft: even if an attacker acquired an employee’s primary credentials, they would still lack the required second factor. Second, and probably the most direct way to reduce human risk, is a mature security awareness program. While awareness and training programs have received more attention lately, many organizations still do not take them seriously. Without training your employees against simple, human-targeted attacks like phishing, they cannot be expected to protect your critical assets and data when they become the targets.
Curious how your organization stacks up? CyberSheath can help. Click below to download our data sheet on information security assessments to learn how you can improve your security posture.