It’s no surprise that we humans are our own worst enemy when it comes to security. We tend to be lazy, complacent, and far too confident in our defenses. We don’t keep our software patched, our curiosity causes us to open dangerous attachments or click on dangerous links, we use poor passwords, and we’re often too eager to be helpful to the social engineer on the other end of the phone. Here is the link to a great write-up on how human nature helps the cyber criminal.

One of the important takeaways from the story is that the vast majority of exploits target security holes in software that have been around for months or years. According to the article, “the top 10 known vulnerabilities accounted for 85 percent of successful exploits.” The vulnerabilities are well known, yet for whatever reason nothing has been done to patch them. 63% of data breaches involve weak or stolen passwords.

Phishing attacks are also on the rise and are succeeding because of the things people do – like clicking on attachments or links in suspicious emails. Many of these phishing emails are well crafted and thought out. They can convince employees that a manager within their organization is requesting data when it is really a spoofed email from an attacker outside the organization. In one case a community college employee was tricked into emailing sensitive employee data to a criminal. The data was gone as soon as the email was sent.

When these attacks are successful, the compromise happens quickly (93% within minutes of the breach). Detection, however, is much slower – 83% of breaches weren’t discovered for weeks or months afterward. In cases where network penetration occurs, the data is gone within minutes in 28% of the cases. There are often three prongs to the modern attack:
1. Send phishing email with malware or link to malicious website
2. Install malware on target computer
3. Elevate privileges and access more data or use the site as a jumping off point for attacks on yet more sites.
The defenses are basically the same as they have always been – train your employees not to do dumb things (good luck with that), use two-factor authentication, keep your software patched and up to date, back up your data, monitor your network and look for users who don’t belong or who exceed their authorized access levels, and encrypt your important data. Whether at work or at home, be vigilant. Good security practices pay for themselves.