Post by Deleted on Apr 23, 2015 9:42:42 GMT -5
Phishing Campaigns
Still one of the most powerful and simple ways to start even the most sophisticated attacks, phishing remains a hacker's best friend because it works. According to the Verizon Data Breach Investigation Report, 23% of phishing recipients open malicious messages and 11% open attachments. It takes just 82 seconds (1 minute and 22 seconds) from when a phishing campaign is launched to when people start biting on the phony lures.
Phony Phone Calls
Sometimes the easiest way for attackers to start gaining access to users' systems and accounts is to just ask for it. The age-old method of social engineering is an old stand-by. Many times all it takes is a call to the victim posing as IT and a request for the user's login and password. Or they could pretend to be an internal employee or business partner and ask the employee to open a specific document that is actually something like a remote access Trojan.
Unpatched Systems
Approximately 97% of exploits involved in breaches investigated by Verizon used 10 common and already well-known vulnerabilities; some were found to be many years old. Users are often hacked because their systems are not up-to-date and patched for these common attack vectors.
Weak Passwords
The recent breach at Sony aired out some password dirty laundry as hackers released the firm's secrets online. One cache of documents released was a set of passwords used by employees and IT staff. Many of these passwords were embarrassingly weak, including the perennial favorite, "password," which is right up there with 12345 as a user favorite. As the folks at OWASP put it in their document recommending testing for weak passwords, "The password represents the keys to the kingdom, but is often subverted by users in the name of usability."
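The OWASP recommendation above is about testing for weak passwords before they reach production. The following is an added example (not code from the original post or from OWASP) of the kind of screening check a defender can put in front of a password-change form: a denylist of common choices such as "password" and "12345", a minimum length, a check for keyboard and numeric sequences, and a check for passwords built from one or two repeated characters. The denylist here is a small constructed sample; a real deployment would load a breached-password corpus, and the thresholds are assumptions.

```python
"""Weak-password screening as a server-side control (added example).

Checks, in order: minimum length, a denylist of common passwords (with
simple leet substitutions undone so 'P@ssw0rd' still matches 'password'),
numeric/keyboard sequences, and too few distinct characters.
"""

import re

# Constructed sample of common passwords. Real denylists hold millions of
# entries drawn from breach corpora; this is only enough to demonstrate the check.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345", "qwerty", "letmein",
    "welcome", "admin", "abc123", "iloveyou",
}

MIN_LENGTH = 12  # assumed policy value

# Keyboard rows and ordered alphabets whose substrings are trivially guessable.
SEQUENCES = (
    "0123456789",
    "abcdefghijklmnopqrstuvwxyz",
    "qwertyuiop",
    "asdfghjkl",
    "zxcvbnm",
)

# Undo the most common leet substitutions before comparing with the denylist.
_LEET = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
    "$": "s", "5": "s", "3": "e", "7": "t",
})


def _normalize(pw: str) -> str:
    """Lower-case the password and map leet characters back to letters."""
    return pw.lower().translate(_LEET)


def _denylist_candidates(pw: str) -> set:
    """Forms of the password that should be looked up in the denylist:
    raw lower-case, leet-normalized, and both with trailing digits or
    punctuation stripped ('password1!' is still 'password')."""
    low = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)
    return {low, _normalize(low), stripped, _normalize(stripped)}


def _is_sequence(pw: str) -> bool:
    """True when the alphanumeric core of the password (optionally minus
    trailing digits) is a run of four or more characters from a known
    sequence, read forwards or backwards."""
    core = re.sub(r"[^a-z0-9]", "", pw.lower())
    for candidate in (core, core.rstrip("0123456789")):
        if len(candidate) < 4:
            continue
        for seq in SEQUENCES:
            if candidate in seq or candidate in seq[::-1]:
                return True
    return False


def weak_password_reasons(pw: str) -> list:
    """Return the list of policy failures for pw; empty means acceptable."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if _denylist_candidates(pw) & COMMON_PASSWORDS:
        reasons.append("common password")
    if _is_sequence(pw):
        reasons.append("sequential characters")
    if len(set(pw)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


def is_acceptable(pw: str) -> bool:
    """Convenience wrapper for a registration or password-change handler."""
    return not weak_password_reasons(pw)


if __name__ == "__main__":
    # Constructed sample inputs; the first three should be rejected.
    for sample in ("password", "P@ssw0rd!", "12345678", "correct horse battery staple"):
        print(repr(sample), "->", weak_password_reasons(sample) or "ok")
```

The denylist lookup runs before any hashing, on the plaintext the user just submitted, so it adds no cost to authentication itself; the sequence and distinct-character checks are cheap heuristics that catch the "12345"-style entries the Sony dump illustrated without rejecting long passphrases.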
Unprotected WiFi
Last month the researchers with Cylance offered good evidence as to why users really need to think about protecting themselves with VPN when utilizing public WiFi connections. They found that 277 hotels, convention centers and data centers across 29 countries were affected by a known vulnerability in a router commonly used by property managers to offer WiFi to guests. And that is just one of the dangers of public and free hotspots, which offer hackers a rich hunting ground for starting man-in-the-middle attacks and other means of establishing footholds in unsuspecting users' machines.
TMI on Social Engineering Websites
Social media is another favorite happy hacker hunting ground, for a number of reasons. One of the big ones is research. The type of information people share on social sites is also the kind that may make it easier for an attacker to guess passwords or the answers to password reset challenge questions. It could also provide enough information about the target to craft an extremely effective spear-phishing message. Social sites, and plug-ins or graphics made to emulate popular social site branding, are also a great means of malware distribution. For example, attackers today trick users into clicking fake 'like' buttons on sites that actually lead to malware installation. This so-called likejacking is just one example of the many ways hackers skin the social cat.
BYOD
The BYOD (Bring Your Own Device) phenomenon has trained users to treat self-service, self-directed IT as the norm. The more freedom users have to install what they want, when they want on their business systems and move data to non-sanctioned cloud resources, the more risk they incur for the organization. IT must be able to find a way to allow users the freedom to get their jobs done while still imposing data governance and audit controls over the processes.