According to a recent report by PhishMe, 91% of cyber attacks begin with a phishing email. The attack method remains one of the most successful available to hackers as it exploits the inherent weakness of individual users. Since the advent of networked computers, human error has almost always been at the heart of failings in cyber security, and despite increasing attempts to improve user awareness and security training, individuals continue to fall foul. With the average security breach still taking close to 150 days to detect, businesses can no longer afford to leave their security in the hands of an outdated cyber security trust model which means all cyber defences are moot if a phishing email is clicked. If approaches to cybersecurity don’t change soon, phishing season will be never ending.
What is phishing?
Ever more convincing imitations of websites such as LinkedIn, eBay, PayPal and Google, and increasingly sophisticated emails have fooled users into allowing hackers past cyber defences. One recent attack mimicked a Gmail login page to near perfection. PayPal users were also targeted with a highly convincing email notifying them of a problem with their account.
It’s incredibly effective. According to Verizon, 30% of phishing emails are opened. With reasons cited including fear, curiosity and a sense of urgency – all playing on basic human emotions.
The method is also surprisingly simple: once an employee is duped into clicking on a link in an email that looks like a legitimate offer from a business he or she frequents, the user’s device either becomes infected with malware or the user is prompted to enter their access credentials.
Once in possession of log-in credentials for the enterprise system, the attacker masquerades as the user and enters the interior network and systems and the breach begins.
Users will fail
Organisations may spend time training staff to spot suspicious emails, but it is almost impossible to guarantee they won’t click on a phishing link. Indeed, phishing attacks are on the rise – according to SC Magazine, there was a 250% surge in phishing attacks in Q1 of 2016. The only way to combat phishing, therefore, is to make the assumption that users will keep acting as they do, and click the link. As such, businesses must be ready.
There is no other choice but to embrace the notion that any user might already be compromised. In fact, a ‘trusted’ user accessing your systems right now may be an attacker that has entered your network as a result of a phishing attempt. This is the motivation to adopt the Zero Trust security model. Old security models assume your LAN or internal networks are ‘trusted’ because they are protected by a firewalled perimeter.
However, Zero Trust does away with the notion of implicit trust. Instead, it is assumed that any user or device on the network could be compromised. Given that, how do you protect your valuable digital assets? Deploying Zero Trust means recognising that traditional perimeter and infrastructure-based security cannot stop an attacker in the guise of a trusted user.
So how can a business go about implementing Zero Trust? A key tool in the Zero Trust arsenal is enforcing role-based access control across all users. This limits an attacker’s ability to move laterally through the enterprise systems once they have gained access via a compromised user. Another technique is to deploy end-to-end encryption of data communications flows, even on internal networks and in environments that traditionally would be considered to be trusted.
It is inevitable that hackers will continue to uncover new attack vectors, develop increasingly more sophisticated breach methods and work their way into networks. It is also a certainty that any security model which assumes network perimeters can be defended, will fail. Finally, given that users will continue to remain the weakest link in a business’ security model, it is only by changing the way that security architecture is viewed, that positive advances in cyber security will be achieved.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.