natali_mis - stock.adobe.com

Social engineering a factor in virtually all cyber attacks, report claims

Almost every single cyber attack will, at some stage, require a human to be tricked into doing something, according to research by Proofpoint

The exploitation of human failings to attack enterprises using so-called social engineering attacks through cloud applications, email or social media, is a factor in up to 99% of cyber attacks, according to Proofpoint’s latest annual Human factor report.

Based on 18 months of data analysis collated from across Proofpoint’s global customer base, the report set out to highlight how bad actors target people by getting them to enable a macro, open a file or follow a link, rather than attacking systems and infrastructure, as they attempt to gain access to enterprises and other organisations.

“Sending fraudulent emails, stealing credentials and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure,” said Kevin Epstein, vice-president of threat operations at Proofpoint.

“More than 99% of cyber attacks rely on human interaction to work – making individual users the last line of defence.

“Organisations need a holistic people-centric cyber security approach that includes effective security awareness training and layered defences that provide visibility into their most attacked users.”

Proofpoint highlighted the existence of what it terms “very attacked people”, or VAP, as the most often approached targets. These individuals tend to be located deep within a target organisation, to have access to either funds or sensitive data, and, crucially, to have identities that can be gleaned via corporate websites, social media, trade publications, or even Google searches.

Impostor email messages closely mimic standard business routines, following legitimate email traffic patterns, with downtime at the weekends and spikes on Mondays, except in the case of malware actors, which tend to be distributed more evenly over the first three days of the working week.

Click times also show significant regional differences, said Proofpoint, with victims in Asia-Pacific and North America far more likely to read and click early in the day, while attacks in the Middle East and Europe are more likely to succeed after lunch.

Read more about social engineering

The verticals most likely to be hit by such attacks were found to be education, finance, and advertising and marketing. As previously reported, Proofpoint noted that the education sector in particular seemed to attract the highest-severity attacks, and had the highest average number of VAPs.

Impostor attacks, meanwhile, were at their highest levels in the engineering, automotive and education industries, probably because of supply-chain complexities in engineering and automotive, and high-value VAPs and large student populations in education.

The report also found that given Microsoft’s dominance in software estates, nearly a quarter of phishing emails sent during 2018 targeted its products, with a notable shift towards its cloud services platforms in terms of effectiveness. Most lures were focused on credential theft to create feedback loops that pave the way for future attacks, lateral movement within the victims’ networks, or internal phishing.

Threat actors are also refining their tools and techniques, moving from one-to-one and one-to-many attacks to attacks using multiple – often more than five – identities against more than five individuals in their target organisations.

Read more on Hackers and cybercrime prevention

Join the conversation

2 comments

Send me notifications when other members comment.

Please create a username to comment.

Having worked at a University, I can tell you that there's more than just the data on students, faculty, and staff and more compliance issues than just FERPA .  Since universities are also responsible for administering scholarships and financial aid, the data stored there often includes the students parents and other family members including their tax returns, investments, etc.  Since the University is also responsible for managing student's immigration status, stored data includes things like student visa numbers, passport numbers, and other immigration data.  With the health centers on campus, there is HIPAA data.  We had some student managed hedge funds and other investment funds so there was SOX and GSLB to worry about.    The University, like most larger ones, had it's own police department with that set of security needs.  Since we were selling seats to our seminars and lectures on line and even some subscriptions to research publications, we also had PCI/DSS.  Now imagine trying to maintain this while maintaining open public (as in general public) access to WiFi for classes and events.  Challenging doesn't even begin to cover juggling the conflicting and competing requirements.  Since most are non-profit or not-for-profit, there's not much of a budget either so the solutions can sometimes be a bit wonky.  
Cancel
Interesting topic, human interaction will forever be the last touch to any means necessary. With the good or bad.
Cancel

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close