Things get even worse if a stolen identity belongs to a privileged user, who has even broader access, and therefore provides the intruder with “the keys to the kingdom”.
According to a 2019 study, 74 percent of respondents whose organisations have been breached acknowledged the incident exploited privileged account access. This number closely aligns with Forrester’s estimate that 80 percent of security breaches involve compromised privileged credentials. By leveraging a “trusted” identity, a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks are front-ended by phishing campaigns. So, what can organisations do to prevent their users from falling for the bait of these attacks?
The National Cyber Security Centre (NCSC) defines phishing as “when attackers attempt to trick users into doing 'the wrong thing', such as clicking a bad link that will download malware, or direct them to a dodgy website. Phishing can be conducted via a text message, social media, or by phone, but the term 'phishing' is mainly used to describe attacks that arrive by email. Phishing emails can reach millions of users directly, and hide amongst the huge number of benign emails that busy users receive. Attacks can install malware (such as ransomware), sabotage systems, or steal intellectual property and money.”
According to Comtact UK, in 2019 nearly one third of all breaches in the past year involved phishing. Phishing attacks last year affected 76% of UK businesses, and phishing attempts are up by a whopping 65%. Phishing attacks can be categorised into the following four types:
• Deceptive Phishing - The most common type of phishing attacks, whereby threat actors impersonate a legitimate company to steal users’ personal data and access credentials.
• Spear Phishing - These types of attacks are more sophisticated, whereby the threat actor customises the attack email with the target’s name, job title, company, and other personal information to make the recipient believe they have a connection to the sender.
• CEO Fraud - This type of attack targets executives to steal their access credentials, often to commit financial fraud by subsequently tricking employees to authorise fraudulent wire transfers or gain access to W-2 information.
• Smishing - Phishing attacks are not just limited to email, since threat actors are now also sending malicious text messages to users’ phones.
Steps to Protect Against Phishing
Users should apply common sense in all their communications and keep the following precautions in mind:
• Don't post personal data that can be used for social engineering, like birthdays, travel plans, or personal contact information, publicly on social media.
• Check the sender’s email address by hovering over the ‘from’ address.
• Don’t automatically trust links, but rather go to the sender’s website and validate the authenticity of the page indicated in the email.
• When an email from a known source seems suspicious, contact that source with a new email, rather than just hitting reply.
• Read the email and check for spelling and grammatical mistakes, as well as strange phrases. Legitimate companies know how to spell.
• Take your time. Urgency, which forces users not to think, is the fuel attackers rely on. Take a breather and revisit the steps above before taking any action.
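The checklist above can also be run mechanically before a message ever reaches a user. The following is an added example, not code from the original article, that scans a constructed single-part HTML message for three of the cues listed: a display name that cites a different domain than the real sender, link text that shows one host while the href goes to another, and urgency wording. The sample message, the phrase list and the scoring rules are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Pressure phrases matching the checklist's "urgency" cue; a real filter would use a tuned list
URGENCY = ("urgent", "immediately", "within 24 hours", "account suspended")
# Naive anchor extraction, enough for constructed samples; a mail gateway would use a real HTML parser
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)

def _host(value):
    """Bare hostname from a URL or from a bare domain such as 'www.example.com'."""
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()

def phishing_indicators(raw_email):
    """Return human-readable indicators found in a single-part RFC 822 message."""
    msg = message_from_string(raw_email)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # 1. Display name cites a domain that is not the real sending domain ("hover over the from address")
    for named in DOMAIN.findall(display.lower()):
        if named != sender_domain and not named.endswith("." + sender_domain):
            findings.append(f"display name cites {named} but sender domain is {sender_domain}")
    body = msg.get_payload(decode=True).decode(errors="replace")
    # 2. Visible link text shows one host while the href actually goes elsewhere ("don't trust links")
    for href, text in ANCHOR.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if DOMAIN.search(text) and _host(text) != _host(href):
            findings.append(f"link text {text!r} actually points to {_host(href)}")
    # 3. Pressure to act now ("take your time")
    for phrase in URGENCY:
        if phrase in body.lower():
            findings.append(f"urgency cue: {phrase!r}")
    return findings

# Constructed sample (not from any real campaign): spoofed display name, lookalike link, urgency
SAMPLE = (
    'From: "Payroll Team (payroll.example-corp.com)" <alerts@mail-example-corp.net>\n'
    "Subject: Action required\n"
    "Content-Type: text/html\n\n"
    "<p>Your account will be suspended. Verify immediately at "
    '<a href="https://login.example-corp.com.verify-now.net/">https://login.example-corp.com</a></p>\n'
)

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```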
For businesses, IT security professionals can implement the following proactive measures to protect their organisation:
• Educate users about the risk of phishing and the characteristics of these attacks.
• Implement email protection software to "sandbox" inbound emails and to validate and sanitise links users might click on.
• Be wary when deploying third-party Web tools. Investigate their security protocols to determine if they’re comprehensive enough to minimise malware injections. Obviously, restricting the use of third-party Web tools must balance security with providing a differentiated customer experience.
• Implement multi-factor authentication (MFA), which requires multiple methods for identification (something you know, something you have, and something you are), and therefore is one of the best ways to prevent unauthorised users from accessing sensitive data and moving laterally within the network.
• Apply risk-based access controls to define and enforce access policies based on user behaviour. Through a combination of analytics, machine learning, user profiles, and policy enforcement, access decisions can be made in real time, to ease low-risk access, step up authentication when risk is higher, or block access entirely. Risk-based access controls are often used in combination with MFA.
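To make the risk-based access control described above concrete, here is an added example (not code from the original article or from any particular product) of a small policy engine that scores a login from contextual signals and returns ALLOW, STEP_UP (require MFA) or BLOCK. The signal fields, the weights and the thresholds are assumptions; a production system would learn them from user profiles and analytics rather than hard-code them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginContext:
    """Signals available at authentication time (all fields are assumed inputs)."""
    user: str
    privileged: bool             # admin or service account with broad access
    known_device: bool           # device previously enrolled for this user
    country: str                 # geolocation of the source IP
    usual_countries: frozenset   # countries seen in the user's recent history
    failed_attempts_last_hour: int
    mfa_enrolled: bool           # user can complete a step-up challenge

def risk_score(ctx):
    """Additive score from behavioural and contextual signals (weights are assumptions)."""
    score = 0
    if not ctx.known_device:
        score += 30
    if ctx.country not in ctx.usual_countries:
        score += 30
    if ctx.failed_attempts_last_hour >= 5:
        score += 30            # possible password guessing against this account
    if ctx.privileged:
        score += 20            # a stolen privileged identity is the "keys to the kingdom"
    return score

def access_decision(ctx, step_up_at=30, block_at=70):
    """Map the score to ALLOW, STEP_UP (require MFA) or BLOCK; returns (decision, score)."""
    score = risk_score(ctx)
    if score >= block_at:
        return "BLOCK", score
    # Privileged accounts never get password-only access, whatever the score
    if score >= step_up_at or ctx.privileged:
        # Step-up needs a second factor; if none is enrolled the safe choice is to block
        return ("STEP_UP" if ctx.mfa_enrolled else "BLOCK"), score
    return "ALLOW", score

if __name__ == "__main__":
    # Constructed scenarios, not real telemetry
    routine = LoginContext("alice", False, True, "GB", frozenset({"GB"}), 0, True)
    travel = LoginContext("alice", False, True, "ES", frozenset({"GB"}), 0, True)
    admin_new_device = LoginContext("ops-admin", True, False, "US", frozenset({"GB"}), 0, True)
    for ctx in (routine, travel, admin_new_device):
        print(ctx.user, ctx.country, access_decision(ctx))
```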
Ultimately, stealing valid credentials via phishing attacks and using them to access a network is easier, less risky, and more efficient than exploiting existing vulnerabilities, even a zero-day. Cyber security defences need to adapt to this reality. User education and strengthening an organisation’s authentication systems are two vital steps that can minimise the risks associated with phishing and subsequent cyber-attacks aimed at data theft.