Surely everyone changed their LinkedIn credentials in 2012, when the LinkedIn hack was made public, right?
Furthermore, most users would have doubled down on their credential security - changing their passwords to something complex and perhaps using a secure service like LastPass to manage those credentials securely, right?
So when LinkedIn confirmed last week that more than 100 million members' email and password combinations stemming from a 2012 data breach have been posted online, the natural question is 'why bother'?
As I pointed out to CNET this week, it's no longer the credentials themselves which have value (although there might be a few laggards who still haven't changed their passwords). It's the fact that cybercriminals now home in on a target by building very accurate pictures of companies and employees ripe for targeting. Also, as I discussed with Computing in March, LinkedIn is now the principal supermarket for enterprise hacking intelligence - a front door for hackers.
Once the overall picture of an organization is complete, the email account of the target, be it personal or professional, becomes the Holy Grail for the attackers. Suddenly the penny drops: Peace, who according to a story from Vice's Motherboard is trying to sell the credentials for about $2,200 in bitcoin, is actually selling the email addresses.
And I'm sure he or she will sell the information in no time at all - because who thought it was important to change their password and email address in 2012? Not many.
Aside from the immediate damage of social engineering-based attacks, the damage will really be felt by organizations that have been hacked over the last few years and are high-value targets in general. What this action has done is highlight the long-tail value of hacking - inspiring cybercriminals to re-harvest old hack data and encouraging more audacious attacks in future, as the financial incentive has been boosted further still.
You think you’re prepared to deal with cybersecurity threats. But, what if your organization became the target of a whaling attack, spear-phishing or weaponized attachment? These are just a few methods hackers and cybercriminals use to steal confidential data, employee information and even cash. Are you confident that your corporate email can protect your organization from these insidious attacks?
To ensure you really are confident to cope with email-based attacks, you need to get in touch with your true IT security self. This can help you find out how much of an impact past experience with email attacks has on future preparedness, and whether or not your organization is dedicating enough of your IT budget to cybersecurity.
Don’t worry: we can help. Mimecast recently surveyed hundreds of IT security pros across the globe to get to the bottom of how they felt about email security preparedness. Those responses identified the gaps between how prepared they think their companies are against email threats, and how prepared they actually are. Based on this insight, we spotted five security “personas” of IT security pros, or ways of helping you self-identify with a group that shares your values:
- The Vigilant: This is less than one-fifth of IT security professionals. They demonstrate a high confidence in their ability to handle or defend against cyber threats, despite no experience with email hacks or data breaches.
- The Equipped Veterans: Approximately one-fifth of IT security professionals – they are confident in their cybersecurity and have dealt with attacks in the past.
- The Apprehensive: About one-third of IT security professionals – they have no experience with data breaches or hacks and do not feel confident in their level of preparedness.
- The Nervous: Less than one-tenth of IT security professionals – they feel completely ill-equipped to cope with the cyber threat.
- The Battle-Scarred: Just over one-quarter of IT security professionals – these have experienced a history of data breaches or email hacks, but still feel unprepared to defend themselves against attacks in the future.
Ready to find out your true IT security persona? Take our IT Security Persona Test now. Learn about your distinct personality type and tips to boost your confidence.
We should welcome the move by Obama’s administration to go after more funding – defending the nation from the growing threat of cyberattacks has to be a priority for any world government.
The focus on more money for improving private, public and international collaboration is particularly important. The threat we face, after all, is universal and international, like the Internet itself: a threat on private companies is a threat on the economy, an attack on the public sector will impact the private. We should all hope his call is heard and acted on by Congress, too – cybersecurity of national infrastructure, and the public and private sector, is too important to be a victim of partisan politics.
2016 is an election year, so the danger is that Obama’s successor is likely to want to just build a bigger wall around whatever needs protecting, and while that might be reassuring for voters, it’s a representation of how we’ve classically thought about the security of our assets. But, it’s 2016 and the wall, perimeter, LAN and the defences we used to rely on are all DOA today. The breaches we see every day show they are clearly not protecting us well enough. We need to see a strategy rethink. Many organizations are not updating their spending patterns for cybersecurity to fit with the modern threats they face – that can be very damaging.
If you needed a letter from the President to get budget prioritized for cybersecurity projects, chances are, you’re way behind the security curve and are likely going to be spending on remediation rather than protection.
Cybersecurity has become the issue of 2015 and 2016; there’s enough evidence out there that the government, large corporations and consumers have been dramatically hurt by hacks and cybercrime. The OPM, FBI, State Department and White House hacks, when combined with Sony, Target, Anthem and the many others, show us that cybercriminals are making significant progress against our best traditional defences.
If you’re only now waking up to the issues of cybercrime, cyber warfare and hacking because of Obama’s political promises, then it’s likely you’re already being badly burned both organizationally and personally. Even if you don’t know it yet.
The enormity of the threat should not be new to us, should it? We’re several decades on from the invention of the first technologies that gave us viruses, Trojans and polymorphic files. We’re coming up to the fifth anniversary of the ground-zero hack for enterprises through email – the RSA Security hack of 2011 – yet we’re still seeing our corporate and personal lives affected by cyber-nefariousness.
I’m constantly hearing from CISOs and IT Managers: “We’ve just updated our security ‘a couple of years ago’ so we’re doing just fine.” This is their defence for not changing strategy, asking their executives for additional budget or modernizing a security solution. And this worries me – here’s why: First, because anything that ends in “doing just fine” usually means you’re not fine, or you’re about to find out the hard way. And second, when you look at how advanced the cyber-threat landscape has become over the last two years (and how quickly it moves), anything you added to your security stack a few months ago could already be out of date.
So, if it was a letter from the President you needed to motivate you to deliver up-to-date protection for your network, now you have one. There should be no more excuses. Get it done. It’s your civic and corporate duty. Modernizing your cybersecurity protections, updating your processes and educating your people is a necessity you cannot delay any longer. Unless, of course, you fancy being the next organization in the headlines or explaining a breach to your bosses.
Protecting yourself from cyber-attack used to be about technology. But I have heard it repeated time and time again this week at the industry’s annual go-to security event, RSA Conference in San Francisco, that this is not enough.
Sure, you need the right technology, but attacks can’t be completely repelled with technology alone. You need to turn your employees into a new line of defense – something we have often called your Human Firewall.
Why? Well, today it makes much more ‘economic’ sense if you are an attacker to go after people.
For years now, most organizations have invested heavily on perimeter defenses, and as time passes, the historic security loopholes or open doors in the products we rely on have been closed and the defenses toughened – making it a harder job for attackers to go after your network. Not impossible, but harder. Requiring more skill, effort, resources and persistence.
Meanwhile, at the same time, we have put more and more technology into the hands of our employees and connected them to the outside world in multiple ways: email, social media, cloud services, mobile. We actively encourage our people to connect with customers, colleagues, contacts and prospects. It’s a part of being a modern organization.
So, an attacker has a choice to make about what strategy to apply, and they are going to look for the path of least resistance – the ‘return on investment’ business case for attacks on people is just too compelling. Because people are, after all, “only human.” For all our great qualities, from a security perspective, we are fallible. Prone to being tricked, scammed or bamboozled. As Admiral Rogers of the NSA said this week at RSA about employees and their role in cyber security: “… every individual we have given access to a keyboard is a potential opportunity or a threat.”
And, right at the center of all this sits email. Behind every email address is a person. Guaranteed. Sending an email costs next to nothing. Sending thousands of emails costs next to nothing. And if you invest a little time in social engineering to improve the targeting of your attack (just a few minutes on LinkedIn should do it), research suggests you are almost guaranteed to get a hit.
So, if you are an attacker what do you do? Buy hacking toolkits, invest in people resources, get heavy duty computing power, persistently attack a target over days, weeks or even months or find the CFO or CEO’s assistant’s name, fake an email address to look like their boss and then start an email dialogue?
Spear-phishing in its various guises, and specifically now CEO Fraud or whaling attacks, are the new frontline we need to defend. And, defense requires new technology, employee security training and culture change.
That’s why our Targeted Threat Protection service combines comprehensive technology protection with user awareness capabilities. You need to do both to effectively protect against attacks using malicious URLs, weaponized attachments and now non-malware emails used for whaling. With Mimecast, when you click on a malicious link we don’t just scan it, we tell you what we are doing, so the employee sees the risk they are potentially putting the organization under and learns for next time. Receive an email that looks like it comes from the CEO but in fact is from a spoofed domain name (even if it looks like your own), and we make that clear to the employee with an alert. Receive an attachment, and we convert it to a safe format before delivering it to you, so any potential malicious payload is disabled, and we explain why.
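To show the kind of header checks behind the spoofed-sender alert described above, here is a small defender-side example. It is added here and is not Mimecast's code; the org domain, the executive directory and the three sample messages are all constructed.

```python
"""Header heuristics for CEO-fraud style mail: display-name impersonation,
lookalike sender domains and Reply-To redirection. Constructed example."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # hypothetical org domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # hypothetical directory, lower-cased

def edit_distance(a, b):
    """Levenshtein distance; used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """External domain that is a near-copy of ours or embeds our label."""
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return False                                # our own domain or a subdomain
    label = ORG_DOMAIN.split(".")[0]
    return edit_distance(domain, ORG_DOMAIN) <= 2 or label in domain

def assess(raw):
    """Return the list of whaling indicators found in one raw message's headers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    alerts = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:               # exec's name on a foreign address
        alerts.append("display-name impersonation")
    if is_lookalike(domain):
        alerts.append("lookalike domain")
    reply = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply and reply.rsplit("@", 1)[-1] != domain:  # replies steered elsewhere
        alerts.append("reply-to mismatch")
    return alerts

# Constructed samples: a genuine internal note and two impersonation attempts
GENUINE = "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 plan\n\nSee attached.\n"
LOOKALIKE = "From: Jane Doe <jane.doe@examp1e.com>\nSubject: Urgent wire\n\nCall me.\n"
REDIRECT = ("From: Jane Doe <jane.doe@example.com>\nReply-To: ceo@webmail-provider.test\n"
            "Subject: Quick favour\n\nAre you at your desk?\n")

if __name__ == "__main__":
    for raw in (GENUINE, LOOKALIKE, REDIRECT):
        print(raw.split("\n")[0], "->", assess(raw) or "no indicators")
```

The alert strings are what a user-facing warning would be built from; the heuristics are deliberately simple and would sit alongside SPF/DKIM/DMARC results rather than replace them.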