As high-grade security evolves to combat increasingly complex threats, why are basic attacks still enormously successful?
Low-tech attacks, such as phishing, have long been a mainstay of the cybersecurity world to the point that they barely raise an eyebrow. However, recent weeks have seen a spate of attacks that have made headlines and shone a spotlight on the perennial phishing pest.
The BBC recently reported a data breach in which fraudulent emails "offering discounts" were sent to parents of pupils at fee-paying schools after the schools' databases had been breached.
Hot on its heels came news that some enterprising hackers had attempted a spot of phishing in the channel.
Distributor Target Components received multiple scam emails purporting to be from a well-known distributor and reseller, both of which are Target customers. MD Paul Cubbage warned partners not to fall for the bait and to be wary of such deceptive messages.
Have companies oversubscribed to the bells and whistles espoused by the cybersecurity industry, but become complacent when it comes to the most basic of attacks?
The world and its granny knows by now not to fall for the charms of the Nigerian prince and the promise of his golden hoard, so how are these low-tech attacks still managing to breach high-grade security?
Targeting the industry that makes its money out of stopping such threats might seem foolhardy, but vulnerabilities exist in even the most security-conscious organisation, and are usually human-shaped, according to a number of cybersecurity specialists.
It is not that organisations or employees are complacent in their approach to phishing emails, rather that the scam messages are so well put together that they look like legitimate correspondence from a trusted source in the company.
"The weakest link in any security is the person in front of the keyboard," explained Stephen Love, chief security consultant at Computacenter, to CRN.
"If you can reach that person and gain their credentials and then use that to launch your attack, that is a hell of a lot more effective than trying to breach a vulnerability on an external device."
Jason Holloway, Bridgeway's managing director, says advanced threat protection - which tries to detect scam emails before they hit an employee's inbox - is one of the biggest growth areas in email security.
"Most of these technologies are successful to a degree, but they can never be 100 per cent," he warns.
"As we get better at detecting and hiding the more obvious ones, users also become desensitised to expecting these fraudulent emails to come through, so when they do - and are properly crafted - they can trick people into unwittingly clicking on links and opening paths."
Jason adds that end-user cyber awareness and training is still in its infancy and so an organisation's employees might not be receiving the right level of education and support to make judgement calls when it comes to suspicious emails.
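To make the pre-inbox filtering described above concrete, here is an added example of the kind of checks such a gateway runs on a message before delivery. It is not code from CRN, Bridgeway or any vendor named in the piece; the trusted supplier domain, the three sample messages and the recipient risk levels are all constructed for illustration. The checks target exactly the "properly crafted" impersonation the article describes: a display name or look-alike domain borrowing a trusted supplier's identity, a Reply-To steering answers elsewhere, failed or absent SPF/DKIM/DMARC results, and link text that shows one host while the href goes to another. It also shows how the quarantine threshold can be tightened for one recipient who has been flagged as risky.

```python
"""Heuristic pre-delivery checks for supplier-impersonation phishing.

Added example with constructed data. TRUSTED_DOMAINS, the sample messages and
the recipient risk levels are assumptions, not taken from the cases in the
article.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domain of a supplier our users trust (assumption for the example).
TRUSTED_DOMAINS = {"acme-distribution.example"}


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def norm(s):
    """Lower-case and strip punctuation so 'Acme Distribution' matches 'acme-distribution'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def domain_of(addr):
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def analyse(raw, recipient_risk="normal"):
    """Return (verdict, findings). A 'high' recipient_risk (e.g. a user who has
    clicked in past simulations) lowers the number of findings needed to quarantine."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = str(msg.get("From", ""))
    display = parseaddr(from_hdr)[0]
    from_dom = domain_of(from_hdr)

    for trusted in TRUSTED_DOMAINS:
        brand = norm(trusted.split(".")[0])
        # 1. Display name invokes a trusted supplier but the address is elsewhere.
        if brand in norm(display) and from_dom != trusted:
            findings.append(f"display name claims {brand} but sender is {from_dom}")
        # 2. Sender domain is one or two characters away from the trusted one.
        if 0 < edit_distance(from_dom, trusted) <= 2:
            findings.append(f"sender domain {from_dom} resembles {trusted}")

    # 3. Reply-To steers answers to a different domain than the visible sender.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")

    # 4. Authentication results stamped by our own gateway must all pass.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth or f"{mech}=none" in auth or mech not in auth:
            findings.append(f"{mech} did not pass")

    # 5. Link text shows one host while the href points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            actual = urlparse(href).hostname
            if shown and actual and shown != actual:
                findings.append(f"link text {shown} but target {actual}")

    threshold = 1 if recipient_risk == "high" else 2
    return ("quarantine" if len(findings) >= threshold else "deliver"), findings


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = """\
From: "Acme Distribution Accounts" <accounts@acme-distributlon.example>
Reply-To: <billing@mail-secure-login.example>
To: buyer@reseller.example
Subject: Updated remittance details
Authentication-Results: mx.example; spf=pass smtp.mailfrom=acme-distributlon.example; dkim=none; dmarc=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm the new account on our portal:
<a href="http://portal.mail-secure-login.example/confirm">https://portal.acme-distribution.example</a></p></body></html>
"""

SAMPLE_LEGIT = """\
From: "Acme Distribution Accounts" <accounts@acme-distribution.example>
To: buyer@reseller.example
Subject: June statement
Authentication-Results: mx.example; spf=pass smtp.mailfrom=acme-distribution.example; dkim=pass header.d=acme-distribution.example; dmarc=pass header.from=acme-distribution.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available at
<a href="https://portal.acme-distribution.example/statements">portal.acme-distribution.example</a>.</p></body></html>
"""

# Same as the legitimate message but with a third-party Reply-To: one finding only.
SAMPLE_BORDERLINE = SAMPLE_LEGIT.replace(
    "To: buyer@reseller.example", "Reply-To: <support@helpdesk-vendor.example>\nTo: buyer@reseller.example"
)

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT), ("borderline", SAMPLE_BORDERLINE)):
        print(name, analyse(raw), analyse(raw, recipient_risk="high")[0])
```

The borderline message shows the per-recipient knob: a lone Reply-To mismatch is common in legitimate ticketing mail, so it is delivered to an ordinary user, but for a recipient already marked high-risk the same single finding is enough to quarantine. The sample Authentication-Results header stands in for the stamp a real gateway adds after its own SPF, DKIM and DMARC checks; a filter should never trust such a header arriving from outside.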
Something smells phishy
As security evolves, so too do the myriad ways in which a hacker can infiltrate an organisation's systems. The way phishing emails are put together has evolved, and perpetrators are highly strategic about whom they target.
Humans are the weakest element in the organisation, and educating end-users to be alert to nefarious attacks is a big challenge for a lot of companies.
Bridgeway's Jason says that there is a "convergence" of technology and training that is focused on addressing the risk profile of each individual.
"If you provide training to the user base, but one individual still makes risky decisions, then perhaps the filtering provided to their email stream can be increased to make sure that they don't create problems for themselves or their organisation," he explains.
This aligns with the trend seen in the last 12 months of cybersecurity vendors snapping up awareness and training companies for sizeable sums. Proofpoint swallowed up Wombat Security Technologies for $225m, and Cofense (then PhishMe) was nabbed for $400m by private equity firms Blackstone and Pamplona.
These training programmes often employ ethical hackers to breach the company's security, in order to showcase where the weaknesses are and to indicate what departments and individuals are most susceptible to low-grade cyberattacks.
Cybersecurity awareness training is now on the rise because companies have spent millions of pounds implementing technical solutions but forgotten to look at the end-user, who is their last line of defence. It takes a mix of time, effort and education, and more organisations need to take heed.
This is an excerpt from CRN's recent article