October is Cyber Security Awareness Month. Today I’d like to highlight PHISHING: the ubiquitous cyber attack category that has been around since the dawn of the Internet & Networked Technology.
500 Hours FREE AOL Discs?
PHISHING and the various techniques employed to successfully execute a PHISH (like much of the Cyber Security Landscape) have evolved a great deal. Global interconnectivity has transformed our world and tech has grown exponentially.
At the bottom of this article is an InfoGraphic. It is a simple resource that is accessible for ANYONE to use and understand.
Protect yourself. Protect your Privacy.
Protect your Personally Identifiable Information (PII)
As a career Cyber Security Expert or Professional Hacker (White Hat, of course!) I am often asked over-generalized questions about InfoSec. I typically feel compelled to first refer to Occam’s Razor (keep reading) before indulging in a detailed answer. I don’t refer to this principle of science to sound smart by simply citing something I love. I don’t mention it to test the person’s savvy or tech acumen either… I refer to Occam’s Razor to educate the individual and illustrate a crucial point that (in my experience) is not realized at all among technology laymen, or even among most ‘Power Users’ like my friends, romantic companion and probably most of my readership at IsraTechnologies. You are all aware of the increasing ‘Cyber Warfare’ and the Information Risks that grow the more Technology is used, whether it be Hacktivism, Corporate Espionage, Script Kiddies, Revenge Porn or Piracy, or maybe you are just a private citizen somewhere on Planet Earth with understandably increasing Privacy concerns. Regardless, the following concept is mostly unknown to the public, or forgotten at best.
For example, a user (or random person) asks me, ‘so being an expert in Cyber Security, you can like, read my emails or get into my phone right? Well I oughta be careful around YOU!’
My response, ‘Sort of. If I had even one single black hat hacking desire, and I haven’t had such a desire in nearly 20 years (See above: Prodigy, CompuServe & AOL), then I’d STILL lack the time. Therefore even if I had some misplaced motivation and the moral defect to engage in entertaining said desire(s) …. it still would not nearly be worth even 1% of the time much less the effort required…..’ Typically my answer is just that, ‘sort of.’
Yet, every Cyber Security Conference I go to, every research paper I read and every expert I speak with – there seems to be a pervasive, constant and recurring theme:
The Majority of Successful Hacks ARE LOW-TECH
To actually find a new (0-day) exploit among thousands if not millions of lines of computer code…. Up late, in the dark, attempting to visualize infinite attack vectors or scenarios/possibilities within the pages upon pages of programming language one immerses him or herself in… Add the Hacker then writing the code to exploit some vulnerability found in the aforementioned dark, perpetually 3AM-like dungeon AKA a dorm room or some apartment in Slovenia… this is largely the stuff of sensationalized entertainment/media, or in the real world could be some state-funded Government-to-Government or other form of larger Cyber Espionage. Perhaps like (in my opinion) The Greatest Hack of All Time … StuxNet (deserves a nice up-to-date exposé on this blog, no?), which was really the world’s first fully-weaponized Digital Weapon. The so-called StuxNet ‘Worm’ was able to penetrate a building & its systems (Centrifuges) as secure as an Iranian Nuclear Facility that employed ‘Air Gap’ Security, meaning there is an air gap and NO CONNECTION to the outside world at all, like an Internet line of any type or any Telecommunication lines etc. An isolated Air Gapped Building is nearly impossible to penetrate for a Hacker; yet this Iranian Facility was completely 0wn3d. Read here for more. There are many other larger, more high-tech hacks we encounter every day when we put our cyber sails up and venture out to peruse the World Wide Web. Another category of common high-tech attacks is known as Advanced Persistent Threats, one of the more common and most recent being Ransomware and the like. But I digress from the point: that most breaches or successful hacks are Low-Tech…
Enter Occam’s Razor. A Principle that states “Entities should not be multiplied unnecessarily” … The most useful statement of the principle for [computer] scientists is “when you have two competing theories that make exactly the same predictions, the simpler one is better.”
Apply that to hacking: choose the simpler, easier & more elegant of 2 possible solutions (low-tech or high-tech are two solutions with the same end result … a successful hack). Therefore, if I or any other Pro for that matter [White or Black Hat] am planning how to hack a business, a person’s identity/PII, or gain unauthorized access to the Data and/or deny the Service being offered by any Target System(s) said person or business entity uses…. Guess what? The low-tech plan-of-attHack is where we almost always begin!
We ask some simple ‘low-tech’ questions first. Who (is the Target)? What are the Systems used by the Target? (attack vectors are chosen) And what are the weakest endpoints on any number of public/private networks the Target uses?
According to Gartner, 99 percent of vulnerabilities exploited are ones that professionals have known about for a year, but have lacked the solutions to address. Put into [business] context, that is absolutely terrifying. So, Cyber Security Experts around the world and I are in agreement that most successful ‘hacks’ are low-tech … And Gartner, a highly respected worldwide leader in Information Technology Research and Advisory, has recently reported that 99% of successful hacks are exploiting a vulnerability the business itself (the IT owner or stakeholder) is already aware of but has NO SOLUTION FOR…. 99% of successful attacks exploit Vulnerabilities that the system creator/administrator was aware of and had no subsequent recourse or solution for. Wow! So in terms of Privacy & Information Security, are we as individuals and businesses all simply doomed? What is the most common, most widely exploited and therefore overall the biggest attack category? Given the statistics, this category must be among the so-called ‘Low-Tech’ Hacks?
A Vulnerability there’s No Solution for? Their own employees & users!
The Vulnerability is YOU!
It’s difficult to adequately train employees, much less every Facebook user – Every LinkedIn user – every GMail or @yahoo.com user and so on….. Train the whole world in Cyber Security basics? Social Engineering 101? Unfortunately it appears that in this current landscape, most of us will have to learn the hard way.
Cyber security training is often difficult and broad, at best. I plan to do another Social Engineering blog soon breaking down many of the common and lesser-known techniques found in the wild and I’ll offer my personal experience in employing said techniques, how effective each is, target/mark profile types and how the simplest tech-layman can defend against the savviest of Black Hat Social Engineering Experts!
I’ll also offer plenty of resources for White Hats that want to simply learn (that’s what Black & White love and share … the desire to understand & truly learn). Then maybe YOU can get in the fight and help the rest of the civilized world protect themselves, the organizations they work for and each other from the malicious, increasingly effective attacks outside your door (or router) right now! Or are they already inside and you don’t know? I’ll be sharing simple, groundbreaking tools to detect intrusions.
For now, in light of Cyber Security Awareness Month – please enjoy an excellent InfoGraphic created by data loss prevention company Digital Guardian. This image was released to help users recognize and AVOID Phishing Attacks!
Print it, post it in your home & office. Share this article. Save and share this image.