Proofpoint: Human Behaviors Prove a Cybercrime Draw
The movie Hackers offered a look at what was called “social engineering” at the time. One of the characters called a television studio and, posing as an employee, convinced a night watchman to read off a set of numbers on a modem, giving the character—a hacker—access to the station's systems. This concept has carried on to this day, as detailed by a recent report from Proofpoint that shows human behavior can often be the weakest link in a security chain.
The Proofpoint Human Factor 2016 report shows how, in 2015, attackers put more emphasis on making humans unwitting accomplices in thefts of information and money. Kevin Epstein, Proofpoint vice president of threat operations, pointed out that in much of 2015 attackers moved from exploits involving technology to those involving humans. Epstein noted that “simple, high-volume campaigns” that preyed on the gullible ended up with users infecting themselves with malware, handing out credentials to those who shouldn't have them, and even sending money outright to fraudsters.
Ransomware was one of the biggest such issues; 99 percent of all documents involved in malicious email required a human to access said email. Banking trojans were a huge issue, with malicious macros routinely a part of the problem. Early mornings were the biggest time for phishing emails—Tuesday mornings proved the best target for some reason—and the afternoons belonged to social media spam.
Social media phishing was actually used 10 times more often than malware attempts, and enterprises were frequently attacked by mobile apps from “rogue marketplaces.” Though installing these apps requires bypassing multiple security warnings, the end result is still a threat, as these apps steal information of all sorts.
We've seen the threat posed by inside operators, and we've seen work to counter it, but we also have to remember that not every inside threat is a conscious threat. Some inside threats are people like that night watchman from Hackers, convinced that Mr. Eddie Vedder from accounting really is having some trouble with his BLT drive and needs a little help. We don't want to discourage people helping each other in the office for the sake of better security, but we want to protect our systems. This is where the issue of data encryption comes in. Instead of just focusing on perimeter defense, on keeping out everyone who should be kept out, let's focus on making that data worthless to anyone who takes it. Without the right decryption key, the data could be taken by anyone, but it would be impossible to access, and running brute force attacks on encrypted data could take years.
In the end, the basic principles about clicking links from unfamiliar users still apply, but for those people who are just trying to help, let's not blame them for our security problems. Let's instead make our security tight on all sides, not just the outside in, but also the inside out.
Edited by Stefania Viscusi