Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How I Would Hack Your Network (If I Woke Up Evil)
Threaded  |  Newest First  |  Oldest First
nosmo_king
50%
50%
nosmo_king,
User Rank: Strategist
1/27/2017 | 9:31:53 AM
Faster and easier
I find that tossing a few carefully crafted USB sticks into the executive parking lot is easier, cheaper and more effective.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/28/2017 | 10:58:46 AM
Re: Faster and easier
@nosmo: Well, sure, that's phishing too -- just a more "physical" type of phishing, compared to email phishing.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:45:09 PM
Re: Faster and easier
"Well, sure, that's phishing too ..."

True, just tricking users to do something that they are not normally do. Clever.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:43:53 PM
Re: Faster and easier
Not only executive but for everyine, we will all wonder what we have in a lost and found flash drive.

 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/28/2017 | 11:02:25 AM
%
The 20-30% figure isn't surprising.  At an MIT event I went to not too long ago, one presenter talked about an email sent organization-wide that said something to the effect of: "This is a phishing email.  It is fake.  Do not click on this link" -- and found that 10% of the recipients STILL clicked the link.

One C-suite executive who clicked on the link's response when asked why he clicked it: "I wanted to see what would happen."
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:47:05 PM
Re: %
"Do not click on this link" -- and found that 10% of the recipients STILL clicked the link. "

I wonder, the reason they would click because of the question in their mind: "why would I get a link not to click?"
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
1/31/2017 | 1:00:42 PM
Re: %
@Dr.T: Perhaps the thinking was "Well, the link says not to click, but it's clearly from my own organization, so it can't be *truly* bad."

The better way to do this is to send fake phishing emails (without letting the users know what they are), and then those who click are brought to a page where they are alerted that they fell for a phishing scam -- and their computer is locked up until they complete a 5-minute InfoSec training so they don't fall for it again.  This technique has been shown to reduce successful email phishing attacks by up to 75%.
Kumzy
50%
50%
Kumzy,
User Rank: Apprentice
2/19/2017 | 8:04:34 AM
Re: %
That is a very great idea. My organization did the same thing about last week IT security sent out an e-mail that webcams had been installed in tbe breakroom refrigerators to forestal people stealing other peoples lunches a link was then provided to view the cam when you click on this link it takes you to a log in page which asks for your log in credentials, needless to say rumor started going round among staff about the webcams and people were curious about the issue so some clicked on the link and supplied their credentials and a message popped up that they have just willingly given up their credentials for a phising attack.
Petar Zivovic
50%
50%
Petar Zivovic,
User Rank: Apprentice
2/28/2017 | 2:00:30 PM
Re: Phishing emails (responding to Joe's comment)
Re: sending fake phishing emails to train: Exactly right. It's effective when done on an ongoing basis (at least once a month.) I have seen the susceptibility rate fall to below 1% and stay there, which I consider phenomenal - until I forgot to do it one month. Then next month, it went up to 16%.

As Jefferson said, the Price of Freedom is Eternal Vigilance.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/16/2017 | 11:25:40 AM
Re: Phishing emails (responding to Joe's comment)
@Petar: Does the 16% refer to overall phishing susceptibility, or susceptibility to the fake phishing email itself?

How much of this do you think is potentially attributed to people "learning" what's a "fake" phishing email?

For instance, I wonder to what extent people are thinking, "Oh, that's that wily IT department again.  I don't want to have to do another 5-minute training" (or whatever), vs. "Oh, I shouldn't click on that because it might be bad"?

It's the difference between not slowing down on the highway as a matter of safety vs. slowing down on the highway because you think there's a speed trap ahead.
Petar Zivovic
50%
50%
Petar Zivovic,
User Rank: Apprentice
3/16/2017 | 12:29:55 PM
Re: Phishing emails (responding to Joe's comment)
The service we use allows for a number of templates, sender domains, subjects, etc. Given the wide variety of testing, I would lean towards the 16% being an accurate measure of susceptibility within the company as of that point in time. Note: I am seeing actual phishing emails being submitted for analysis using our phish tool on a daily basis, along with the usual spam and unwanted email, so at least some people are in fact paying attention.

"It's the difference between not slowing down on the highway as a matter of safety vs. slowing down on the highway because you think there's a speed trap ahead." This is a very good point. The number did go up when I missed a month of testing, so people apparently let down their guard. Seems to me that is just part of human nature for some people - they won't discipline themselves unless someone else is watching them. That being said, it's still way better than the initial baseline test.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/17/2017 | 11:53:36 AM
Re: Phishing emails (responding to Joe's comment)
@Petar: Fascinating.  I wonder what would happen if you upped the frequency (say, once a week) for a month or so, and then dropped back down to "normal" levels.
Petar Zivovic
50%
50%
Petar Zivovic,
User Rank: Apprentice
7/14/2017 | 5:30:27 PM
Re: Phishing emails (responding to Joe's comment)
I did exactly one a week for May, then did only one for June.

