I was fortunate enough to attend DefCon this year. For those not familiar, it’s the yearly gathering of hackers from across the world to discuss the numerous threats that we face in cyberspace and how much we suck at cyber security. There was one recurrent theme present throughout the talks:
We are so screwed.
Now let me caveat that — we are so screwed IF we continue doing what we’re doing. When I started down my path in the information security field almost a decade ago, I envisioned a career of holding the blockade against the enemy while being well-funded and provided the tools necessary to always be one step ahead of the enemy.
In reality, cyber security is an exercise in risk management with the goal of being a less attractive target than the next guy. Why? Because there are so many damn vulnerabilities and so few resources to fix them. Outdated hardware, operating systems, applications, databases, and anything else you can think of are a major part of the problem, but so is general awareness of cyber security. The continued “biggest problem” lies with the users: the bad guys tricking users into bypassing security controls is still the biggest problem in the field.
For the sake of this article, we won’t consider large-scale breaches like Equifax, Target, Home Depot, etc., but the root of many of the other apparent lapses in security today is a term that most people should be familiar with: phishing. Phishing is the art of fraudulently communicating with privileged users in order to obtain personal or confidential information, usually performed via email. I’m talking about those emails purporting to be from your IT department that usually go along the lines of:
This is totally your company’s IT department. For some reason, we need you to click this link to login with your company credentials and verify something. It’s legit, I promise.
Now, you wouldn’t fall for that... would you? Well, Verizon’s 2018 DBIR (Data Breach Investigations Report) indicates that 4% of people will click on any given phishing campaign. Seems low, but if the bad guys only need one legitimate login credential to do bad things, that means that (on average) they only need to send a phishing email to 25 people to get a hit. Pretty good marketing, right?
So back to the moral of the story: user education. You don’t have to be a cyber ninja to better protect yourself or your company from the bad guys out there, you just need to be more careful. Verify emails are from who they say they are, contact your IT department (or your more IT-inclined friend) if something looks suspicious, and stop clicking all of the things.
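To make “verify emails are from who they say they are” concrete, here is an added example (not part of the original post) of the kind of sanity checks a defender can automate before a user ever sees a message like the one quoted above. It parses a constructed sample email and flags the usual tells: the sending address not matching the domain the display name claims, a Reply-To pointing somewhere else, and a login link whose visible text names one site while its actual target is another. The sample message, the trusted domain, and the heuristics themselves are assumptions for illustration; this is not a complete phishing filter.

```python
"""Heuristic sender and link checks for a suspicious email.

Added example, not code from the original post. The sample messages are
constructed (example.com/.net/.org are reserved documentation domains) and
the checks are assumptions about what is worth flagging, not a full detector.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: the display name claims the company's domain,
# but the address, the Reply-To and the login link all point elsewhere.
SAMPLE_EMAIL = b"""From: "example.com IT Department" <helpdesk@example.net>
Reply-To: verify@example.org
To: user@example.com
Subject: Verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>This is totally your company's IT department.</p>
<p>Please <a href="http://login.example.net/verify">login at https://portal.example.com</a> to verify.</p>
</body></html>
"""

# Constructed legitimate sample for comparison: everything stays on example.com.
CLEAN_EMAIL = b"""From: "IT Department" <helpdesk@example.com>
To: user@example.com
Subject: Maintenance window
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://portal.example.com/status">https://portal.example.com/status</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Domain part of an email address, lower-cased ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    """Hostname of a URL, lower-cased ('' if none)."""
    return (urlparse(url).hostname or "").lower()


def _in_domain(host, trusted):
    """True if host is the trusted domain or a subdomain of it."""
    return host == trusted or host.endswith("." + trusted)


def check_message(raw, trusted_domain):
    """Return human-readable warnings for a raw RFC 5322 message (bytes)."""
    trusted = trusted_domain.lower()
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings = []

    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    if from_dom != trusted:
        warnings.append(f"From address is @{from_dom}, not @{trusted}")
        if trusted in display.lower():
            warnings.append("display name mentions the trusted domain but the address does not")

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        warnings.append(f"Reply-To goes to @{_domain(reply_addr)}, a different domain than From")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = _host(href)
            # If the visible text itself looks like a URL, compare its host to the real target.
            text_host = _host(text.split()[-1]) if "://" in text else ""
            if text_host and text_host != href_host:
                warnings.append(f"link text shows {text_host} but points to {href_host}")
            if href_host and not _in_domain(href_host, trusted):
                warnings.append(f"login link points to {href_host}")
    return warnings


if __name__ == "__main__":
    for w in check_message(SAMPLE_EMAIL, "example.com"):
        print("WARNING:", w)
    print("clean message warnings:", check_message(CLEAN_EMAIL, "example.com"))
```

Run as-is and the constructed phishing sample produces five warnings while the clean sample produces none. In practice these checks sit beside, not instead of, the mail gateway's SPF/DKIM/DMARC results; their value is that each warning is something a user can be shown and understand, which is the point of the user education the post argues for.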
Images courtesy of Pixabay.