Email Security

phishing attacks and vulnerability exploitations on the rise

Phishing Attacks, Vulnerability Exploitations on the Rise

By | business continuity, Cybersecurity, Email Security | One Comment

Recent figures indicate that there were over 50 significant data breaches in 2023 and there have already been nine major breaches reported in the first quarter of 2024.

According to the Verizon 2024 Data Breach Investigations Report:

  • 14% of breaches involved the exploitation of vulnerabilities as an initial access step, almost triple the amount from last year’s report.
  • 68% of breaches involved a non-malicious human element, like a person falling victim to a social engineering attack or making an error; ransomware was a top threat across 92% of industries.
  • There was a 180% increase in the exploitation of vulnerabilities as the critical path action to initiate a breach.

With such a significant increase in the exploitation of known vulnerabilities, proactive measures must be taken to prevent cyber incidents.

Yet the very agency responsible for keeping end users safer on the web, and who have helped promote the Cybersecurity Awareness Month campaigns each October, have fallen victim to a cyberattack. It was found that Ivanti vulnerabilities in the systems of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) left them susceptible to the attack.

Detecting Vulnerabilities Before Cybercriminals Do

A 180% increase in exploited vulnerabilities is alarming, and while there were major zero-day vulnerabilities that contributed to the dramatic rise, the fact remains that organizations must stay a step ahead. The best way to do that is to find the vulnerabilities in your system – unpatched software, weak passwords, known vulnerabilities – before cybercriminals do.

Blue Bastion, a division of Ideal Integrations, specializes in defensive and offensive cybersecurity operations. They employ a comprehensive managed detection and response service that includes vulnerability scanning and penetration testing. These and similar aggressive efforts help identify and remediate vulnerabilities quickly and effectively.

Phishing Attacks Are Becoming More Difficult to Identify

It is becoming increasingly difficult to distinguish legitimate emails from phishing emails, and generative AI will continue to make it even worse. For instance, investigators observed that a phishing campaign targeting the United States Postal Service (USPS) directed nearly as much traffic to spoofed websites as it did to the legitimate sites, through the use of phishing emails and text messages.

As cybercriminals begin to take advantage of AI, phishing attacks are becoming nearly impossible to detect, reveals Infosecurity Magazine. “AI detectors cannot tell whether a phishing email has been written by a chatbot or a human in three cases out of four.” Users of LastPass, a popular password manager, were targeted in early 2024 by attackers who launched an AI-driven phishing campaign that convincingly tricked users into divulging their master passwords.

Common Phishing Tactics

According to Phishing for Dummies®, Cisco Special Edition, the top five tactics business leaders need to watch for are:

  1. The use of AI to make phishing attacks more successful. AI helps cybercriminals craft more convincing messages, including the use of enriched grammar and language, which can make it more difficult to detect phishing.
  2. The leveraging socio-political strife, such as the Russian invasion of Ukraine, to play on the emotions of the recipient and plead for donations or offer information about the situation.
  3. The exploitation of known vulnerabilities.
  4. Politically motivated attacks on infrastructure that either directly or indirectly impact business operations.
  5. Directed attacks on work-from-home and remote employees, whose level of security is often not as robust. These employees often have access to some of the most sensitive data in your organization.

How to Fight Phishing Attacks

In addition to having comprehensive cybersecurity measures in place that include threat detection, penetration testing, 24/7/365 monitoring, and vulnerability patching, one of the most critical steps every organization can take to combat phishing threats is to provide ongoing awareness training to every employee.

As phishing attacks become more sophisticated, keeping the potential threat top of mind for all employees is essential. An employee may not think twice about a request to update a password for a commonly used website or to submit private information to what appears to be a reliable vendor. Employees blindly trust that an antivirus program will weed out the spam in their digital mailboxes, without considering that an email could be a phishing attack.

Your training needs to be more than a brief presentation or a handout. Cybersecurity training should be comprehensive and provided on a regular basis, to communicate updates and reinforce these best practices:

  • Secure personal information – Do not use the same password on multiple devices and at multiple sites; this includes personal networks. Hackers can target specific individuals and explore social media platforms and other networks to gain information. Passwords should be complex and changed periodically, and double authentication should be applied whenever possible.
  • Use available malware and virus protection programs – If professional devices are prompting for updates, make sure employees are not ignoring reminders. Also encourage employees to digitally secure their personal devices and provide accessible security options. By incorporating best security practices into their personal lives, employees are more likely to implement these practices in their professional realms.
  • Use secure networks only – It can be tempting for employees to login to an office network from home, even if it is simply to check an email. Unsecured access, however, can give hackers the opportunity they need to infiltrate secure networks.
  • Be aware of threats – Train employees to be suspicious of emails requesting private information, such as credit card details. If an email requests immediate action, then a moment should be taken to confirm the request. Nothing is so immediate that your employees can’t take the time to verify a request with a supervisor.

