ETS - Erb's Technology Solutions, Connecting People with Technology

Cybersecurity’s Weakest Link: Humans

July 31, 2018

The most common threat to a company’s digital security is phishing. Three-quarters of organizations experienced phishing attacks in 2017.

What is a Phishing Attack?

A phishing attack shares its name (though not its spelling) with fishing for one simple reason: something attractive is dangled in front of a target to see who will bite, and the bait turns out not to be what it seemed.

A phishing attack is a scam, typically carried out through a fraudulent email. The email promises a desirable service or product, or warns of a problem, in exchange for some action on the recipient's part: supplying a bank account number or Social Security number, or simply clicking a link embedded in the message. These attacks were made famous by the messages claiming that a Nigerian prince wanted to bestow millions of dollars on the recipient, who only needed to provide a bank account number for the wire transfer. Phishing scams have evolved greatly since those early days, but the idea remains the same: obtain confidential information or gain a foothold on an organization's internal network (Indiana University, 2017).

Attacking the Weakest Link

Apart from the few criminals who attack heavily protected network infrastructure purely to test their skills, most go after the weakest link in an organization's security. Punching holes through one defensive layer after another is slow and difficult even for talented attackers, so they target people instead. An employee's email address is easy to obtain: scrolling through a company website for contact information often provides it, and basic reconnaissance (search engines, social networks, email-harvesting tools, old breach dumps) can turn up the addresses of most of the people working at the company. Sending messages to those addresses takes no special talent. The messages themselves can be outsourced or produced with a phishing kit, which makes it easy to churn out emails that are near-identical copies of real corporate communications. All the criminal needs to do is get the message past the spam filter. Once it is in the inbox, all that is required is for the employee to open it and follow the embedded link, which may hand the attacker credentials or an open door into the network.

In 2017 KnowBe4 released its top 10 global phishing email subject lines, and the results emphasized that human error continues to be an organization's weakest link. Users most often click business-related subject lines ("Security Alert" ranked highest at 21 per cent), but they also click with alarming frequency on subject lines that are unrelated to work and show obvious red flags. Many users appear to suffer from "information overload" in email, which makes them less likely to scrutinize phishing messages as they should.

According to Osterman Research, email has been the number one network infection vector since 2014. The attackers see it as an effective method because it gives them more control than simply placing traps on the web in the hope that people might stumble across them. Attackers will instead craft and distribute enticing material using both random and targeted means. Using this approach gives the cybercriminals greater control in targeting potential victims, leveraging multiple psychological triggers and engaging in what amounts to a continuous maturity cycle.

The Top 10 Global Most-Clicked Phishing Email Subject Lines for Q2 2017 were:

  1. Security Alert – 21%
  2. Revised Vacation & Sick Time Policy – 14%
  3. UPS Label Delivery 1ZBE312TNY00015011 – 10%
  4. BREAKING: United Airlines Passenger Dies from Brain Hemorrhage – VIDEO – 10%
  5. A Delivery Attempt was made – 10%
  6. All Employees: Update your Healthcare Info – 9%
  7. Change of Password Required Immediately – 8%
  8. Password Check Required Immediately – 7%
  9. Unusual sign-in activity – 6%
  10. Urgent Action Required – 6%

Multi-layered defense

The subject lines in the top ten made it through all the corporate filters and into employees' inboxes, which points to an acute need for a multi-layered defense, since each layer is effective against some messages and blind to others. A well-written phishing email will sail through every technical control by finding the weak point of each, and then play on the human urge to receive something unexpected or to intervene before something is taken away. Quite simply, people are the last line of defense; they are an essential element of organizational security and need to be trained as such.

Businesses also need to be wary of the social media notifications sent to their users, because these are potential landmines for corporate networks. In KnowBe4's top 10 global social networking subject lines, four of the ten spots (together 44 per cent of clicks) were LinkedIn messages, and users often tie LinkedIn accounts to their work email addresses.

How do phishing attacks occur?

An organization's email addresses are usually easy for criminals to find, and with them they can launch phishing, or targeted spear-phishing, attacks that are very difficult to defend against unless users have had effective security awareness training. Here is what usually happens: criminals send phishing emails, an unsuspecting employee clicks a link or opens an attachment, and their PC is infected with malware. The malware records the victim's keystrokes, harvesting credentials that let the attackers move through the network and reach highly sensitive information.

Spoofing

Spoofed emails can enter an organization disguised as coming from the company's own domain. Spoofing is one of the most common security issues because email authentication for the company's domain (the SPF, DKIM and DMARC records that let receiving mail servers reject forged senders) is frequently set up incorrectly or left in monitoring-only mode, allowing a criminal to impersonate an employee or a key executive and making the company an easy target. A typical scenario is a spoofed email that appears to come from "IT" and asks an employee to update their email account credentials. The untrained employee duly obliges, thinking they are merely complying with a request, unaware of the consequences that may follow, including a ransomware attack in which every computer on the company network is hijacked.
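The check a receiving mail server performs to catch this kind of spoof, as an added example that is not ETS code: given the Authentication-Results header the server stamps on a message, it decides whether the visible From: domain is actually backed by an SPF or DKIM result for the same organizational domain, which is what DMARC alignment means. The two sample messages, the domains and the DMARC records are constructed for illustration, and the organizational-domain rule is a simplification noted in the code.

```python
"""Added example (not ETS code): decide whether a message's visible From:
domain is actually backed by SPF/DKIM, the way DMARC alignment works.
All headers, domains and records below are constructed for illustration."""
import email
import email.utils
import re
from email import policy

# Constructed spoof of the company's own domain: the receiving MTA recorded
# an SPF pass, but only for the attacker's envelope sender domain, and there
# is no DKIM signature for example.com at all.
SPOOFED_RAW = b"""Return-Path: <bounce@mailer-abc.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer-abc.example.net; dkim=none
From: "IT Helpdesk" <it@example.com>
To: employee@example.com
Subject: Change of Password Required Immediately

Your mailbox password expires today. Update it here: http://example-com-login.example.net/
"""

# Constructed legitimate message: envelope domain and DKIM signing domain both
# match the From: domain.
LEGIT_RAW = b"""Return-Path: <it@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "IT Helpdesk" <it@example.com>
To: employee@example.com
Subject: Scheduled maintenance this weekend

The mail server will be patched Saturday 02:00-04:00.
"""


def header_domain(addr_header):
    """Domain part of the first address in an RFC 5322 address header."""
    _, addr = email.utils.parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Extract {method: (result, domain)} from an Authentication-Results
    header (RFC 8601). Only spf and dkim matter for DMARC alignment."""
    results = {}
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"(spf|dkim)=(\w+)(?:\s+(?:smtp\.mailfrom|header\.d)=(\S+))?",
                     clause.strip())
        if m:
            method, result, domain = m.groups()
            results[method] = (result.lower(), (domain or "").lower())
    return results


def organizational_domain(domain):
    """Assumption: the organizational domain is the last two labels. A real
    implementation consults the public suffix list (co.uk and the like)."""
    return ".".join(domain.split(".")[-2:])


def dmarc_evaluate(raw, strict=False):
    """Return per-method alignment results and the overall DMARC verdict.
    The MTA's Authentication-Results header is trusted here; a real receiver
    verifies SPF and DKIM itself rather than trusting a header it did not add."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = header_domain(msg["From"])
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))

    def aligned(domain):
        if not domain:
            return False
        if strict:
            return domain == from_dom
        return organizational_domain(domain) == organizational_domain(from_dom)

    spf_result, spf_dom = auth.get("spf", ("none", ""))
    dkim_result, dkim_dom = auth.get("dkim", ("none", ""))
    spf_ok = spf_result == "pass" and aligned(spf_dom)
    dkim_ok = dkim_result == "pass" and aligned(dkim_dom)
    return {
        "from_domain": from_dom,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
    }


def dmarc_policy(txt_record):
    """Return the p= tag of a _dmarc TXT record, or 'none' if it is missing or
    malformed. p=none only asks for reports; quarantine or reject is what
    actually stops spoofed mail at receivers that honour DMARC."""
    tags = {}
    for kv in txt_record.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return "none"
    return tags.get("p", "none").lower()


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(label, dmarc_evaluate(raw))
    print("weak record:", dmarc_policy("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print("hardened   :", dmarc_policy("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```

Running the block shows the spoof failing (SPF passed, but for the attacker's domain, and there is no DKIM signature for example.com) while the legitimate message passes. The dmarc_policy helper illustrates the other half of the problem: a domain whose DMARC record says p=none is only asking for reports, so receivers still deliver mail that fails the check; moving to p=quarantine or p=reject is what turns the record into an actual control.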

Instilling a security conscious culture

Ransomware is on the increase; just think of the hefty casualty lists of WannaCry and Petya. It is slowly dawning on IT managers and executives that traditional, old-school security techniques will not cut it against today's sophisticated criminals. Training employees to make better security decisions mitigates the risk of social engineering and should be part of the outer layer of defense, alongside the organization's other policies and procedures.

Key decision makers within organizations must proactively take the following steps to be better prepared for phishing and ransomware attacks and to deal with them more effectively:

  1. Take time to better understand the risks you face
  2. Develop and implement adequate policies
  3. Ensure that systems are kept up-to-date
  4. Ensure there are good and recent backups in place, and test that they can be restored
  5. Deploy anti-phishing and anti-ransomware solutions
  6. Implement best practices for user behavior, including simulated phishing tests
  7. Use robust threat intelligence

There is no doubt about the very real threat and the enormous damage potential that phishing and ransomware pose to an organization's finances, data assets and reputation. The harm ranges from disruption to employees and the IT department, to violations of industry and government regulations and the resulting lawsuits that, in extreme cases, could put an organization out of business. There are steps that can be taken to reduce both the chances of a breach and the consequences that follow from one, and there is no better time to start than now.

ETS can help with all of this. If you are curious about your security posture, or would simply like an assessment of your environment or employee training, let us know.