User mistakes aid most cyber attacks, Verizon and Symantec studies show

When a cyber security breach hits the news, those most closely involved often have an incentive to play up the sophistication of the attack.

If hackers are portrayed as well-funded geniuses, victims look less vulnerable, security firms can flog products and services, and government officials can push for tougher regulation or seek more money for cyber defenses.

But two deeply researched reports due out this week underscore the less-heralded truth: most hacking attacks succeed because employees click on links in tainted emails, companies don't apply available patches to known software flaws, or technicians fail to configure systems properly.

These conclusions come as executives prepare to attend the world's largest technology security conference next week in San Francisco, a conference named after lead sponsor RSA, the security division of EMC Corp.

In the best-known annual study of data breaches, a report from Verizon Communications Inc to be released on Wednesday found that more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing, the security industry's term for trick emails.

Because so many people simply click tainted links or attachments, sending phishing emails to only 10 employees will get hackers inside corporate gates 90% of the time, Verizon found.

"There's an overarching pattern," said Verizon scientist Bob Rudis. Attackers use phishing to install malware and steal credentials from employees, then use those credentials to roam through networks and access programs and files, he said.

Verizon's report includes its own investigations and data from 70 other contributors, including law enforcement. It found that while major new vulnerabilities such as Heartbleed are now being used by hackers within hours of their announcement, more attacks last year exploited patchable vulnerabilities dating from 2007, 2010, 2011, 2012 and 2013.

Another annual cyber report, to be released on Tuesday by Symantec Corp, found that state-sponsored spies also used phishing techniques because they work and because the less-sophisticated approach drew less scrutiny from defenders.

Once inside a system, however, the spies turned sophisticated, writing customized software to evade detection by whatever security programs the target has installed, Symantec said.

"Once I'm in, I can do a few things I should," said Robert Shaker, an incident response manager at Symantec. The report drew on data from 57 million sensors in 157 countries and territories.

Another troubling trend Symantec found involves the use of "ransomware", in which hackers encrypt a computer's files and promise to release them only if the owner pays a ransom. (Some 80% of the time, they can't decrypt the files even then.)

The latest twist comes from hackers who encrypt files, including those inside critical infrastructure facilities, but don't ask for anything. The mystery is why: Shaker said it isn't clear whether the attackers are holding the data for resale to spies or potential saboteurs, or whether they plan to make their own demands later.

RSA Conference

At next week's RSA Conference, protecting critical infrastructure systems under increasing attack will be a major theme. Another theme will be the desire for more sharing of "intelligence" about emerging threats, between the public and private sectors, within the security industry, and within particular industries.

Although many of the best-known breaches of the past two years involved retailers, the healthcare industry has figured heavily recently. Former FBI futurist Marc Goodman said that both spies and organized criminals are at work there, the former seeking leverage to use in recruiting informants and the latter seeking to cash in on medical and insurance fraud.

Verizon's researchers said that to be more effective, information-sharing would need to be essentially instant, from machine to machine, and across multiple sectors, a daunting proposition.

Another section of the Verizon report may help security executives make the case for bigger budgets. The researchers produced the first analysis of the actual costs of breaches drawn from insurance claims, rather than survey data.

Verizon said the best indicator of the cost of an incident is the number of records compromised, and that the cost rises logarithmically, flattening as the size of the breach grows.

Using the new Verizon model, the loss of 100,000 records should cost roughly $475,000 on average, while 100 million lost records should cost about $8.85 million.

Although the harder data will be welcome to number-crunchers, spending more money cannot guarantee complete protection against attacks.
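As an added illustration, not code from the article or from Verizon's report, the following Python fits a curve through the two figures quoted above and shows the flattening cost per record. The assumption is a power-law shape (a straight line on log-log axes) calibrated only to those two points; it is not a reproduction of the DBIR's actual regression.

```python
import math

# Calibration points taken from the article's two quoted figures
# (100,000 records -> $475,000; 100 million records -> $8.85 million).
# Everything else here is an assumption layered on top of them.
CALIBRATION = ((100_000, 475_000.0), (100_000_000, 8_850_000.0))


def fit_power_law(points=CALIBRATION):
    """Fit cost = scale * records**exponent through two (records, cost) points.

    On log-log axes this is a straight line; an exponent below 1 gives the
    "rises but flattens" shape the article describes. Assumed model shape.
    """
    (r1, c1), (r2, c2) = points
    exponent = math.log(c2 / c1) / math.log(r2 / r1)
    scale = c1 / r1 ** exponent
    return scale, exponent


def estimate_cost(records, points=CALIBRATION):
    """Expected breach cost in dollars for a given number of compromised records."""
    scale, exponent = fit_power_law(points)
    return scale * records ** exponent


def cost_per_record(records, points=CALIBRATION):
    """Average cost per record; this falls as the breach grows, which is the
    flattening the article refers to."""
    return estimate_cost(records, points) / records


if __name__ == "__main__":
    scale, exponent = fit_power_law()
    print(f"cost ~= {scale:.2f} * records^{exponent:.3f}")
    for n in (10_000, 100_000, 1_000_000, 10_000_000, 100_000_000):
        print(f"{n:>12,} records: ${estimate_cost(n):>14,.0f}"
              f"  (${cost_per_record(n):.3f} per record)")
```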

The RSA Conference floor will feature vendors touting next-generation security products and anomaly-spotting big-data analytics. But few would actually promise that they can stop someone from opening a tainted email and letting a hacker in.