Your employees can be your biggest risk, but they can also become a strong defense against phishing attacks. Knowledge is the first step in preventing data breaches, and by educating employees regularly, you can establish a culture of best security practices.

In addition to providing employee training, companies must develop a zero-trust culture with policies that prohibit employees from clicking links, opening files, or conducting any financial transactions through email communications. Redundant verification processes should be required for any action, and internal file sharing should be accomplished through a company’s secure, shared drive.

Learn more from Ideal Integrations.

passwords offer an illusion of security

Usernames and Passwords: An Illusion of Security 

By | Data Security, Email Security

Many organizations, especially small businesses, rely on username and password protocol as their primary cybersecurity protection method. They assume that requiring employees to use strong passwords, and then requiring regular changes them, is an adequate approach to cyberattack prevention. On the contrary: Relying primarily on passwords alone is not as secure as most of us are led to believe.

The Verizon 2023 Data Breach Investigations Report revealed two of the major findings that bear directly on this issue. Of the data breaches that were analyzed:

  • 74% of all breaches include the human element, with people being involved either via Error, Privilege Misuse, Use of stolen credentials or Social Engineering.
  • 83% of breaches involved External actors.
  • Ransomware is present today in more than 62% of all incidents.

People Don’t Use Best Practices with Passwords

Most people don’t want to remember numerous usernames and passwords for multiple accounts and programs, and many don’t feel confident in their ability to accurately recall that information. More so, they dislike having to regularly change their password for individual accounts, and being forced to forget previous a password in exchange for new ones. To deal with this frustration, they tend to do one of two things (or both):

  • Re-use the same usernames and passwords across multiple accounts
  • Write down their usernames and passwords, and store them in their workspace (usually in a place that is easy to find, often on their desk or in a top drawer)

Recent stats  reveal that 75% of people globally don’t adhere to widely-accepted password best practices with 64% either using weak passwords or repeat variations of passwords to protect their online accounts.

  • Remember, 80 percent of all hacking-related breaches leveraged weak or stolen passwords
  • Repeated passwords used on multiple sites increase the risk of successful breaches on internal company sites. If passwords on personal accounts (online shopping, banking, personal email, social media, etc.) match passwords on company sites (employee login, company email, etc.), hackers can apply those identical passwords to other accounts with the same or similar usernames – and many people use the same username format across multiple accounts (e.g., John_Doe, or John.Doe).
  • This means that any password, no matter how strong it is, is vulnerable the more often it is used with multiple accounts, especially when it is associated with the same (or similar) username.
  • If 83 percent of breaches were perpetrated by external actors, this means that 17 percent were committed by insiders. Many internal attacks don’t have to target one particular employee’s access; in many cases, accessing one member of a team or department (or even the entire company) is all that is required. Thus, having an employee record usernames and passwords, and store them in an obvious place, makes internal attacks much easier and more likely.

Passwords Are Not Enough

Having a system of employee usernames and passwords is not enough. Passwords, to be at all effective, need to be randomly generated strings of characters, changed frequently, and accompanied by two-factor authentication and protected by additional layers of security, backup and recovery, and monitoring. And even though 91% of people understand that reusing passwords is a security risk, more than 6 in 10 people admit to reusing passwords.(LastPass)

Passwords alone cannot protect your organization. Even passwords your employees use outside of your company – say for their pizza delivery service – can end up compromising your network. Credentials are a hot commodity on the dark web, and cyber criminals continue to find more sophisticated ways to steal credentials or trick employees into handing over credentials.

thinkCSC is here to help ensure your cybersecurity systems are strong and vibrant, to assist you in your preparation for and response to cyberattacks. Together, we can avoid the mistakes that are common among so many businesses and organizations, in the end becoming as secure as possible in today’s technological world.

Employees Can Be the First Line of Defense

While thinkCSC believes that employees will always be the first line of defense against ransomware attacks, the only real solution is for leaders of all –organizations – businesses of all sizes, government entities, schools, hospitals, and –others – to invest in stronger IT security that includes offsite backup and recovery and managed security. These protections, combined with ongoing staff training, password manager tools, multi-factor authentication, strict security policies, and constant vigilance, are an absolute necessity in today’s cyber-environment.

We are here to help you with all of your security needs, from password management and MFA to cybersecurity and more. Get in touch.