If you want the quickest take on this year’s 78-page Verizon Data Breach Investigations Report, skip the executive summary and go straight to page 53.
In a discussion on email compromise attacks targeting executive staff, the report authors muse in their typical irreverent style: “You have to hand it to the attackers. At some point one must have thought ‘why don’t we skip all the hard hacking and just, you know, ask for the money?’”
That general idea — attackers taking the easiest possible road to the largest financial gain — is the theme that runs through the rest of the report’s detailed accounting of the past year’s trends in enterprise information security and data breaches, according to Gabe Bassett, a senior information security data specialist with Verizon and contributing author to the DBIR.
“The attacks are just looking for, what’s the easy way to make this attack work,” he said. “They want the least expensive attack, one where you build it once and use it against everyone.”
The report also makes clear that IT departments had better be on top of known network vulnerabilities — because the attackers certainly are.
One of the report’s appendices, written by Michael Ambrosio, deputy assistant director for the U.S. Secret Service, dives into lessons learned from Secret Service debriefs of arrested transnational hackers: insights from the minds of the attackers themselves. Ambrosio writes that “cybercriminals do their research. Almost always during these interviews, the hackers refer to gathering valuable intelligence from the same cybersecurity blogs, online IT security publications and vulnerability reports that network administrators should be monitoring. They know that once a vulnerability is revealed, they have a limited amount of time to try to exploit that vulnerability at a potential victim organization. Every time a vulnerability is disclosed or a system update or patch is released, a hacker sees an opportunity. They research the disclosure or update notes to learn if they can exploit the vulnerability and where, searching for their best opportunity to monetize the vulnerability.”
Mobile devices play a role in email phishing success
Although mobile as an attack vector continues to be negligible in the DBIR data, this year’s report does include findings from an outside researcher whose data shows that reading email on mobile devices contributes to successful phishing attacks.
Bassett said that for an organization seeking to improve its security, one thing to look at is whether it is successfully blocking suspicious emails targeted at mobile devices.
“Those moments when the user’s thoughts are adrift provide an excellent opportunity for criminals to phish via SMS or emails to mobile devices,” the DBIR concluded. The research it cites, from Arun Vishwanath, chief technologist at Avant Research Group, finds that “mobile devices have relatively limited screen sizes that restrict what can be accessed and viewed clearly. Most smartphones also limit the ability to view multiple pages side-by-side, and navigating pages and apps necessitates toggling between them—all of which make it tedious for users to check the veracity of emails and requests while on mobile.” Mobile operating systems and apps also often hide the information needed to verify whether an email or webpage is legitimate, such as full email headers and the actual destination of a link, while making the response elements of the user interface (accept, reply, send, etc.) more prominent, which makes it easier for targeted users to act on a request than to check it.
This, combined with the fact that “users often interact with their mobile devices while walking, talking, driving, and doing all manner of other activities that interfere with their ability to pay careful attention to incoming information,” means that “the confluence of design and how users interact with mobile devices make it easier for users to make snap, often uninformed decisions—which significantly increases their susceptibility to social attacks on mobile devices,” according to Vishwanath’s research.