Human Factors Data Security Threats

We’ve written before about how “For Data Security, Employees Are the Weakest Link.”

A new report on “The Human Factor” from Proofpoint provides some interesting insights into the extent of the “problem with people” when it comes to data security.

There are a couple of different ways for hackers to get into your data. They can use automated approaches, such as a “brute force attack,” trying thousands and thousands of possible password or PIN combinations until they find the one that works.

Or they can trick people into either infecting themselves with malware or into unwittingly giving away the keys to the store.

An overwhelming majority of attacks rely on users to infect themselves. 997 out of 1000 documents used in “attachment-based” campaigns use macros and/or social engineering. Users have to click on the document to infect themselves.

Additionally, 98% of the URLs in malicious messages link to malware – click the link, follow the instructions, and infect yourself.

Hackers are getting increasingly clever and sophisticated in finding ways to get naïve users to do their work for them. Here’s a sample of some of the ways they work:

  • Impersonating real people and documents:
    • They are getting good at creating document attachments such as invoices or statements that look like the real deal, but contain dangerous malware.
    • They use social media (such as LinkedIn) to figure out who works with whom, so they can make a malicious email look like it comes from a colleague.
    • Some scams involve impersonating a company’s CEO to get an employee with bank transfer authority to transfer funds to the hacker.
    • 74% of URLs in email-based attacks link to phishing sites as opposed to hosted malware. Phishing is 10x more common in social media threats.
  • Being savvy on normal behavior and social media:
    • They know to optimize delivery times to match when people are answering emails, typically the start of the business day.
    • Many malicious URLs are shared via social media.
  • Leveraging people’s love of “free”:
    • Many people want access to paid apps, but don’t want to pay the price. Rogue app stores, where you can get pirate copies of paid apps, are very popular with those who aren’t concerned with honoring intellectual property. These rogue app stores are VERY dangerous; many of the apps you can download from them are infected with malware.
  • Infecting via popular sites:
    • An analysis of the Android app store found 12,000 potentially malicious apps (capable of stealing information) that were downloaded 2 billion times.
    • Popular file sharing services, such as Google Drive and Dropbox, have also proven to be very effective ways to lure people into giving up credentials.

A few of these scams – such as the “impersonate the CEO” scam – have to be countered with robust business practices, such as requiring a second authorization, even on requests from the CEO. All of the others, however, could be defeated with PACid’s Bolt-on Strong Security (BoSS).

We believe the best way to prevent employees from giving away the keys to the store is to not give them the keys in the first place. With BoSS, users are protected from themselves. They can’t enter a credential into a phishing site that’s a copy of a legitimate site because they don’t have access to the login credentials. All credentials are stored in a secure location, not directly accessible to users, and are only valid temporarily. Users can’t log in to a sensitive site by clicking on a link – they have to access the site through BoSS, which relies on IP addresses, not domain names, to access the sites.

One of the most important features of the BoSS approach is that we don’t try to change people’s behavior, such as requiring them to frequently change long and complex passwords. Instead, we use technology to implement the best security practices on their behalf, behind the scenes.