Result: Frequency seems to have little to no effect. Content has a big effect.

Examples: testing "Outlook password change required" and "Mint Financial Access" got few or no clicks.

But I got over two dozen clicks on "HR Notification re:Vacation policy change".

"Mint" was the one sent a month after the weekly tests were done.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/18/2017 | 1:33:31 PM
Re: Phishing emails (responding to Joe's comment)
@Peter: Wow. Awesome insights. Thanks for trying this and sharing!

I guess you'd really need an A/B grouping while testing frequency. Group A gets subject line A, Group B gets subject line B. Then that would give you a better idea on if it was more the frequency or the subject line.

But this is cool info to go on. I think people are on to the "pretending to be your bank" scam...but the HR stuff has been pretty hot among scammers lately because it's new (and, also, I suspect, because it's about something interesting enough to be worth an email open but not so jarringly enticing that it's automatically suspicious). 
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/31/2017 | 2:28:06 PM
Re: %
I love that idea, Joe, of forcing completion of a 5-minute InfoSec training :-)  I've worked at orgs before where you essentially worked within a locked down piece of software with no access to anything else, but freeing up the desktop with the illusion of freedom presents lots of "teachable moment" opportunities for getting training compliance up-to-snuff quickly!
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:48:24 PM
Re: %
"I wanted to see what would happen."

I see their reasoning. There should be second level protection. I should be able to click the link and still be protected.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:42:46 PM
Nature of attacks
The nature of attacks are two folds in my view. One you trick the user so you can get a privilege access to the system and another one you know a back door that most others do not. Government sponsored ones are more likely they have a back door to the systems. System vulnerabilities are not the main paths for the attacks.
Dr.T
0%
100%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:47:23 PM
Source of attacks
Now that security attacks created a new industry I suspect that lots of security firms are behind of lots of those attacks to sell their products. I do not have a proof for it, it is just my guess. 
ClarenceR927
50%
50%
ClarenceR927,
User Rank: Strategist
1/31/2017 | 11:24:00 AM
Re: Source of attacks
In the case of the DNC attack the evidence is very clear that the work was done by Russian speaking agents using Russian systems for C&C. This is not in dispute dispite what the author implies.

 

The theory that AV companies write all the best viruses is as old as AV software and has been demonstrated false any time it has been investigated.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:48:51 PM
AV vs. DDOD or social engineering
Agree with the article, AV is an outdated strategy, nobody spends time to write a virus, there is more exciting ways of doing impact such as DDOD and social engineering.

 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/2/2017 | 4:07:24 AM
Re: AV vs. DDOD or social engineering
I wouldn't go so far as to say that antivirus = outdated -- at least as a sole lines of defense.

Maintaining up-to-date antivirus is like locking your door.  Sure, there are more exciting and terrible things that can happen to bypass antivirus, but if you're not even doing that, then that's pretty lax.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:51:58 PM
passwords
"I will password-spray your Web interfaces,"

I see the points in the article, however I think making password compels is not a solution, they are not really cracking the passwords, that is too much unnecessary work, they are getting it from the users.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:54:28 PM
security fundamentals
" old security fundamentals aren't effective"

This is a good point, industry has change, there is no more firewall to sell because everybody has it, they needs to sell something new.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:56:34 PM
UBA
"user behavioral analytics (UBA)"

I agree, this may be a good starting point, at the end of the day everything starts with the user behavior.
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
1/30/2017 | 3:06:55 PM
Reconnaissance, infiltration, exploitation, exfiltration: the 4 phases of a data breach
While the reconnaissance phase can take months even years, the exfiltration will take days.  So i agree strongly UBA is critical to flag anything abnormal.  Identity governance is another critical tool to mitigate data breach, especially from insiders , of whom government agencies have seen their share.
kasstri
50%
50%
kasstri,
User Rank: Strategist
3/1/2017 | 6:52:04 AM
keyboard
Sure, there are more exciting and terrible things that can happen to bypass antivirus, but if you're not even doing that, then that's pretty lax.


Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9308
PUBLISHED: 2020-02-20
archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.
CVE-2019-20479
PUBLISHED: 2020-02-20
A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.
CVE-2011-2498
PUBLISHED: 2020-02-20
The Linux kernel from v2.3.36 before v2.6.39 allows local unprivileged users to cause a denial of service (memory consumption) by triggering creation of PTE pages.
CVE-2012-2629
PUBLISHED: 2020-02-20
Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator account via an addnew action to admin/administrators_add.php; or (2) c...
CVE-2014-3484
PUBLISHED: 2020-02-20
Multiple stack-based buffer overflows in the __dn_expand function in network/dn_expand.c in musl libc 1.1x before 1.1.2 and 0.9.13 through 1.0.3 allow remote attackers to (1) have unspecified impact via an invalid name length in a DNS response or (2) cause a denial of service (crash) via an invalid ...