Some things never change
“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.”
— Kevin Mitnick
The quote above, by a famous hacker, has withstood the test of time. Years ago, I attended a security conference where Kevin Mitnick was the keynote speaker. After his presentation, he held a Q&A session in which he was asked where he gained his programming skills and what specific technology he used to attack his victims.
His answer was very simplistic: “I call people on the phone, gain their trust and then ask very simple questions like what is your username and password.” That doesn’t sound very technical, but, unfortunately, it worked most of the time.
Fortunately, for me, one of the companies he hacked was the company I would end up working for and, as a direct result of his attack, I got into the security field.
Since this is nothing new, you may ask why I’m writing yet another article on this subject. It’s because these types of attacks continue to be successful. The phone call has mostly been replaced with the targeted email, since that is how we mainly communicate, but I’ve certainly seen an uptick in SMS/text-message attacks.
Not to be all gloom and doom, but thanks to advances in technology and security solutions, we are getting much better at not only detecting but also blocking most forms of phishing attacks that ask our users to click a link or open an attachment carrying malware or ransomware. Many organizations are either in the process of adopting multifactor authentication or have already deployed it, and many in my field consider it the number one technology we can use to thwart the vast majority of these attacks.
This statement may somewhat contradict what you’ve read in the news or security blogs. Yes, the number of attacks has risen dramatically over the past years, but we’re able to block more of these types of attacks with the latest technology, and our users are getting better at identifying potential issues. You’ve probably heard this statement before, however: the hackers only need to get it right once; we need to get it right every time.
The hackers will change their methods. Primarily, these attacks succeed when users are fooled by a phishing attempt. In fact, 95% of all security breaches are caused by human error. The fake emails, made to look like they come from legitimate sources, prompt users to enter their usernames and passwords. Once the hacker has this information, they can wreak havoc on a network: locking down files and folders, accessing online accounts or accessing bank accounts.
Another thing all organizations can do is implement frequent security awareness training. Simply keeping cybersecurity at the forefront of your users’ minds is enough to stop a majority of cyber threats. Users are far more likely to be critical of a suspicious email if they’ve just received training that teaches them what to watch out for.
The bottom line is: Schedule frequent security awareness training and implement multifactor authentication where available.